From 4f0e2342e6484df06420776d8bd8299a03198907 Mon Sep 17 00:00:00 2001
From: Andrey Lihatskiy
Date: Thu, 18 Sep 2025 17:30:21 +0300
Subject: [PATCH 1/2] Add makensis-action step to sign-pkg-windows

---
 sign-pkg-windows/action.yaml | 64 ++++++++++++++++++++++++++++++------
 1 file changed, 54 insertions(+), 10 deletions(-)

diff --git a/sign-pkg-windows/action.yaml b/sign-pkg-windows/action.yaml
index 9ab6e1a..725cc18 100644
--- a/sign-pkg-windows/action.yaml
+++ b/sign-pkg-windows/action.yaml
@@ -18,10 +18,48 @@ inputs: tenant_id: description: "Azure signer app tenantId" required: true + nsis_version: + description: "NSIS version to install if not already present" + default: '3.10' + required: true runs: using: composite steps: + - name: Setup NSIS + # Install NSIS if not already installed on the runner + # See https://nsis.sourceforge.io/Download + shell: pwsh + run: | + $ErrorActionPreference = 'Stop' + $version = '${{ inputs.nsis_version }}' + $existing = (Get-Command makensis.exe -ErrorAction SilentlyContinue) + if ($existing) { + Write-Host "Found existing makensis at $($existing.Source) - skipping download" + & $existing.Source -VERSION + return + } + $zipName = "nsis-$version.zip" + $url = "https://downloads.sourceforge.net/project/nsis/NSIS%203/$version/$zipName" + $zipPath = Join-Path $env:RUNNER_TEMP $zipName + Write-Host "Downloading NSIS $version from $url" + try { + $curlProcess = Start-Process -FilePath "curl.exe" -ArgumentList "-L", "-o", "`"$zipPath`"", "`"$url`"" -NoNewWindow -Wait -PassThru + if ($curlProcess.ExitCode -ne 0) { throw "curl exited with code $($curlProcess.ExitCode)" } + } catch { + Write-Error "Download failed with curl: $($_.Exception.Message)" + throw + } + $dest = Join-Path $env:RUNNER_TEMP "nsis-unpacked" + if (Test-Path $dest) { Remove-Item -Recurse -Force $dest } + Expand-Archive -Path $zipPath -DestinationPath $dest + $makensis = Get-ChildItem -Path $dest -Recurse -Filter makensis.exe | Select-Object -First 1 + if (-not $makensis) { throw 'makensis.exe not found in extracted archive' } + $binDir = Split-Path $makensis.FullName + Add-Content -Path $env:GITHUB_PATH -Value $binDir + Write-Host "NSIS added to PATH: $binDir" + & $makensis.FullName -VERSION + - name: Fetch Windows app uses: actions/download-artifact@v4 with: 
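Review bot: The `nsis-$version.zip` fetched from SourceForge is extracted and prepended to PATH with no integrity check, so whatever the download host (or any mirror the `-L` redirect lands on) serves becomes the makensis that builds the installer this action then signs; a step feeding a signing pipeline should pin the archive. Add an `nsis_sha256` input (supplied through `env:` rather than interpolated into the script) and verify before `Expand-Archive`: `$actual = (Get-FileHash -Algorithm SHA256 -Path $zipPath).Hash` followed by `if ($actual -ne $env:NSIS_SHA256) { throw "NSIS archive hash mismatch: expected $env:NSIS_SHA256, got $actual" }`. The curl call should also pass `-f` (and ideally `--retry 3`) so an HTTP error body is not written to the zip and only surfaces later as an opaque `Expand-Archive` failure. The existing-install branch accepts any `makensis.exe` on PATH without comparing its version to `nsis_version`; at minimum a comment such as `# nsis_version is only used for the download; a pre-installed makensis is used as-is` should say so.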
@@ -56,7 +94,6 @@ runs: id: nsis shell: python run: | - # Logic derived from viewer_manifest.py - still needed though? # Use Python because bash refuses to expand "${programfiles(x86)}" -- # even though that's really the name of the Windows environment # variable. @@ -64,15 +101,22 @@ runs: import shlex from shutil import which import subprocess - nsis_path = which( - "makensis", - path=os.pathsep.join( - os.path.join(program_files, subpath) - for program_files in - (os.getenv(var) for var in ('programfiles', 'programfiles(x86)')) - for subpath in ('NSIS', r'NSIS\Unicode') - if program_files)) - assert nsis_path + + # First try to find makensis in PATH (for installed NSIS) + nsis_path = which("makensis") + + # If not found in PATH, try the old Program Files locations (fallback) + if not nsis_path: + nsis_path = which( + "makensis", + path=os.pathsep.join( + os.path.join(program_files, subpath) + for program_files in + (os.getenv(var) for var in ('programfiles', 'programfiles(x86)')) + for subpath in ('NSIS', r'NSIS\Unicode') + if program_files)) + + assert nsis_path, "makensis not found in PATH or standard NSIS installation directories" # This .nsi file was prepared by viewer_manifest.py (by substituting # values into a template .nsi file) and bundled into the top level of From 1640f3418dbcc56e4597f8eac02073baadb9005f Mon Sep 17 00:00:00 2001 From: Andrey Lihatskiy <118752495+marchcat@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:48:22 +0300 Subject: [PATCH 2/2] Potential fix for code injection - use env to set NSIS version Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- sign-pkg-windows/action.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sign-pkg-windows/action.yaml b/sign-pkg-windows/action.yaml index 725cc18..93bb13e 100644 --- a/sign-pkg-windows/action.yaml +++ b/sign-pkg-windows/action.yaml 
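Review bot: Preferring a bare `which("makensis")` over the Program Files lookup changes which binary gets trusted: on Windows `shutil.which` has historically included the current working directory in its search (the exact rules vary across Python versions), so a `makensis.exe` sitting in the checked-out repository or the download directory could shadow the installed one, and any earlier step that appends to `GITHUB_PATH` can do the same. Since the Setup NSIS step already knows the exact binary it found or extracted, a tighter contract is to export it there (`Add-Content -Path $env:GITHUB_ENV -Value "MAKENSIS=$($makensis.FullName)"`) and have this step use `nsis_path = os.environ.get("MAKENSIS")` first, only falling through to the PATH and Program Files search when it is unset. The improved assertion message is welcome. The Python step's body continues past the end of the hunk.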
@@ -30,9 +30,11 @@ runs: # Install NSIS if not already installed on the runner # See https://nsis.sourceforge.io/Download shell: pwsh + env: + NSIS_VERSION: ${{ inputs.nsis_version }} run: | $ErrorActionPreference = 'Stop' - $version = '${{ inputs.nsis_version }}' + $version = $env:NSIS_VERSION $existing = (Get-Command makensis.exe -ErrorAction SilentlyContinue) if ($existing) { Write-Host "Found existing makensis at $($existing.Source) - skipping download"
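Review bot: Reading the version from `$env:NSIS_VERSION` stops the input from being evaluated as PowerShell, but the value still flows unvalidated into the SourceForge URL and into `Join-Path $env:RUNNER_TEMP "nsis-$version.zip"` further down this step (shown in the first patch), so a caller-supplied value containing `/` or `..\` changes both where the archive is fetched from and where it is written. Constrain it immediately after the assignment: `if ($version -notmatch '^\d+\.\d+(\.\d+)?$') { throw "nsis_version must look like 3.10, got '$version'" }`. The step body continues past the end of the hunk.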