Read Encryption Key from Internet instead of password box


David Daigle

Jun 21, 2021, 11:21:48 PM
to innosetup
I want the setup to read the password from a GET request instead of directly from the user. Is there any way to bypass the password box and do this?

Gavin Lambert

Jun 22, 2021, 12:42:53 AM
to inno...@googlegroups.com
There's not really a lot of point in that, since it will still be easy
for someone to intercept the password if they wanted to.

Besides, unless they're providing some kind of unique information in the
request (which could just as easily be the password itself) anyone else
could make the same request (or get a copy of the installer to do so).

It's also very unfriendly to people who need to install software on
not-internet-connected machines, or in the future once your web service
has been discontinued. (This may or may not be an issue, depending on
what kind of software you're making.)

What are you actually trying to accomplish? You probably have an XY
problem.

David Daigle

Jun 22, 2021, 2:36:56 AM
to innosetup
I need to get an alpha release to some people and I'd prefer if they didn't have a working installer after the alpha period is over. It's just another layer of obfuscation and security. My plan is to have the installer request the password via the web, and then I'll disable the web service after everyone has deployed it. Assuming no one wiresharked during the install, which I don't expect my non technical customers to do, even if they keep the installer it will help prevent it from staying in the wild.

Gavin Lambert

Jun 22, 2021, 3:18:37 AM
to inno...@googlegroups.com
On 22/06/2021 6:36 pm, David Daigle wrote:
> I need to get an alpha release to some people and I'd prefer if they
> didn't have a working installer after the alpha period is over. It's
> just another layer of obfuscation and security. My plan is to have the
> installer request the password via the web, and then I'll disable the
> web service after everyone has deployed it. Assuming no one wiresharked
> during the install, which I don't expect my non technical customers to
> do, even if they keep the installer it will help prevent it from staying
> in the wild.

Then it sounds like you actually want a licensing system to protect the
application itself, rather than the installer.

Unless you want them to be able to use but not reinstall the app outside
of the alpha period, which seems a bit odd.

Trying to do licensing in the installer is rarely the correct choice.

Gavin Lambert

Jun 22, 2021, 3:31:08 AM
to inno...@googlegroups.com
On 22/06/2021 3:21 pm, David Daigle wrote:
Still, if you want to do it anyway despite what I was saying, then it is
possible, within some constraints, as was explained in the other thread
you posted in.

1. Set Encryption=yes and Password=whatever

2. In InitializeWizard, perform your GET request and then set the
password via:

WizardForm.PasswordEdit.Text := ThePassword;

3. Don't try to hide the password page in the wizard. (You can edit the
[Messages] to show suitable descriptions.)

This way, if your request succeeds it will fill in the password (they
will be able to see the length but not the content) and they can just
click Next.

If your request fails then you can leave the field blank and if someone
happens to know the password they can still enter it manually; otherwise
they will not be able to continue.


This won't prevent someone using the app after you've removed the
password service, nor copying the installed files elsewhere on their own.
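
The three steps from the reply above combined into one script, added here as an illustration and not code posted in the thread. The endpoint URL, app name and password value are placeholders, and using the WinHttp COM object for the GET request is an assumption about how the request is made.

```innosetup
; Added example: names, URL and password are placeholders; add [Files] as usual.
[Setup]
AppName=MyAlphaApp
AppVersion=0.1
DefaultDirName={autopf}\MyAlphaApp
Encryption=yes
Password=placeholder-build-password

[Messages]
; Step 3: keep the password page visible, but explain the pre-filled field.
PasswordLabel1=This alpha installer retrieves its password online.
PasswordLabel3=If the field below is already filled in, click Next. Otherwise enter the password you were given.

[Code]
const
  // Hypothetical endpoint; HTTPS so the value does not cross the wire in clear text.
  PasswordUrl = 'https://example.invalid/alpha/password';

// Returns True and sets Value only on an HTTP 200 with a non-empty body.
function TryFetchPassword(var Value: String): Boolean;
var
  Http: Variant;
begin
  Result := False;
  Value := '';
  try
    Http := CreateOleObject('WinHttp.WinHttpRequest.5.1');
    Http.SetTimeouts(5000, 5000, 5000, 5000);
    Http.Open('GET', PasswordUrl, False);
    Http.Send('');
    if Http.Status = 200 then
    begin
      Value := Trim(Http.ResponseText);
      Result := Value <> '';
    end;
  except
    // Offline machine, DNS or TLS failure, or retired service: leave the field blank.
    Log('Password request failed: ' + GetExceptionMessage);
  end;
end;

procedure InitializeWizard;
var
  ThePassword: String;
begin
  // Step 2: pre-fill the password page; manual entry still works on failure.
  if TryFetchPassword(ThePassword) then
    WizardForm.PasswordEdit.Text := ThePassword;
end;
```

Because the endpoint returns the same value to every caller, anyone holding a copy of the installer can repeat the request while the service is up, which is the limitation raised earlier in the thread.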

David Daigle

Jun 22, 2021, 3:50:56 AM
to inno...@googlegroups.com
I agree. But my application is C# and Python. I'd say the unencrypted binaries are more vulnerable. That being said, those have a licensing scheme as well.

--
You received this message because you are subscribed to a topic in the Google Groups "innosetup" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/innosetup/-WBE_BaT3v4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to innosetup+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/innosetup/9772b398-3fc3-e7f9-2f10-5e64b47e53c2%40mirality.co.nz.

David Daigle

Jun 22, 2021, 3:51:57 AM
to inno...@googlegroups.com
Thank you! I'll give it a try. 
