Integrity check of whole Inno Setup installer
We use Inno Setup for our installer. Recently a user reported the following error during installation:
An error occurred while trying to copy a file: the source file is corrupted
This was due to a setup file that was indeed corrupted somehow.
Ideally the setup EXE would have performed some kind of check upon initialization to see if the entire EXE was valid or not. But apparently it only did this on a file-by-file basis. Is it possible to get InnoSetup to do that?
I looked in Inno Setup documentation for keywords like 'check', 'hash', etc. but didn't see anything - perhaps I missed it.
Quite similar question (from about 10 years ago - though specifically asking about MD5): How to implement MD5 check into Inno Setup installer to get 'like NSIS integrity check'? . That question seemed to state that such a check should already be happening. So perhaps the issue is not whether or not the setup EXE is validated but when this information is used / shown to the user. Also the accepted answer seemed quite manual, ideally I'd like Inno to do this itself.
Similar question with a different error message: "Source file corrupted: SHA-1 hash mismatch" error from Inno Setup
Add a checksum to the installer and verify it when the installer is starting. A standard (and recommended) way to do that is to sign the installer using code signing certificate. It's a must anyway these days.
Easy way to verify the signature is using PowerShell Get-AuthenticodeSignature. You need PowerShell 5.1 for that. It is bundled with Windows 10 Build 14393 (August 2016) and newer. The following code uses that (and skips the check on older versions of Windows).
function InitializeSetup(): Boolean;
var
WindowsVersion: TWindowsVersion;
S: string;
ResultCode: Integer;
begin
Result := True;
GetWindowsVersionEx(WindowsVersion);
Log(Format('Windows build %d', [WindowsVersion.Build]));
// TODO: Better would be to check PowerShell version
if WindowsVersion.Build < 14393 then
begin
Log('Old version of Windows, skipping certificate check');
end
else
begin
S := ExpandConstant('{srcexe}');
if (Pos('''', S) > 0) or (Pos('"', S) > 0) then
RaiseException('Possible code injection');
S := 'if ((Get-AuthenticodeSignature ''' + S + ''').Status -ne ''Valid'') ' +
'{ exit 1 }';
if ExecAsOriginalUser(
'powershell', '-ExecutionPolicy Bypass -command "' + S + '"',
'', SW_HIDE, ewWaitUntilTerminated, ResultCode) and
(ResultCode = 0) then
begin
Log('Installer signature is valid');
end
else
begin
S := 'Installer signature is not valid. Are you sure you want to continue?';
Result := (MsgBox(S, mbError, MB_YESNO) = IDYES);
end;
end;
end;
If you need to support older versions of Windows, you will have to use more complicated methods, like:
- Bundling
signtoolwith the installer (not sure about license here); - Using
X509Certificateclass.
- How to set 'Run as administrator' on a file using Inno Setup
- Use Inno Setup UI as a self-extractor only - No installation
- Passing Custom command line parameter in Inno Setup to progams executable
- InnoSetup - how can you have inline comments in the setup source?
- Install file from Internet in Inno Setup
- InnoTools Downloader is failing with “Sorry, the files could not be downloaded”
- Download latest files during installation Inno Setup
- Setting SetupIconFile to certain icon changes also icon on Destination Location and Start Menu pages
- Can Inno Setup detect Windows11 on ARM64 hardware which can emulate x64?
- Inno Setup UninstallIcon Disappears
- Using VS C++ functions in Inno Setup
- How do I automatically set the version of my Inno Setup installer according to my application version?
- Inno Setup installer icon not changing
- Get a value from key=value text file (without sections) in Inno Setup?
- How do I fix maven error The JAVA_HOME environment variable is not defined correctly?
- How to add .arc decompression to Inno Setup?
- How to decompress archive file with progress and cancel button in Inno Setup using unarc
- How to skip custom page based on setup type in Inno Setup
- Cannot read value in Inno Setup Pascal Script from an array defined by #define preprocessor
- How to create two LicenseFile pages in Inno Setup
- Check parameter function in UninstallRun does not work correctly
- How to Lighten or Darken a specified TColor in Inno Setup Pascal Script?
- Show install directory in Inno Setup, but do not allow change?
- Iterate over Inno Setup [Files] section in Pascal code
- How to allow installation only to a specific folder?
- How to access the ItemIndex property of the TNewComboBox class?
- How to update Inno Setup AppVersion [Setup] value from Config.xml file
- Inno Setup post-install program launches, installer still "active"
- Detecting .NET 8 desktop runtime is installed in Inno Setup
- How to check if a string is a number in Inno Setup