How to Ignore 3rd party exe while doing code sign #6304

Closed
ramkirsr opened this issue Sep 29, 2021 · 13 comments
@ramkirsr

  • Electron-Builder Version: 22.11.7
  • Node Version: v14.18.0
  • Electron Version: v11.5.0
  • Electron Type (current, beta, nightly): current
  • Target: windows

We are creating an electron app using the electron zoom sdk. When we bundle the app using electron builder, it signs all the dependency exe files, because of which the zoom sdk is not working properly.

I have tried manual signing -> electron builder is not allowing auto update, throwing the signature mismatch error.

Basically,

  1. I want to know, is there a way to skip signing a folder?

  2. What is the format electron builder uses for code signing, so that I can do manual signing and release the build?

@ramkirsr
Author

Please update us, it's quite critical.

@ramkirsr ramkirsr changed the title Ignore 3rd party exe while doing code sign How to Ignore 3rd party exe while doing code sign Oct 1, 2021
@mmaietta
Collaborator

mmaietta commented Oct 1, 2021

Looks like you should be able to set signIgnore: [array of regexes] to

mac: {
  // signIgnore entries are regex source strings, so the dot needs a doubled backslash
  signIgnore: ["\\.exe$"]
}

// how app-builder-lib normalises the option into a list of RegExp objects
let filter = options.signIgnore
if (Array.isArray(filter)) {
  if (filter.length == 0) {
    filter = null
  }
} else if (filter != null) {
  filter = filter.length === 0 ? null : [filter]
}
const filterRe = filter == null ? null : filter.map(it => new RegExp(it))

Haven't tried this myself, though.


@ramkirsr
Author

ramkirsr commented Oct 1, 2021

@mmaietta Thanks for your kind support. In my use case I am generating the build for Windows.

@mmaietta
Collaborator

mmaietta commented Oct 2, 2021

Ah, my apologies, not sure how I misread that.

Well, looking at signtool.exe, it doesn't have any built-in manner with which to exclude specific files.
https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

You'll probably need to override windows signing and use your own custom signing mechanism/process via:

win: {
  sign: async (config: WindowsSignTaskConfiguration) => {
    // custom per-file signing logic goes here
  }
}

@ramkirsr
Author

ramkirsr commented Oct 3, 2021

@mmaietta Thanks a lot for your kind response.
I have tried using signtool to sign the exe, but when I tried to push the upgrade, a signature mismatch error happened and the upgrade failed. Do we have anything like: what sign params are used by electron builder, and how are they verifying the signature at the time of upgrade?

@mmaietta
Collaborator

mmaietta commented Oct 3, 2021

This is the signing arg compilation:

// on windows be aware of http://stackoverflow.com/a/32640183/1910191
function computeSignToolArgs(options: WindowsSignTaskConfiguration, isWin: boolean, vm: VmManager = new VmManager()): Array<string> {
  const inputFile = vm.toVmFile(options.path)
  const outputPath = isWin ? inputFile : getOutputPath(inputFile, options.hash)
  if (!isWin) {
    options.resultOutputPath = outputPath
  }
  const args = isWin ? ["sign"] : ["-in", inputFile, "-out", outputPath]
  if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
    const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com"
    if (isWin) {
      // sha256 (or nested) signatures get an RFC 3161 server via /tr, sha1 uses the legacy /t server
      args.push(
        options.isNest || options.hash === "sha256" ? "/tr" : "/t",
        options.isNest || options.hash === "sha256" ? options.options.rfc3161TimeStampServer || "http://timestamp.digicert.com" : timestampingServiceUrl
      )
    } else {
      args.push("-t", timestampingServiceUrl)
    }
  }
  // ... rest of the function omitted in this excerpt
}

Signature verification cmd:

`Get-AuthenticodeSignature '${tempUpdateFile}' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }`,

@ramkirsr
Author

ramkirsr commented Oct 4, 2021

@mmaietta I have written a custom script to sign only my exe; please verify whether the code is proper.

