# Installer (auto update + run command)
This program runs only once. On its first run, it replaces itself with the newest CLI version and re-executes this new version with the same environment, passing the same arguments, and piping stdin, stderr, and stdout.

## How it works
1. The user installs this program (probably by using a .pkg or .msi installer)
2. The user runs the program
3. Program auto-updates to the newest stable CLI version
4. Program re-executes: forks a new process with its new binary, using the very same environment variables, passing the same arguments, and piping stdin, stderr, stdout

Environment variable `WEDEPLOY_INSTALLER_SKIP_REEXEC` can be used to skip the re-execution step.

## Why
We use [equinox.io](https://equinox.io) to distribute the Liferay Cloud Platform CLI tool (for a few reasons, like its binary deltas). It packages the generated CLI binaries in different formats, such as .rpm, .deb, .msi (Microsoft Installer), and .pkg (macOS installer).

The equinox.io service generates a page with all these different download options for each version we release. However, the .msi and .pkg packages there aren't code signed.

On Unix-like systems, this might be mitigated by recommending our curl-based installation process, even though there [are](https://news.ycombinator.com/item?id=12766049) just [too](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/) many [reasons](https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install) why this is, overall, a bad idea.

For Windows, we have always recommended using the .msi installer, given that Windows unfortunately doesn't come with curl natively. This means that if we don't code sign the package, we end up with unwanted security warnings that might confuse and turn away users.

## Placeholder packages and code signing
While we can't code sign the Equinox-distributed packages until they add support for this feature, we are going to take an alternative approach to the ideal (but expensive) case of signing all packages.

Create and serve placeholder packages for macOS and Windows (as described above) so that users can install them on their operating systems without getting security warnings (or even ending up completely blocked from installing the software).

The package can try to execute the binary itself, as part of an install script. For this, set the `WEDEPLOY_INSTALLER_SKIP_REEXEC` environment variable to skip running "lcp" afterward.

Timestamping the signature with a remote server is recommended.

### Windows package
Read the references below to see how it works. There are a few Certificate Authorities selling code signing certificates for Windows, such as [DigiCert](https://www.digicert.com/).

If you can't find the code signing tool, try
`C:\Program Files (x86)\Windows kits\10\App Certification Kit\signtool.exe`.

Currently we use DigiCert, so following the steps described in the document [Signing Code with Microsoft Signcode or SignTool | DigiCert](https://www.digicert.com/code-signing/signcode-signtool-command-line.htm) should be the easiest way to code sign a package.

You can verify that an application is signed by right click → File Properties → Digital Signatures. A file can be signed multiple times. Make sure to check the details of the signature to confirm everything is correct.

* [Cryptography Tools](https://docs.microsoft.com/en-us/windows/desktop/seccrypto/cryptography-tools)
* [SignTool](https://docs.microsoft.com/en-us/windows/desktop/seccrypto/signtool)

### macOS package
Gatekeeper requires an Apple Developer code signing certificate to avoid a security warning when running a .pkg installer. The only CA recognized by macOS is Apple's own CA.

Tip: verify macOS .pkg installers with the native `installer` program or with [Suspicious Package](https://www.mothersruin.com/software/SuspiciousPackage/).

* Apple's [Code Signing Guide](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html)
* [How to sign your Mac OS X App for Gatekeeper](https://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/)
* [panic: About GateKeeper](https://panic.com/blog/about-gatekeeper/)
* [Mac developers: Gatekeeper is a concern, but still gives power users control](https://arstechnica.com/gadgets/2012/02/developers-gatekeeper-a-concern-but-still-gives-power-users-control/)

## Related wedeploy/cli issues
* [Create a signed MSI package for Windows](https://github.com/wedeploy/cli/issues/325)
* [Antivirus found security risk in CLI installer](https://github.com/wedeploy/cli/issues/324)
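
The re-execution step (step 4 of "How it works") together with the `WEDEPLOY_INSTALLER_SKIP_REEXEC` switch, sketched in Go as an added example; it is not the project's installer code. The helper names, the rule that any non-empty value skips, and the absolute-path check are assumptions of this example.

```go
package main

import (
	"errors"
	"os"
	"os/exec"
	"path/filepath"
)

// skipEnv is the switch named in this README.
const skipEnv = "WEDEPLOY_INSTALLER_SKIP_REEXEC"

// shouldReexec reports whether to run the new binary. Assumption: any
// non-empty value means "skip"; the README does not list accepted values.
func shouldReexec(lookup func(string) (string, bool)) bool {
	v, ok := lookup(skipEnv)
	return !ok || v == ""
}

// buildReexec prepares the child with the same arguments and environment and
// the parent's stdin, stdout and stderr. It insists on an absolute path so
// that no PATH lookup decides which binary runs after the update.
func buildReexec(binary string, args, env []string) (*exec.Cmd, error) {
	if !filepath.IsAbs(binary) {
		return nil, errors.New("re-exec path must be absolute: " + binary)
	}
	cmd := exec.Command(binary, args...)
	cmd.Env = env
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd, nil
}

func main() {
	self, err := os.Executable() // resolve before the update replaces the file
	if err != nil || !shouldReexec(os.LookupEnv) {
		return
	}
	// Demo only: nothing is replaced here, so the child is this same program;
	// the skip switch in its environment stops it after one hop.
	cmd, err := buildReexec(self, os.Args[1:], append(os.Environ(), skipEnv+"=1"))
	if err == nil {
		err = cmd.Run()
	}
	if err != nil {
		os.Exit(1)
	}
}
```
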