Hi, I am new to openziti. I am trying to find out how to build an installer, or alternatively, create an exe file for Windows that I can give to non technical people to put on their computers. (I am okay with building from source code, but not everyone that I work with are software developers.)
Maybe I am not understanding the question… would not the Ziti Desktop Edge for Windows provide this? Releases · openziti/desktop-edge-win · GitHub
My colleagues and I have forked the branch, as we are adding our own features. I would like to be able to create the exe and sha files from our fork of openziti. I haven’t been able to find working instructions on how to create the exe and sha files.
Nice! Welcome to the community @thelouiselawrence .
I checked this file, it looks like it is still accurate desktop-edge-win/BUILDING.md at release-next · openziti/desktop-edge-win · GitHub
Basically you need to:
- build the service
- Build the ui / upgrade agent (you might want to eliminate this, or change it for your own environment)
- Assemble the installer
Take a look at the .bat files inside the service folder and the .PS1 file inside the installer folder.
We use a product called advanced installer to build the install bundle. You’ll also have to discover how we are signing our install files, which is… Maybe something to learn. It might be the hardest thing to work through if you’re not familiar.
Feel free to ask me questions about that process once you check that stuff out.
Welcome to OpenZiti!
I got that all working. Thank you.
I am now trying to figure out how to sign the install bundle. I am not familiar with that process.
Signing the bundle is somewhat complex. You will need two different certificates or you will need to remove the code that uses these signatures. That’s probably going to be somewhat complicated tbh. You might want to put up a PR that makes the signature verification optional. You can add an issue to the github project but it’s not a priority at the moment - we’ll get to it when we can…
To sign the bundle you will need two pkcs12 bundles that contain the signing cert/key to sign the file.
Valid 3rd Party pkcs12
We use one from a valid third part, and we sign it ourselves with our own signing cert. The first signing cert is located/declared inside the AdvancedInstaller project L131 currently. You can see that AdvancedInstaller is expecting a file named
WinSign.p12 to be located in the same folder as the build.ps1 file. If I list the contents of this folder from MY dev machine:
c:\git\github\openziti\desktop-edge-win\Installer>ll *.p12 -rwxrwx---+ 1 cd cd 3047 Oct 12 2020 WinSign.2020.p12 -rwxrwx---+ 1 cd cd 3129 Jun 3 2021 WinSign.p12 -rwxrwx---+ 1 cd cd 4269 Jun 3 2021 openziti.p12
You can see I have two .p12 files. That WinSign one - that’s the ‘legit third party’ signing bundle. Your does not need to be from a legit third party- but you need that file - or you need to remove the signing process from the install bundle. That “solves” the problem too of course
OpenZiti signing bundle
The other pkcs12 bundle in there is the “openziti.p12”. This is a second signing bundle we use that you can easily eliminate. That’s L77-78 in build.ps1. You can remove those two lines as they are almost certainly irrelevant to you.
The next thing you will discover is that your app will start uninstalling itself… That’s because there’s automatic updating built into the project. You’ll certainly want to make sure you replace/update the code that performs the automatic updating. The c# project in
ZitiUpdateService will check git for new releases and run the uninstall/install process keeping the client always up to date. That you’ll have to change too
We got the signing working. But we ran into another problem. The install works, but when we try stopping and starting the ziti-tunnel from the app, it says that the ziti-monitor isn’t running. But the task manager shows that the ziti-monitor is running. We have tried a few different configurations with files, folders, and services. Is there anything obvious that we have missed?
Is there any chance you’re changing the IPC name? The UI communicates to the monitor service via IPC to send a message that the monitor service should stop the data service. If the named pipe has changed that’s one thing that might prevent the UI from sending the monitor service the message. Also it’s possible that group policies or permissions are preventing it from reaching the monitor service.
The monitor service also has logs that might be helpful or relevant.