Application Security Testing: An Integral Part of DevOps
In this day and age of web applications, you might be forgiven for thinking that we don't require software installation applications any longer. However, the very opposite is true; a lot of web applications are still shipped out to organisations to run on their own internal web servers. There's actually not a large amount of web applications that are 100% publicly accessible.
Consider also that a lot of web-based applications increasingly depend on Windows-based service applications running on the same machines as the web applications in question, providing access to various back-end services that are simply not available to the front-end, web-based code. Because of this, and a number of questions asked in the Linked.NET Virtual Users group (Lidnug) that I help run, I've decided to do a quick rundown of the install makers that are currently available to developers working on the .NET platform today.
As with other similar articles, I'll only be looking at free-to-use offerings. I will include some that are commercial, but only because they have a genuinely fully free mode. I won't include any that only do "30 days free" or that are crippled but useable in a limited fashion, and where a commercial product is mentioned, it should NOT be seen as an endorsement of that product.
So, What Exactly Is an Install Maker?
We've all seen them at some stage or another. Those applications (typically called 'setup.exe') that, when run, give you that obligatory small dialog box with the 'next' and 'previous' buttons in the bottom-right corner, which asks you where on your hard drive you want to install the application, and any other questions that may be required, such as license key entry. Providing an installer for your software is something that's very often overlooked by many developers but which can actually add a very professional final touch to your application before it's unleashed onto the general public.
Understandably, in this day and age of web applications, it's becoming somewhat less common to see installers, because a large chunk of the software we interact with these days we consume via our web browser of choice. That's not to say that there's no place for installers any longer, however.
In the enterprise and desktop markets, there is still an ongoing need for custom-written applications in WPF, and as I previously mentioned, some web apps are shipped out on a DVD for an end user to install on their own web servers. Being able to produce a great looking, simple to use, installation experience will keep customers coming back to you for other software, and it'll win you many kudos points in the customer support and experience stakes.
What Makes a Good Install Maker?
Creating software installers is hard, very hard. In fact, it's probably orders of magnitude more difficult that writing standard application software. Why? Well, you need to make sure that you can set up and get your software running on ANY configuration of Windows and hardware on the planet.
Think about this for a moment.... that's billions and billions of Windows-based machines, with staggeringly different amounts of memory, hard drive space, CPU speed, and installed software, all with subtle, slight differences in Windows configuration, and you have to be able to run on ALL of them! A good install maker will guide you through common operations, such as telling the system which files your application consists of, or what prerequisites it needs to ensure are installed.
It will allow you to stamp your mark and/or company logo on it, customise the dialogs to ensure that all information needed by your application is collected, and that standard things such as start menu entries and shortcuts are easy to create. All of this, AND it needs to be easy to use by you as a developer, and even where possible integrate with your Visual Studio or other development tools' workflow.
NSIS (Nullsoft installer)
NSIS originally came about quite some time ago when Nullsoft (the original makers of WinAmp) needed an installer to make it easy to install WinAmp plug-ins. Originally called 'Pimp' (plugin installer maker package), the developers quickly realised that there was a gap for a decent free installer maker for the Windows platform. So, NSIS was born.
NSIS, for its size usage, is a surprisingly powerful toolkit, but that power comes with a bit of a price. First and foremost, the entire thing is script driven. This means that, to make any use of it, you need to learn a new scripting language that's specific to the toolkit. It wouldn't be so bad if the scripting followed similar languages or even used an already established language such as Python, but it doesn't. It uses a language specifically invented for the toolkit, and which in some ways resembles a semi-high-level, assembler-like syntax with sections and pseudo mnemonics for simplified operations. There are GUI editor add-ons available, such as the NSIS Editor for Eclipse.
This editor, although officially supported by the creators, requires that you use the Eclipse IDE to make use of it. There also are two fairly good standalone editors, "NIS Edit" and "Venis IX," both of which attempt to get you away from much of the scripting by giving you a visual/icon-driven tool set that writes portions of the code for you.
The documentation for NSIS is also top dollar. Out of all the installers I looked at for this post, NSIS by far has the most comprehensive, with more examples and tutorials than you can shake a stick at. There are examples and ready-to-use code in abundance on the NSIS Wiki. The setup archives produced by the toolkit use industry standard zip format files, so if you have a broken installer, it's still possible to extract the contents using programs such as 7-Zip and install things by hand. NSIS is open source freeware and can be used for commercial projects without restriction.
you can find out more at: http://nsis.sourceforge.net/
Like NSIS, INNO has been around for quite some time. It is now in its fifth version and still being actively maintained. Also like NSIS, INNO is script driven, but does not use a custom scripting language. The scripts used for INNO are more like old-fashioned Windows INI files (for those who remember them :-) ) and are more like a series of step-by-step instructions that the INNO tools then use to build the installer setup file.
The community for INNO is not as big as that for NSIS, but that doesn't mean it's any less passionate. INNO is written in Delphi (Object Pascal) and exposes a built-in Pascal Scripting language to customise and add extra features into your installer scripts.
