When uninstalling the official Julia binaries, I get a message about Unknown publisher. Perhaps we need to codesign the uninstaller as well?
Why do you want to uninstall julia?
I like having only the latest patch version for a given minor release.
@staticfloat @musm Is this something that is straightforward to address when we put together our windows installer? Is it one more thing to sign, or is it more involved than that?
I believe the uninstaller is somehow generated at install time, so no, we can't sign it. @musm please correct me if I'm wrong here.
It seems like there is a mechanism for it: https://jrsoftware.org/ishelp/index.php?topic=setup_signeduninstaller
I believe the uninstaller is somehow generated at install time, so no, we can't sign it. @musm please correct me if I'm wrong here.
Yes that's 100% correct. The only option is to move generation of the installer to the build-bot code. That way we can pass the signtool directly to the installer.
@musm can you help me figure out the right command line for the /S flag?
I need to pass something like signtool.exe /flag1 /flag2 url etc... How do I pass all that through /S?
I believe the following should work. The only issue I'm having is with spaces in path names and getting things to work through cygwin.
Essentially we need to add
"/Ssigntool='C:\Program Files\ (x86)\Windows Kits\10\App Certification Kit\signtool.exe' sign /f C:\Folder\mycert.pfx /p "MyCertificatePassword" $f"
to the command https://github.com/JuliaLang/julia/blob/master/Makefile#L471
And modify https://github.com/JuliaLang/julia/blob/master/contrib/windows/build-installer.iss#L48 by adding SignTool=signtool $f under [Setup]
@staticfloat is your idea to add this to the buildbot code, and what does that look like? AFAIK the iscc inno-setup compiler will have to be installed by the buildbot in order to use it from there.
Updates, here's the trick to get this to work, which I finally got after trying endless combinations due to the double layer of path translations when calling things through cygwin and all the escaping, which makes things an absolute mess:
Modify https://github.com/JuliaLang/julia/blob/master/contrib/windows/build-installer.iss#L48 by adding SignTool=mysigntool under [Setup] (important)
Add
"/Smysigntool=\$q`cygpath -w /cygdrive/c/Program\ Files\ \(x86\)/Windows\ Kits/10/bin/10.0.19041.0/x64/signtool.exe`\$q sign /f \$q`cygpath -w /cygdrive/c/Users/Mus/Code/julia/mycert.pfx`\$q /p Pass123 \$f"
to the command https://github.com/JuliaLang/julia/blob/master/Makefile#L471 (I added it soon after iscc.exe)
$f: filename
$q: adds quotes so that spaces don't get lost
Please note \$ needs to get escaped when called through cygwin and also note the `cygpath -w path\ with\ spaces`
Note: I obtained signtool.exe by extracting the Windows SDK ISO.
Making these changes, this will sign the Installer and Uninstaller, thus previous code that signs the installer should be removed, since this already takes care of things.
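The quoting described in the comment above, as an added example that is not part of the thread or of Julia's build scripts: a shell helper that assembles the `/S` argument so that `$q` and `$f` reach iscc literally and paths with spaces survive. The function names and the `SIGN_PFX_PASSWORD` variable are assumptions; reading the password from the environment keeps it out of the Makefile.

```shell
#!/bin/sh
# Added example; function names and SIGN_PFX_PASSWORD are assumptions.

# Convert a Cygwin path to Windows form. Uses cygpath when present (as in the
# thread); the fallback handles only /cygdrive/<letter>/... paths.
to_win_path() {
    if command -v cygpath >/dev/null 2>&1; then
        cygpath -w "$1"
        return
    fi
    rest=${1#/cygdrive/?/}
    if [ "$rest" = "$1" ]; then
        echo "unsupported path: $1" >&2
        return 1
    fi
    drive=${1#/cygdrive/}
    drive=${drive%%/*}
    drive=$(printf '%s' "$drive" | tr 'a-z' 'A-Z')
    printf '%s:\\%s\n' "$drive" "$(printf '%s' "$rest" | tr '/' '\\')"
}

# Build the /S<name>=<command> argument for iscc.
# $q and $f are Inno Setup placeholders ($q -> a quote character, $f -> the
# file being signed). They sit in a single-quoted printf format so the shell
# never expands them, which removes the need for \$ escaping.
iscc_sign_arg() {
    name=$1
    tool=$2
    cert=$3
    if [ -z "${SIGN_PFX_PASSWORD:-}" ]; then
        echo "SIGN_PFX_PASSWORD is not set" >&2
        return 1
    fi
    tool_w=$(to_win_path "$tool") || return 1
    cert_w=$(to_win_path "$cert") || return 1
    printf '/S%s=$q%s$q sign /f $q%s$q /p %s $f\n' \
        "$name" "$tool_w" "$cert_w" "$SIGN_PFX_PASSWORD"
}

# Usage (paths are constructed samples; the name must match SignTool= in the .iss):
#   iscc.exe "$(iscc_sign_arg mysigntool \
#       '/cygdrive/c/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x64/signtool.exe' \
#       '/cygdrive/c/build/mycert.pfx')" build-installer.iss
```

Quoting the whole `$(...)` result keeps the argument as a single word, so iscc receives the spaces inside the `$q...$q` pairs intact.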
fixed
thanks @staticfloat for the help and working with me on this
Do we already have new 1.5.1 Windows binaries, or is the next step to rebuild them and upload?
Really nice to have this sorted for 1.6.