From 2857c01c69459dc8e6c92192afd36420249b7b16 Mon Sep 17 00:00:00 2001
From: Koki Sato
Date: Sat, 23 May 2026 10:39:12 +0900
Subject: [PATCH 1/2] fix(nsis): embed signed copies of stock plugins, not unsigned system DLLs (#15422)

* fix(nsis): embed signed copies of stock plugins, not unsigned system DLLs
* refactor(nsis): hoist !addplugindir above !include to stay ahead of plugin commands
---
 .changes/nsis-stock-plugins-embed-signed.md | 5 +++++
 .../src/bundle/windows/nsis/installer.nsi | 6 ++++++
 crates/tauri-bundler/src/bundle/windows/nsis/mod.rs | 11 +++++++----
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 .changes/nsis-stock-plugins-embed-signed.md
diff --git a/.changes/nsis-stock-plugins-embed-signed.md b/.changes/nsis-stock-plugins-embed-signed.md
new file mode 100644
index 000000000000..dbce16faaef1
--- /dev/null
+++ b/.changes/nsis-stock-plugins-embed-signed.md
@@ -0,0 +1,5 @@
+---
+"tauri-bundler": "patch:bug"
+---
+
+Fix NSIS stock plugins (`NSISdl.dll`, `StartMenu.dll`, `System.dll`, `nsDialogs.dll`) being embedded in the final installer as unsigned despite the signing step succeeding. The signed local copies under `/Plugins/x86-unicode/` were not on makensis' plugin search path, so makensis fell back to the unsigned DLLs from the NSIS toolset directory. The fix adds `!addplugindir` for the signed plugin directory before any plugin command is parsed in the script.
diff --git a/crates/tauri-bundler/src/bundle/windows/nsis/installer.nsi b/crates/tauri-bundler/src/bundle/windows/nsis/installer.nsi
index a48a46149f6d..d372e3c39177 100644
--- a/crates/tauri-bundler/src/bundle/windows/nsis/installer.nsi
+++ b/crates/tauri-bundler/src/bundle/windows/nsis/installer.nsi
@@ -13,6 +13,12 @@ ManifestDPIAwareness PerMonitorV2
 SetCompressor /SOLID "{{compression}}"
 !endif
+; Keep above !include to stay ahead of any plugin command
+; see https://github.com/tauri-apps/tauri/pull/15422#discussion_r3289239624
+{{#if signed_plugins_path}}
+!addplugindir "{{signed_plugins_path}}"
+{{/if}}
+
 !include MUI2.nsh
 !include FileFunc.nsh
 !include x64.nsh
diff --git a/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs b/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
index 1005b882f679..5ee7db5bcaa3 100644
--- a/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
+++ b/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
@@ -282,6 +282,13 @@ fn build_nsis_app_installer(
 to_json(&additional_plugins_path),
 );
+ if let Some(plugin_copy_path) = &maybe_plugin_copy_path {
+ data.insert(
+ "signed_plugins_path",
+ to_json(plugin_copy_path.join("x86-unicode")),
+ );
+ }
+
 data.insert("arch", to_json(arch));
 data.insert("bundle_id", to_json(bundle_id));
 data.insert("manufacturer", to_json(manufacturer));
@@ -683,10 +690,6 @@ fn build_nsis_app_installer(
 #[cfg(not(target_os = "windows"))]
 let mut nsis_cmd = Command::new("makensis");
- if let Some(plugins_path) = &maybe_plugin_copy_path {
- nsis_cmd.env("NSISPLUGINS", plugins_path);
- }
-
 nsis_cmd
 .args(["-INPUTCHARSET", "UTF8", "-OUTPUTCHARSET", "UTF8"])
 .arg(match settings.log_level() {
From 472f6d01f4b4032c282824a3f7e21a358a71b80c Mon Sep 17 00:00:00 2001
From: Tony <68118705+Legend-Master@users.noreply.github.com>
Date: Sat, 23 May 2026 10:08:40 +0800
Subject: [PATCH 2/2] fix: check makensis exit code (#15429)

* fix: check makensis exit code
* Merge branch 'dev' of https://github.com/tauri-apps/tauri into check-makensis-exit-code
---
 crates/tauri-bundler/src/bundle/windows/nsis/mod.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs b/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
index 5ee7db5bcaa3..67563de153a9 100644
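Review bot: The comment added above `!addplugindir` in installer.nsi says where the directive must sit but not why, and defers the reason to a PR discussion link. The ordering is what keeps the toolset's unsigned DLLs out of the shipped installer, so the reason belongs in the file itself, for example `; Must precede any plugin call: makensis otherwise resolves stock plugins from the unsigned toolset directory`. When `signed_plugins_path` is not set the whole block is omitted and stock plugins come from the toolset directory; that looks intended for unsigned builds, but the comment should say so.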
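Review bot: In the mod.rs hunk at `@@ -282`, `plugin_copy_path.join("x86-unicode")` passes a bare literal to the template, and nothing visible here checks that the directory exists or holds the signed copies. If that path is wrong or empty, makensis would presumably fall back to the toolset's unsigned DLLs without any error, which is the silent failure this commit sets out to fix. A named constant for the literal, plus a comment such as `// signed copies of the stock plugins live under <plugin copy dir>/x86-unicode; the template adds it via !addplugindir`, would make the coupling to the copy-and-sign step explicit. `build_nsis_app_installer` starts and ends outside this hunk, so whether an existence check already happens earlier in the function cannot be told from here.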
--- a/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
+++ b/crates/tauri-bundler/src/bundle/windows/nsis/mod.rs
@@ -13,7 +13,7 @@ use crate::{
 },
 },
 },
- error::ErrorExt,
+ error::{bail, ErrorExt},
 utils::{
 http_utils::{download_and_verify, verify_file_hash, HashAlgorithm},
 CommandExt,
@@ -657,7 +657,7 @@ fn build_nsis_app_installer(
 );
 let nsis_output_path = output_path.join(out_file);
- let nsis_installer_path = settings.project_out_directory().to_path_buf().join(format!(
+ let nsis_installer_path = settings.project_out_directory().join(format!(
 "bundle/{}/{}.exe",
 if updater {
 NSIS_UPDATER_OUTPUT_FOLDER_NAME
@@ -690,7 +690,7 @@ fn build_nsis_app_installer(
 #[cfg(not(target_os = "windows"))]
 let mut nsis_cmd = Command::new("makensis");
- nsis_cmd
+ let status = nsis_cmd
 .args(["-INPUTCHARSET", "UTF8", "-OUTPUTCHARSET", "UTF8"])
 .arg(match settings.log_level() {
 log::Level::Error => "-V1",
@@ -707,6 +707,9 @@ fn build_nsis_app_installer(
 command: "makensis.exe".to_string(),
 error,
 })?;
+ if !status.success() {
+ bail!("Failed to bundle app with makensis");
+ }
 fs::rename(nsis_output_path, &nsis_installer_path)?;
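Review bot: The failure path added in the `@@ -707` hunk, `bail!("Failed to bundle app with makensis")`, discards the exit status it has just inspected, so a build log cannot tell a script error from a missing plugin or a killed process. `status` appears to be a `std::process::ExitStatus` (it is queried with `.success()`), which implements `Display`; assuming the crate's `bail!` accepts format arguments, `bail!("makensis failed with {status}")` would keep that detail. The check is correctly placed ahead of `fs::rename`, so the rename no longer runs after a failed makensis. `build_nsis_app_installer` starts and ends outside this hunk.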