Integrity check of whole Inno Setup installer
We use Inno Setup for our installer. Recently a user reported the following error during installation:
An error occurred while trying to copy a file: the source file is corrupted
This was due to a setup file that was indeed corrupted somehow.
Ideally the setup EXE would have performed some kind of check upon initialization to see if the entire EXE was valid or not. But apparently it only did this on a file-by-file basis. Is it possible to get InnoSetup to do that?
I looked in Inno Setup documentation for keywords like 'check', 'hash', etc. but didn't see anything - perhaps I missed it.
Quite similar question (from about 10 years ago - though specifically asking about MD5): How to implement MD5 check into Inno Setup installer to get 'like NSIS integrity check'? . That question seemed to state that such a check should already be happening. So perhaps the issue is not whether or not the setup EXE is validated but when this information is used / shown to the user. Also the accepted answer seemed quite manual, ideally I'd like Inno to do this itself.
Similar question with a different error message: "Source file corrupted: SHA-1 hash mismatch" error from Inno Setup
Add a checksum to the installer and verify it when the installer is starting. A standard (and recommended) way to do that is to sign the installer using code signing certificate. It's a must anyway these days.
Easy way to verify the signature is using PowerShell Get-AuthenticodeSignature. You need PowerShell 5.1 for that. It is bundled with Windows 10 Build 14393 (August 2016) and newer. The following code uses that (and skips the check on older versions of Windows).
function InitializeSetup(): Boolean;
var
WindowsVersion: TWindowsVersion;
S: string;
ResultCode: Integer;
begin
Result := True;
GetWindowsVersionEx(WindowsVersion);
Log(Format('Windows build %d', [WindowsVersion.Build]));
// TODO: Better would be to check PowerShell version
if WindowsVersion.Build < 14393 then
begin
Log('Old version of Windows, skipping certificate check');
end
else
begin
S := ExpandConstant('{srcexe}');
// Possibly this check be might need to be more strict
// (e.g. allowing only letters, digits and dots)
if (Pos('''', S) > 0) or (Pos('"', S) > 0) then
RaiseException('Possible code injection');
S := 'if ((Get-AuthenticodeSignature ''' + S + ''').Status -ne ''Valid'') ' +
'{ exit 1 }';
if ExecAsOriginalUser(
'powershell', '-ExecutionPolicy Bypass -command "' + S + '"',
'', SW_HIDE, ewWaitUntilTerminated, ResultCode) and
(ResultCode = 0) then
begin
Log('Installer signature is valid');
end
else
begin
S := 'Installer signature is not valid. Are you sure you want to continue?';
Result := (MsgBox(S, mbError, MB_YESNO) = IDYES);
end;
end;
end;
If you need to support older versions of Windows, you will have to use more complicated methods, like:
- Bundling
signtoolwith the installer (not sure about license here); - Using
X509Certificateclass.
- Can Inno Setup compiler halt upon Exec() preprocessor function failure?
- Require minimum Inno Setup compiler version
- Inno Setup preprocessor: Conditionally activate a #define (e.g. only when a certain Registry value is set)
- How can I pass command line parameters with a value to the Inno Setup Compiler, so I can use them in my code?
- Delete (or do not create) Start menu shortcuts in Inno Setup when compiler flag is set
- Conditionally include folders in Inno Setup
- How to use Inno Setup preprocessor directive in [Code] section?
- Writing program version to INI file in Inno Setup at compile time
- Return output filename generated by Inno Setup preprocessor to a batch script
- Read source path from a registry on compile time in Inno Setup
- How do I see the output (translation) of the Inno Setup Preprocessor?
- Set default icon when specified path does not exist
- Choose between source paths for all files
- Custom command line parameter in Inno Setup with default value so I can pass build configuration
- Passing in version number to Inno Setup compiler
- Include once capability in Inno Setup Preprocessor?
- Start menu folder created by Inno Setup is not showing
- Returning a string from a C# DLL with Unmanaged Exports to Inno Setup script
- Why do we use '&' character in Inno Setup?
- How do I create a Start Menu folder with Inno Setup?
- Why preprocessor behaves differently in #include directive then in [Files] section Inno Setup script
- Find a directory using wildcard in Inno Setup
- How to get the file name of the current Inno Setup script file?
- Copying hidden external files in Inno Setup
- Inno Setup built-in control names
- How to use ISPP to split a file size into lo / hi bits for the DwinsHs_Check function
- Inno Setup Get size of a file over 2GB limit opened in another application
- Emit new line in Inno Setup preprocessor
- Is it possible to generate user defined Info/Warning message from Setup section in Inno Setup?
- Can Inno Setup Preprocessor be used to build a duplicated set of custom messages?