How-to guide: a one-click Mac and Win installer creation method on OS X

Hi folks,

I’ve been spending some time over the last few days working on a one-click method of creating installers. As background, I work on a Mac, but build consumer apps for Mac and Windows. In the past we’ve been using a combination of Build Automation and good ol’ manual labour to sign the apps, create the DMGs for them and so on, but the process is long and tedious and fraught with errors.

What I really wanted was a way to click one button - just one - and have it build my Mac and Windows apps, sign the Mac app, make a DMG for me, then make a Windows .exe installer, sign that, and put it all in one place. Turns out it’s possible, using a combination of various different programs (App Wrapper, DMG Canvas, KSign, InnoScript Studio, InnoSetup) along with Parallels on a Mac.

Sorry, Windows folks, but this is a guide for people coding on Macs, but wanting to make Mac and Windows installers. I don’t know if it’s possible to do a similar thing on Windows.

I should point out that there may well be a better way of doing this using various other tools, but I’ve not found it yet - and, from the look of things on the forums, I’m not sure anyone else has, either. I wouldn’t class myself as a techie, just someone who can break a big problem down into lots of little problems and then solve all of them one by one. If you’re tempted to comment ‘why didn’t you do it x way?’ to anything, my answer will almost certainly be ‘because I didn’t know you could’! I’ll be interested to hear how the process could be improved.

Hopefully it’ll be of use to people; even if not, it’s been an enjoyable few days digging round in the bowels of my machine.

H

PS This could be neatly extended to produce things like DSA signatures, MD5 checksums and so on, and even call a separate command-line utility to FTP those files up to a server somewhere, so you could turn it into a single-click release mechanism. I thought that it was complicated enough already, though!

Word document guide, video walk through and supporting files at https://dl.dropboxusercontent.com/u/15108631/One-Click%20Build.zip

Nice work! This is a lot like how we do it too. And we use the same tools.

Our only problem is that we can’t automate the kSign process because we have a dozen different apps for various clients to CodeSign. We’ve not found a way to start kSign, change the certificate and change the required files and directories.

If we figured out that ONE thing we could, with one click, build Mac code signed apps with DMG’s and Windows code signed with Installer and then create an AppCast file with all the appropriate information. As it is, it’s quite a slow process to make the Windows installers since kSign is the weak/slowest link in the process.

If you only have one app you’ll ever work on, what you’ve written works well. For us, it’s missing an automation piece.

Well, the kSign bit of it is called from a command line:

start /wait "" "c:\Program Files\kSign\kSignCMD.exe" /f "<PATH TO PFX>" /p "<PASSWORD>" "C:\OCB\Output\setup-ocb.exe"

so couldn’t you sign the various apps like that?

(I’m not starting the GUI for kSign at all in the process I describe…)

If you want to submit apps to the app store you must sign them on a Mac
Not sure you can build a DMG on Windows either

Norman, it seems it’s possible: http://stackoverflow.com/questions/286419/how-to-build-a-dmg-mac-os-x-file-on-a-non-mac-platform
But I think the code signing would be a bit of a show-stopper.

How do I tell kSign what files and directories to sign? If I only have one app to sign I set it up once.

Oh, I see a potential problem in your process. You need to code sign the output first, including the app exe and libraries. And THEN use InnoSetup to create the installer. As part of the InnoProcess you can code sign the Setup and Uninstaller files. No need to use kSign afterwards on the Setup file since Inno does that for you.

Or, at least, that’s what I believe needs to be done. If you don’t code sign the App before using the installer what do you get when you right click on the executable after it’s installed? I suspect that it’s not code signed and therefore it might cause UAC issues.

Thanks! Will have a look. Building apps is tedious. I’m still waiting for the command-line building. This will make many things simpler when building because I got a helper app, a main app and an installer app.

Bob -

I’ve only ever signed the installer file, and never had any of our (many thousand) Windows users saying that something’s not signed…

Right-clicking on the executable after it’s installed doesn’t give me anything interesting; it doesn’t yammer ‘not signed! not signed!’ at me, or anything like that. It doesn’t have a Digital Signatures tab, though.

The command-line version of kSign lets you specify the file you want to sign - for me it’s the setup-ocb.exe - so you could run the kSignCMD.exe a number of times for the various files you want to sign?

H

Indeed Smart Screen only tests the installer.

I do sign also the executable to make sure of the integrity of the exe.

Right, but that means that only the installer is signed and not the actual application. This also means that anyone could replace any files without the OS batting an eye so it’s really a security risk. No one may have complained yet but it’s also not really all that secure.

[quote=204282:@Hamish Symington]Right-clicking on the executable after it’s installed doesn’t give me anything interesting; it doesn’t yammer ‘not signed! not signed!’ at me, or anything like that. It doesn’t have a Digital Signatures tab, though.
[/quote]

The application isn’t signed. Period. Only your installer is signed.

That is only the installer application. If you code sign through InnoSetup you can get both the installer and uninstaller signed as well and you have no need of kSign.

In my InnoSetup file I have the following two lines:

SignedUnInstaller=yes
SignTool=kAConstantNameForMyApplication /d $qMyAppName$q /du $qhttp://www.myappurl.com$q $f

To set up the code sign tool in Inno, go to the Tools menu and select “Configure Sign Tools”.

To quote Wikipedia on code signing:

If you don’t code sign the application and its libraries you cannot make that guarantee. A malicious hacker could replace a DLL or even the executable and there’s nothing that anyone can do about it. Code signing the installer is just one step in the process and you’re not complete unless you do both.
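
Added example, not part of the original thread or any poster's own code: a check to run on the build output before InnoSetup packages it, reporting every .exe and .dll that has no embedded Authenticode certificate table (the data a signing tool writes into the file). It tests presence only, not validity; the function names and the sample PE headers are constructed for illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # index of the certificate-table entry in the PE data directories

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE image has a non-empty certificate table (presence only;
    the signature and its certificate chain are NOT validated here)."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return False
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unsupported PE header") from exc
    # For this entry the "address" is a file offset, so it must lie in the file.
    return offset > 0 and size > 0 and offset + size <= len(data)

def unsigned_binaries(folder):
    """Names of .exe/.dll files under folder that lack a certificate table."""
    missing = []
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            if not has_embedded_signature(path.read_bytes()):
                missing.append(path.name)
    return missing

def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for testing (not a runnable program)."""
    pe_off = 0x40
    buf = bytearray(pe_off + 24 + 96 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 24, 0x10B)    # PE32 magic
    struct.pack_into("<I", buf, pe_off + 24 + 92, 16)  # NumberOfRvaAndSizes
    if signed:  # point the security entry at 8 placeholder bytes appended below
        struct.pack_into("<II", buf, pe_off + 24 + 96 + 8 * SECURITY_DIR, len(buf), 8)
        buf += b"\0" * 8
    return bytes(buf)
```

Calling `unsigned_binaries()` on the folder the installer is built from and failing the build when the list is non-empty catches the case discussed above, where only the setup file ends up signed.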

Please forgive my ignorance about the Windows world: what is necessary in order to code sign a Windows app? I mean: do I have first to register myself somewhere as I do for Apple Developer?

You have to purchase a code signing certificate. We use http://codesigning.ksoftware.net. You sign up, pay your fee, and then they will verify your identity. Once approved, they send you the certificate that you can use to code sign your apps.

If your app is code signed you won’t have the dialog pop up in Windows saying that this app is from an unknown publisher. Do you really want to open it?

Thank you, Bob.

Can you do any Windows EXEs? We’ve been moving to Xojo the past few years but still have a couple of VB6 programs that we maintain. Can those be signed as well with the same certificate?

Yes, any. You can sign any exe with your certificate, independently from the tool you created it with.

As mentioned by Bob, you can get your code signing certificate from ksoftware.net and there you can download the utility kSign to actually sign your files. Again: you have to sign your program and also your installer.

http://codesigning.ksoftware.net/

Great, I’ll check into it this week. Thanks, Oliver.

It’s been over a month and I still don’t have a certificate from KSoftware/Comodo
Last I heard they would contact me if they needed any info.
Nada

I’m going to struggle with their arbitrary confirmation rules.
Those instructions will include a list of documentation Comodo needs to see in order to issue the certificate - a business license, corporation paperwork, etc, the entire list will be in their email and what you need to send depends on the details of your order
I’m a small UK business. I don’t have, or know what a business license is, I don’t have ‘corporation paperwork’…
Or a certificate… :frowning:

What I was looking into a while ago was to complete the whole building, signing and installer-building process for Windows apps on a Mac, without the need to process steps on a (virtual) Windows box. It seems doable, but I didn’t find the time to build and test a workflow, yet: there is osslsigntool, an OpenSSL-based signtool at http://osslsigncode.sourceforge.net/ and the Nullsoft installer NSIS can build its packages on any POSIX system: http://nsis.sourceforge.net/ Both can be installed easily using homebrew on the Mac.

Does anybody have experience with such a workflow or these tools?

[quote=204419:@Jeff Tullin]It’s been over a month and I still don’t have a certificate from KSoftware/Comodo
Last I heard they would contact me if they needed any info.
Nada

I’m going to struggle with their arbitrary confirmation rules.
Those instructions will include a list of documentation Comodo needs to see in order to issue the certificate - a business license, corporation paperwork, etc, the entire list will be in their email and what you need to send depends on the details of your order
I’m a small UK business. I don’t have, or know what a business license is, I don’t have ‘corporation paperwork’…
Or a certificate… :([/quote]

As a sole owner business, all you should provide is the license registration with the authorities. In Los Angeles, the paperwork used to be the clippings from the paper establishing the name of the business and the registration at City Hall.

In general, as an individual, all they require is a notarized copy of a passport, possibly a utility bill. They usually afterward call you within a couple days to confirm.

The best you can do is to contact them and get this sorted out.