const Path = require("path")
// the signtool path contains spaces, so it is wrapped in quotes for the shell
const signtool = '"C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x64/signtool.exe"'

// custom win.sign hook: only our own "tribyte*" binaries are signed, third-party exes are left untouched
module.exports = async function (configuration) {
  const name = Path.basename(configuration.path).toLowerCase()

  if (name.startsWith("tribyte") && configuration.hash == "sha1") {
    // note: /p puts the certificate password on the command line, where process listings can see it
    require("child_process").execSync(
      `${signtool} sign /${configuration.hash} ${configuration.sha1_thumbprint} /v /f "${configuration.cscInfo.file}" /p ${configuration.cscInfo.password} /fd ${configuration.hash} /t http://timestamp.digicert.com /td ${configuration.hash} "${configuration.path}"`,
      { stdio: "inherit" }
    )
  } else if (name.startsWith("tribyte") && configuration.hash == "sha256") {
    // second (appended, /as) signature with an RFC 3161 timestamp
    require("child_process").execSync(
      `${signtool} sign /sha1 ${configuration.sha1_thumbprint} /as /v /f "${configuration.cscInfo.file}" /p ${configuration.cscInfo.password} /fd ${configuration.hash} /tr http://timestamp.comodoca.com/rfc3161 /td ${configuration.hash} "${configuration.path}"`,
      { stdio: "inherit" }
    )
  }
}

@mmaietta
Collaborator

I didn't (and won't) test that, but it seems a bit complex. I see it simplified to:

if (Path.basename(configuration.path).toLowerCase().startsWith("tribyte")) {
  // RFC 3161 server (/tr) for sha256, legacy Authenticode server (/t) for sha1
  const serverConfig = configuration.hash == "sha256" ? '/tr http://timestamp.comodoca.com/rfc3161' : '/t http://timestamp.digicert.com'

  const cmd = `${signtool} sign /sha1 ${configuration.sha1_thumbprint} /as /v /f "${configuration.cscInfo.file}" /p ${configuration.cscInfo.password} /fd ${configuration.hash} ${serverConfig} /td ${configuration.hash} "${configuration.path}"`

  require("child_process").execSync(cmd, { stdio: 'inherit' })
}

In the script, I noticed that the comodoca URL has a /tr entry, while the digicert URL uses /t. That's the only difference I saw between the two flows, not sure if that was intended.

@minht11

minht11 commented Mar 3, 2022

For anyone still looking for how to exclude some files from Windows signing without using a custom sign tool, here is a custom script. WIN_CSC_LINK and WIN_CSC_KEY_PASSWORD need to be set as env variables.

const path = require('path')
const { doSign } = require('app-builder-lib/out/codeSign/windowsCodeSign')

/**
 * @type {import("electron-builder").CustomWindowsSign} sign
 */
module.exports = async function sign(config, packager) {
  // Do not sign if no certificate is provided.
  if (!config.cscInfo) {
    return
  }

  const targetPath = config.path

  const ext = path.extname(targetPath)
  const baseName = path.basename(targetPath, ext)

  // Do not sign the elevate file, because that triggers a virus warning.
  if (targetPath.endsWith('elevate.exe')) {
    return
  }

  // Only sign our own DLL files.
  if (ext === '.dll' && !baseName.toLowerCase().startsWith('mylib')) {
    return
  }

  await doSign(config, packager)
}

@stale

stale bot commented May 2, 2022

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label May 2, 2022
@serg06

serg06 commented May 2, 2022

@minht11 Can you please explain how to connect that script to the build process?

@stale stale bot removed the backlog label May 2, 2022
@mmaietta
Collaborator

mmaietta commented May 2, 2022

@serg06, in your electron-builder config:

{
  win: {
    sign: "path to sign.js"
  }
}

Ref: sign https://www.electron.build/configuration/win
