fix: add signExts configuration option to not sign .node files by…

… default (#7685)
electron-userland · Jul 24, 2023 · 78448af · 78448af
1 parent bd1b311
commit 78448af
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 3 deletions.
diff --git a/.changeset/sharp-jobs-chew.md b/.changeset/sharp-jobs-chew.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: allow explicit configuration on what additional files to sign. Do not sign .node files by default
diff --git a/docs/configuration/win.md b/docs/configuration/win.md
@@ -31,7 +31,8 @@ The top-level [win](configuration.md#Configuration-win) key contains set of opti
 <li><code id="WindowsConfiguration-verifyUpdateCodeSignature">verifyUpdateCodeSignature</code> = <code>true</code> Boolean - Whether to verify the signature of an available update before installation. The <a href="#publisherName">publisher name</a> will be used for the signature verification.</li>
 <li><code id="WindowsConfiguration-requestedExecutionLevel">requestedExecutionLevel</code> = <code>asInvoker</code> “asInvoker” | “highestAvailable” | “requireAdministrator” | “undefined” - The <a href="https://msdn.microsoft.com/en-us/library/6ad1fshk.aspx#Anchor_9">security level</a> at which the application requests to be executed. Cannot be specified per target, allowed only in the <code>win</code>.</li>
 <li><code id="WindowsConfiguration-signAndEditExecutable">signAndEditExecutable</code> = <code>true</code> Boolean - Whether to sign and add metadata to executable. Advanced option.</li>
-<li><code id="WindowsConfiguration-signDlls">signDlls</code> = <code>false</code> Boolean - Whether to sign DLL files. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384">https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384</a></li>
+<li tag.description=""><code id="WindowsConfiguration-signDlls">signDlls</code> = <code>false</code> Boolean - Whether to sign DLL files. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384">https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384</a> Deprecated:</li>
+<li><code id="WindowsConfiguration-signExts">signExts</code> Array&lt;String&gt; | “undefined” - Explicit file extensions to also sign. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/7329">https://github.com/electron-userland/electron-builder/issues/7329</a></li>
 </ul>
 
 <!-- end of generated block -->

diff --git a/netlify-docs.sh b/netlify-docs.sh
@@ -2,6 +2,7 @@
 pip3 install pipenv
 pipenv install
 echo "Installing pnpm"
-npx pnpm install --store=./node_modules/.pnpm-store
+npm i -g pnpm@latest-7
+pnpm install --store=./node_modules/.pnpm-store
 echo "Building site docs"
 mkdocs build
diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
@@ -6340,6 +6340,21 @@
           "description": "Whether to sign DLL files. Advanced option.",
           "type": "boolean"
         },
+        "signExts": {
+          "anyOf": [
+            {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "default": null,
+          "description": "Explicit file extensions to also sign. Advanced option."
+        },
         "signingHashAlgorithms": {
           "anyOf": [
             {

diff --git a/packages/app-builder-lib/src/options/winOptions.ts b/packages/app-builder-lib/src/options/winOptions.ts
@@ -96,8 +96,16 @@ export interface WindowsConfiguration extends PlatformSpecificBuildOptions {
    * Whether to sign DLL files. Advanced option.
    * @see https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384
    * @default false
+   * @deprecated Use `signExts` instead for more explicit control
    */
   readonly signDlls?: boolean
+
+  /**
+   * Explicit file extensions to also sign. Advanced option.
+   * @see https://github.com/electron-userland/electron-builder/issues/7329
+   * @default null
+   */
+  readonly signExts?: string[] | null
 }
 
 export type RequestedExecutionLevel = "asInvoker" | "highestAvailable" | "requireAdministrator"
diff --git a/packages/app-builder-lib/src/winPackager.ts b/packages/app-builder-lib/src/winPackager.ts
@@ -355,7 +355,8 @@ export class WinPackager extends PlatformPackager<WindowsConfiguration> {
 
   private shouldSignFile(file: string): boolean {
     const shouldSignDll = this.platformSpecificBuildOptions.signDlls === true && file.endsWith(".dll")
-    return shouldSignDll || file.endsWith(".exe") || file.endsWith(".node")
+    const shouldSignExplicit = !!this.platformSpecificBuildOptions.signExts?.some(ext => file.endsWith(ext))
+    return shouldSignDll || shouldSignExplicit || file.endsWith(".exe")
   }
 
   protected createTransformerForExtraFiles(packContext: AfterPackContext): FileTransformer | null {