fix: windows code signing #8084

Merged
filfreire merged 33 commits into develop from fix/ins-4561
Oct 16, 2024

@filfreire filfreire commented Oct 15, 2024

todo

windows codesigning process after merging this PR

The approach is:

  1. run package:windows:unpacked to bake windows-unpacked folder (which runs npm run build:app) with all common baked insomnia files
  2. codesign the .dll and .exe unpacked files (common to all installers) (using GitHub Actions intermediate steps that use SSL.com's esigner-codesign)
  3. run the package:windows:dist and point it to the same windows-unpacked folder (using electron-builder's --dir flag) for baking the temporary squirrel related files, signing with SSL.com's ci-images via customSign.js hook, bake the installer package, and sign that as well from hook.

debugging

found that Update.exe and Insomnia.exe (squirrel stub) are only available to codesign via hook

[image]

Solution

We use the container image for EV codesigner from a custom-hook during packaging.

Afterwards, both the Stub, Updater.exe and the installer are all code-signed in a single go:
[image]

(using upstream branch instead of fork to test, closed #8069)

gatzjames previously approved these changes Oct 15, 2024
@filfreire filfreire requested review from a team and gatzjames October 16, 2024 10:39
jackkav previously approved these changes Oct 16, 2024

@jackkav jackkav left a comment

maybe just add npm run build:app && for consistency, can do it in future if you need

Comment thread packages/insomnia/customSign.js
Comment thread packages/insomnia/electron-builder.config.js
@filfreire

@jackkav about:

maybe just add npm run build:app && for consistency, can do it in future if you need

We should not add it in this case. The approach is:

  • First we run package:windows:unpacked to bake windows-unpacked (which runs npm run build:app)
  • Then we codesign the .dll and .exe unpacked files (common to all installers)
  • Then we run the package:windows:dist and point it to the same windows-unpacked folder for baking the temporary squirrel related files, signing via customSign hook, bake the installer package, and sign that as well.

The unpacked files need to get codesigned in an intermediate step, and then we build the Squirrel package from the codesigned windows-unpacked folder for which we have already previously run build:app.

@filfreire filfreire requested review from a team and jackkav October 16, 2024 12:33
@filfreire filfreire enabled auto-merge (squash) October 16, 2024 12:41
@filfreire filfreire merged commit 8ddff9d into develop Oct 16, 2024
@filfreire filfreire deleted the fix/ins-4561 branch October 16, 2024 13:47
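
A verification check for the three-step flow described in this thread, as an added example that is not part of the PR or the Insomnia repository: it confirms every .exe and .dll in the unpacked folder carries a valid Authenticode signature after step 2, and optionally checks the installer after step 3. The script name, parameter names and paths are assumptions; only `Get-AuthenticodeSignature` and its documented properties are relied on.

```powershell
# Verify-Signatures.ps1 (hypothetical name): added example, not project code.
[CmdletBinding()]
param(
    # Assumed path to the windows-unpacked folder produced in step 1.
    [Parameter(Mandatory)] [string] $UnpackedDir,
    # Optional path to the installer produced in step 3 (assumption).
    [string] $InstallerPath
)

function Get-SignatureReport {
    param([string[]] $Files)
    foreach ($file in $Files) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            File        = $file
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject
            # An untimestamped signature stops validating when the cert expires.
            Timestamped = [bool] $sig.TimeStamperCertificate
        }
    }
}

# Collect the binaries that step 2 is expected to have signed.
$targets = @(Get-ChildItem -LiteralPath $UnpackedDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Select-Object -ExpandProperty FullName)

if ($InstallerPath) { $targets += (Resolve-Path -LiteralPath $InstallerPath).Path }

if ($targets.Count -eq 0) {
    Write-Error "No .exe or .dll files found under $UnpackedDir"
    exit 2
}

$report = @(Get-SignatureReport -Files $targets)
$bad    = @($report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })

# Summarise which certificates signed the tree, then list any failures.
$report | Group-Object Signer | Select-Object Count, Name | Format-Table -AutoSize
if ($bad.Count -gt 0) {
    $bad | Format-Table File, Status, Timestamped -AutoSize
    Write-Error "$($bad.Count) of $($report.Count) files are unsigned, invalid or untimestamped"
    exit 1
}
Write-Output "All $($report.Count) files have valid, timestamped signatures."
```

Because the thread notes that Update.exe and the Squirrel stub are only reachable from the signing hook, a check of the unpacked tree does not cover them; point `-UnpackedDir` at an installed copy to check those binaries as well.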