feat: Provide a custom verify function interface in NsisUpdater for n…

…ative verification of nsis signatures (#7337)
electron-userland · Jan 6, 2023 · 9c0c422 · 9c0c422
1 parent 7566c98
commit 9c0c422
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 2 deletions.
diff --git a/.changeset/slow-avocados-carry.md b/.changeset/slow-avocados-carry.md
@@ -0,0 +1,5 @@
+---
+"electron-updater": minor
+---
+
+feat: Provide a custom verify function interface to enable nsis signature verification alternatives instead of powershell
diff --git a/docs/configuration/win.md b/docs/configuration/win.md
@@ -58,6 +58,49 @@ exports.default = async function(configuration) {
 }
 ```
 
+#### How do use a custom verify function to enable nsis signature verification alternatives instead of powershell?
+
+Use the `verifyUpdateCodeSignature` interface:
+
+```js
+/**
+*  return null if verify signature succeed
+*  return error message if verify signature failed
+*/
+export type verifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise<string | null>
+```
+
+Pass a custom verify function to the nsis updater. For example, if you want to use a native verify function, you can use [win-verify-signature](https://github.com/beyondkmp/win-verify-trust).
+
+
+```js
+import { NsisUpdater } from "electron-updater"
+import { verifySignatureByPublishName } from "win-verify-signature"
+// Or MacUpdater, AppImageUpdater
+
+export default class AppUpdater {
+    constructor() {
+        const options = {
+            requestHeaders: {
+                // Any request headers to include here
+            },
+            provider: 'generic',
+            url: 'https://example.com/auto-updates'
+        }
+
+        const autoUpdater = new NsisUpdater(options)
+        autoUpdater.verifyUpdateCodeSignature = (publisherName: string[], path: string) => {
+            const result = verifySignatureByPublishName(path, publisherName);
+            if(result.signed) return Promise.resolve(null);
+            return Promise.resolve(result.message);
+        }
+        autoUpdater.addAuthHeader(`Bearer ${token}`)
+        autoUpdater.checkForUpdatesAndNotify()
+    }
+}
+```
+
+
 #### How do create Parallels Windows 10 Virtual Machine?
 
 !!! warning "Disable "Share Mac user folders with Windows""

diff --git a/packages/electron-updater/src/NsisUpdater.ts b/packages/electron-updater/src/NsisUpdater.ts
@@ -6,7 +6,7 @@ import { BaseUpdater, InstallOptions } from "./BaseUpdater"
 import { DifferentialDownloaderOptions } from "./differentialDownloader/DifferentialDownloader"
 import { FileWithEmbeddedBlockMapDifferentialDownloader } from "./differentialDownloader/FileWithEmbeddedBlockMapDifferentialDownloader"
 import { GenericDifferentialDownloader } from "./differentialDownloader/GenericDifferentialDownloader"
-import { DOWNLOAD_PROGRESS, ResolvedUpdateFileInfo } from "./main"
+import { DOWNLOAD_PROGRESS, ResolvedUpdateFileInfo, verifyUpdateCodeSignature } from "./main"
 import { blockmapFiles } from "./util"
 import { findFile, Provider } from "./providers/Provider"
 import { unlink } from "fs-extra"
@@ -25,6 +25,23 @@ export class NsisUpdater extends BaseUpdater {
     super(options, app)
   }
 
+  protected _verifyUpdateCodeSignature: verifyUpdateCodeSignature = (publisherNames: Array<string>, unescapedTempUpdateFile: string) =>
+    verifySignature(publisherNames, unescapedTempUpdateFile, this._logger)
+
+  /**
+   * The verifyUpdateCodeSignature. You can pass [win-verify-signature](https://github.com/beyondkmp/win-verify-trust) or another custom verify function: ` (publisherName: string[], path: string) => Promise<string | null>`.
+   * The default verify function uses [windowsExecutableCodeSignatureVerifier](https://github.com/electron-userland/electron-builder/blob/master/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts)
+   */
+  get verifyUpdateCodeSignature(): verifyUpdateCodeSignature {
+    return this._verifyUpdateCodeSignature
+  }
+
+  set verifyUpdateCodeSignature(value: verifyUpdateCodeSignature) {
+    if (value) {
+      this._verifyUpdateCodeSignature = value
+    }
+  }
+
   /*** @private */
   protected doDownloadUpdate(downloadUpdateOptions: DownloadUpdateOptions): Promise<Array<string>> {
     const provider = downloadUpdateOptions.updateInfoAndProvider.provider
@@ -101,7 +118,7 @@ export class NsisUpdater extends BaseUpdater {
       }
       throw e
     }
-    return await verifySignature(Array.isArray(publisherName) ? publisherName : [publisherName], tempUpdateFile, this._logger)
+    return await this._verifyUpdateCodeSignature(Array.isArray(publisherName) ? publisherName : [publisherName], tempUpdateFile)
   }
 
   protected doInstall(options: InstallOptions): boolean {

diff --git a/packages/electron-updater/src/main.ts b/packages/electron-updater/src/main.ts
@@ -138,3 +138,8 @@ export interface Logger {
 
   debug?(message: string): void
 }
+
+// return null if verify signature succeed
+// return error message if verify signature failed
+
+export type verifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise<string | null>