Gpg4win installer

TODO, under construction

Gpg4win v2.3.0 and earlier uses an installer build on top of NSIS, cross build on Debian GNU/Linux. There were once instructions to manually build an MSI installer from the NSIS package, which are now outdated (see below).

Should we use something else? What is a better solution?

Criteria

(Todo: weight and rank)

  1. can be automated, because manual building will induce errors, is less reproducible and costs significant efforts.
  2. can be cross build, because main GnuPG build environment and developer community is on GNU/Linux.
  3. consists of Free Software, so it can be independently audited
  4. behaves like a common application on the platform, so users can use their tools and knowledge
    • if a software distribution system or a system management solution is used, we shall play nice with it.
    • deinstallation should work via system controls
  5. looks attractive, to promote acceptance.
  6. can be internationalized, because GnuPG and apps target a lot of international users. German is a core language.
  7. can do everything that is needed, e.g. if services are to registered for autostart.
  8. is easy to understand and change, because this reduces efforts and problems.
  9. handling some level of dependencies and version, because we want Ggp4win to be updated separately from applications that use it, e.g. Claws Mail.
    • we also want the crypto engine to be updateable independently from "the rest" of Gpg4win. Rationale: less risk of breaking by separate testing and faster (security) updates.
  10. install/updates/deinstall should be possible
  11. update notifications, so that users will know when they run an outdated version and should update.
  12. verification of the Installer, so that user can be sure where it comes from.
  13. allow (volunteering) payments?
  14. allow to be found, conceived via "popular" stores? Windows App Store? Steam?
  15. maybe inspected before execution? Could be security feature or making it possible to get it installed in more restricted environments?

Discussion

WiX 3 tutorial makes a case for Windows Installer/MSI as being declarative and thus more robust. But recommends WiX only for more complicated cases: The relatively steep learning curve [..] and the unavoidable exposure to the internal details and, sometimes, intricacies of the underlying Windows Installer technology suggest that [..] those who don't really need the [..] performance [..] might be better served by a simpler, GUI-based setup authoring tool [..]

Stefan Kanthak has published arguments against executable installers. As the Page tries to start a drive by download as a proof of concept for DLL Carpeting we do not link the page directly from this wiki. It can be found on: http://home.arcor.de/skanthak/!execute.html

This page does not discuss given reasons for using a "bootstrapper" like burn from WiXtools.

http://installsite.org/ (contaminated with advertisements) but links to old and new stuff The Future of Windows Installer (MSI) in the Light of Windows 10 and the Universal Windows Platform:

AppX is now our deployment model. MSI isn’t going to go away, but we want you to move to AppX. (May 3rd, 2015)

As long as we do not have a unified packaging system for free software on Windows, it does not make sense to switch to a new installer framework. MSI is nice but can only unleash its power if we would make use of almost all of MS SDK features which in turn requires the use and distribution of non-free software. We want to build on free software as far as possible and only resort to System services if not avoidable. After all there should be only one packaging system for an OS (e.g. DPKG on Debian, RPM for Fedora, MSI for Windows). Any mix of packaging systems is always problematic and can only be a workaround (e.g. alien on Debian). Due to the strategic goal of helping Windows user to migrate to free software I can envison a second packing system on Windows for free software. However, all efforts in this direction have not brought any success and developers will anyway soon realize that it would be easier to simply switch to a free software OS and maybe run Windows in a VM. -- werner 2015-12-02 13:12:58

Examples for "executable" installers

Microsoft and other known vendors still use executable installers. (That may or may not include Windows Installer (aka msi) files.) Probably for a reason. (Which reasons more precisely?)

Thus using an executable installer seems to be state of the art (2015-12). Open questions:

  1. How many .exe installers contain MSI files?
  2. What are the most used technologies to create these installers?

Potential reasons to use an executable installer instead of directly using and MSI file:

MSI aka "Windows Installer"

This is the way recommended by Microsoft for many years.

https://en.wikipedia.org/wiki/Windows_Installer

Specific to Gpg4win: an old, probably outdated instructions to manually build an msi Installer for Gpg4win: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob_plain;f=src/README-msi.txt;hb=HEAD

A number of installers come as MSI files or have MSI files wrapped by a "bootstrapper". Microsoft uses wixtoolset (see below) to create installers for a number of their products.

Probably all system management or software distribution systems on MS Windows will play nicely with MSI files.

https://en.wikipedia.org/wiki/COM_Structured_Storage The format inside is unspecified and implemented in msi.dll.

2013 wix discussion about vs nsis

http://stackoverflow.com/questions/1951289/windows-installer-msi-format :
If you really want to know more about the details of the internals of the MSI file format then take a read through of these two blog articles by Rob Mensching (the author of WiX)

It is possible to launch executables from MSI during installation:

MSI files can contain other MSI files and other files like CAB files.

http://www.jsware.net/jsware/msicode.php5 has tools in VBScript and some comments about structures and tools.

Free Software that potentially could read/write COM Structured Storage files:

WiX Toolset

http://wixtoolset.org/ The WiX toolset builds Windows installation packages from XML source code.

Advantage: can be run within automation.

https://iswix.codeplex.com/ Industrial Strength Windows Installer XML ( IsWiX ) makes authoring Windows Installer XML (WiX) Windows Installers (.MSI) easier.

It uses msi.dll for the internal, undocumented database implementation inside "COM structure storage", thus it cannot run without a windows implementation like Wine.

http://wixtoolset.org/issues/4381/, 2014-04: """The managed code should work on Mono but WiX contains native code and relies on an implementation of msi.dll. You end up needing Wine anyway. """

msi.dll

Source code (2015-12-02) not found on

CAB

Is an archive format, can be read and written with Free Software tools. Can be used within MSI files or other installations methods, e.g. can opened directly?

INF

Seems to be for drivers, but may also work as an installer methods. See Kanthaks writtings.

cr(azy)eative ideas


Discussion about the best installing technology targeting MS Windows. Started by Bernhard.

Gpg4win/Installer (last edited 2016-06-16 17:04:30 by AndreHeinecke)