There are quite a few GUI-based applications to make the authoring process easy; the best of these seems to be "Inno Script Studio." There's decent documentation available on the Inno Setup site, and links to third-party utilities to help make things easier. A couple of features that INNO has and are not seen in any of the others is the ability to create setup programs for Itanium-based Windows platforms, and the ability to digitally sign the final installer with a professional digital certificate.
You can find out more at: http://innosetup.com/
Install Forge appears to be a very new project in this space, and as of yet appears to have quite a small niche following. First impressions, however, look very promising.
IF is GUI-driven right from the start, so you can jump right in and start clicking buttons without having to learn any complex scripting languages as you do with the previous two. It also has a built-in serial number generator that will generate serial numbers that match the serial number checking and dialogs built into the system. It will ensure that the code to validate these serials is combined into your EXE automatically, allowing you to concentrate more on building the installer and less time worrying about things like application registration.
IF also has the freeware version of its commercial package "Visual Update" built into it, ready to use in your own projects. Visual Update allows you to build in smart online checking and automatic update facilities so that your application can automatically update itself to the latest version when a new one is released.
You can use Install Forge to create an installer for commercial apps, but you cannot use Visual Update on commercial projects without upgrading it to one of the paid-for licenses.
You can find out more at: http://installforge.net/
How can I describe WiX in a simple way? I can't. Put simply, WiX can do EVERYTHING, and it really wouldn't surprise me if it could also make you a cup of coffee while it was building your installer.
WiX (or the Windows Installer Toolkit, to give it its full name) was the first product that Microsoft ever released to open source. Yes, you heard me right. WiX came from inside MS, and was originally used to build the installers for Office 2007, SQL Server 2005, and Visual Studio 2005/2008, as well as many more. Still officially supported by MS today, WiX has an absolutely massive community behind it, with articles on working with it and an army of active users and experts on stack overflow. There have even been fully commercial books written on it and hundreds of blog posts around the world.
So what's the downside? It's quite steep to learn.
It uses XML files that, for the most part, you need to generate by hand, so you need to learn the quite convoluted XML file structure that's used to describe your installer, and then learn the various command line tools and the many switches they have to use things effectively. That said, There are GUI tools available to make this easier in the form of isWix, WixEdit, and WarSetup, but the biggest advantage by far is the integration with Visual Studio itself.
When you install the WiX toolkit, not only do you install the tools, but you also get project templates, msbuild bindings, and file type integration directly inside Visual Studio, including the most recent versions. NSIS and INNO both have Visual Studio integration options, but these are commercial and require a paid-for licence after 30 days; Install Forge is standalone, which means it does everything itself inside its own environment.
You can find out more at: http://wixtoolset.org/
AI is the only package in this list that's actually a fully commercial installer but that has a fully freeware, free-to-use version. I've used AI on previous projects, and going from someone who's never used it before to building an installer only took me a couple of hours. It's fully GUI driven, and has the ability to load and work with WiX, NSIS, and INNO project files, making conversion of existing installers using these three kits superbly easy.
As with Install Forge, everything is done within the one application, but its project files are in XML rather than a custom format; this means it's not difficult to write your own external tools. Because this is more of a commercial app than a community-driven app, the community behind it is unfortunately quite small, but it's easy enough to learn that you actually need very little support to get anywhere.
If you're looking to build installers rapidly, and have those installers be able to read your Visual Studio and Delphi projects to understand the dependencies required, this is most likely a good choice. Be aware, though, the freeware version has all of its icons and other functionality enabled, and you don't realise that a feature is not allowed until you attempt to use it and get told no. In some ways, this is slightly annoying, but if you read the features list in detail available at the product's web site, you'll see they do list what you can and cannot do.
You can find out more at: http://advancedinstaller.com/
And the Rest.....
There are many more products out there. Two of the more prominent of these are "Install Jammer" and "Sharp Setup." I left these off intentionally because, with "Install Jammer," I couldn't get enough info on it and "Sharp Setup" has undergone some rather big changes, which means there is no longer a free version to use since I last looked at it.
"Sharp Setup" is a particularly sad case because the older 1.6.1 and previous versions were completely free to use, and took a very different approach to everything else here for making installers. "Sharp Setup" worked by installing a number of components and libraries into your .NET environment, which you then simply integrated into a WPF and/or Webforms application. The addition of these components then gave your application all the facilities it needed to perform common installer tasks all without leaving VS. Unfortunately, v1.6.1 and previous versions are no longer available for download; the only option you now have is the up-to-date, paid-for version.
There are many others I could also mention. The four main ones I've presented here, however, appear to be the ones most used by developers in the .NET eco-sphere, with WiX emerging as somewhat of an industry leader and powerhouse of all things .NET
If you have any ideas for subjects you'd like to see covered in this column, please feel free to reach out to me on Twitter as @shawty_ds or come and find me on LinkedIn in the Lidnug .NET users group that I help run. I'd love to hear your ideas and suggestions for this column.