
Finish: Tweaks and fixes after testing.

Martijn Laan 3 months ago
parent
commit
f3f7fbad28

+ 4 - 7
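--- a/Projects/Src/Compiler.Messages.pas
+++ b/Projects/Src/Compiler.Messages.pas
@@ -218,7 +218,7 @@ const
   { Flags }
   SCompilerParamUnknownFlag2 = 'Parameter "%s" includes an unknown flag';
   SCompilerParamErrorBadCombo2 = 'Parameter "%s" cannot have both the "%s" and "%s" flags';
-  SCompilerParamErrorBadCombo2SameSource = 'Parameter "%s" cannot have both the "%s" and "%s" flags on the same source file';
+  SCompilerParamErrorBadCombo2SameSource = 'Parameter "%s" cannot have both the "%s" and "%s" flags on a single source file';
   SCompilerParamUnsupportedFlag = 'Parameter "%s" includes a flag that is not supported in this section';
   SCompilerParamFlagMissing = 'Flag "%s" must be used if flag "%s" is used';
   SCompilerParamFlagMissing2 = 'Flag "%s" must be used if parameter "%s" is used';
@@ -291,12 +291,9 @@ const
   SCompilerFilesWildcardNotMatched = 'No files found matching "%s"';
   SCompilerFilesDestNameCantBeSpecified = 'Parameter "DestName" cannot be specified if ' +
     'the "Source" parameter contains wildcards or flag "extractarchive" is used';
-  SCompilerFilesParamRequiresFlag = 'Parameter "%s" may only be used when ' +
-    'the "%s" flag is used';
-  SCompilerFilesParamFlagConflict = 'Parameter "%s" may not be used when ' +
-    'the "%s" flag is used';
-  SCompilerFilesParamFlagConflictSameSource = 'Parameter "%s" may not be used when ' +
-    'the "%s" flag is used on the same source file';
+  SCompilerFilesParamRequiresFlag = 'Parameter "%s" may only be used when the "%s" flag is used';
+  SCompilerFilesParamFlagConflict = 'Parameter "%s" may not be used when the "%s" flag is used';
+  SCompilerFilesParamFlagConflictSameSource = 'Parameter "%s" and the "%s" flag cannot both be used on a single source file';
   SCompilerFilesExcludeTooLong = 'Parameter "Excludes" contains a pattern that is too long';
   SCompilerFilesUnsafeFile = 'Unsafe file detected: %s.' + SNewLine2 +
     'See the "Unsafe Files" topic in the help file for more information';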

+ 8 - 3
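--- a/Projects/Src/Compiler.SetupCompiler.pas
+++ b/Projects/Src/Compiler.SetupCompiler.pas
@@ -4997,10 +4997,15 @@ type
           NewFileLocationEntryExtraInfo^.Verification.Hash := NewFileEntry^.Verification.Hash;
           NewFileLocationEntryExtraInfo^.Verification.ISSigAllowedKeys := NewFileEntry^.Verification.ISSigAllowedKeys;
         end else begin
-          if not CompareMem(@NewFileLocationEntryExtraInfo^.Verification.Hash[0],
-             @NewFileEntry^.Verification.Hash[0], SizeOf(TSHA256Digest)) then
+          { Verification.Typ changes checked below }
+          if (NewFileLocationEntryExtraInfo^.Verification.Typ = fvHash) and
+             (NewFileEntry^.Verification.Typ = fvHash) and
+             not CompareMem(@NewFileLocationEntryExtraInfo^.Verification.Hash[0],
+               @NewFileEntry^.Verification.Hash[0], SizeOf(TSHA256Digest)) then
             AbortCompileFmt(SCompilerFilesValueConflict, ['Hash']);
-          if NewFileLocationEntryExtraInfo^.Verification.ISSigAllowedKeys <> NewFileEntry^.Verification.ISSigAllowedKeys then
+          if (NewFileLocationEntryExtraInfo^.Verification.Typ = fvISSig) and
+             (NewFileEntry^.Verification.Typ = fvISSig) and
+             (NewFileLocationEntryExtraInfo^.Verification.ISSigAllowedKeys <> NewFileEntry^.Verification.ISSigAllowedKeys) then
             AbortCompileFmt(SCompilerFilesValueConflict, ['ISSigAllowedKeys']);
         end;
         if Touch then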
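Review bot: Both conflict checks in the `else` branch now run only when the existing location entry and the new file entry have the same `Verification.Typ`, so a pairing such as `fvHash` against `fvISSig` (or, if it can occur, against `fvNone`) passes this code with no comparison at all. Whether that pairing is rejected depends entirely on the check the new comment calls "below", which is not visible in this hunk. Judging by the names, this is where a second [Files] entry is matched to an already-recorded file location, so a gap in that later check would leave the first entry's verification settings in force for both. I would make the comment state what is relied on, for example `{ A Verification.Typ mismatch between the two entries is rejected below; Hash and ISSigAllowedKeys are only compared when both entries use that type }`, and confirm the later check also covers an unverified entry meeting a verified one. The enclosing block starts and ends outside the hunk.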

+ 7 - 7
Projects/Src/Setup.Install.pas

@@ -2033,7 +2033,7 @@ var
         InternalError('Unexpected custom DestName');
         InternalError('Unexpected custom DestName');
       const DestDir = ExpandConst(CurFile^.DestName);
       const DestDir = ExpandConst(CurFile^.DestName);
 
 
-      var ISSigVerifySourceF: TFile := nil;
+      var VerifySourceF: TFile := nil;
       try
       try
         var FindData: TWin32FindData;
         var FindData: TWin32FindData;
         var H: TArchiveFindHandle := INVALID_HANDLE_VALUE;
         var H: TArchiveFindHandle := INVALID_HANDLE_VALUE;
@@ -2041,21 +2041,21 @@ var
         repeat
         repeat
           try
           try
             if CurFile^.Verification.Typ <> fvNone then begin
             if CurFile^.Verification.Typ <> fvNone then begin
+              if VerifySourceF = nil then
+                VerifySourceF := TFileRedir.Create(DisableFsRedir, ArchiveFilename, fdOpenExisting, faRead, fsRead);
               var ExpectedFileHash: TSHA256Digest;
               var ExpectedFileHash: TSHA256Digest;
               if CurFile^.Verification.Typ = fvHash then
               if CurFile^.Verification.Typ = fvHash then
                 ExpectedFileHash := CurFile^.Verification.Hash
                 ExpectedFileHash := CurFile^.Verification.Hash
               else begin
               else begin
-                if ISSigVerifySourceF = nil then
-                  ISSigVerifySourceF := TFileRedir.Create(DisableFsRedir, ArchiveFilename, fdOpenExisting, faRead, fsRead);
-                DoISSigVerify(ISSigVerifySourceF, nil, ArchiveFilename, CurFile^.Verification.ISSigAllowedKeys,
+                DoISSigVerify(VerifySourceF, nil, ArchiveFilename, CurFile^.Verification.ISSigAllowedKeys,
                 ExpectedFileHash);
                 ExpectedFileHash);
               end;
               end;
               { Can't get the SHA-256 while extracting so need to get and check it now }
               { Can't get the SHA-256 while extracting so need to get and check it now }
-              const ActualFileHash = GetSHA256OfFile(ISSigVerifySourceF);
+              const ActualFileHash = GetSHA256OfFile(VerifySourceF);
               if not SHA256DigestsEqual(ActualFileHash, ExpectedFileHash) then
               if not SHA256DigestsEqual(ActualFileHash, ExpectedFileHash) then
                 VerificationError(veFileHashIncorrect);
                 VerificationError(veFileHashIncorrect);
               Log(VerificationSuccessfulLogMessage);
               Log(VerificationSuccessfulLogMessage);
-              { Keeping ISSigVerifySourceF open until extraction has completed }
+              { Keep VerifySourceF open until extraction has completed to prevent TOCTOU problem }
             end;
             end;
 
 
             H := ArchiveFindFirstFileRedir(DisableFsRedir, ArchiveFilename, DestDir,
             H := ArchiveFindFirstFileRedir(DisableFsRedir, ArchiveFilename, DestDir,
@@ -2108,7 +2108,7 @@ var
           Log('Successfully extracted the archive.');
           Log('Successfully extracted the archive.');
         end;
         end;
       finally
       finally
-        ISSigVerifySourceF.Free;
+        VerifySourceF.Free;
       end;
       end;
     end;
     end;