Unable to sign NSIS #7973
Comments
|
Are you able to repro this on a local dev environment? Wondering if it's CI-specific |
|
@mmaietta Indeed, I just set it up locally and it also won't work bare on macOS. I compared it to another project and the second SHA256 signing is not working. The passphrase hash is equal to the one in the project in question, so I am 100% sure the password is correct, also the SHA1 based signature is working. Here the log with |
idoodler
changed the title
|
Hmmm, I haven't seen this issue before and the signing code hasn't changed in a very long time that could impact this (I'm not familiar with any changes to this area of code since I first joined as a maintainer for this project years ago during COVID). I'd be more worried if this was a widespread issue, especially since there's unit tests for windows code signing, albeit it uses a self-signed cert. I'll need to check which GHA runners are being used for that test once I'm no longer swamped with work |
|
Thanks to both of you for your contributions here. I wonder if there's any update on this from either end? I'm looking at potentially buying some hardware and setting up a dedicated machine for local GitHub Actions including building/signing for Windows (including |
|
@slapbox I didn't further investigate this as i currently have to prioritize other things at work. Tho I'd definitely like to help investigate this if someone needs information. |
|
Curious, instead of the env vars (wondering if there's some parsing issue there), can you try providing your env config directly into the Windows Options build configuration? electron-builder/packages/app-builder-lib/src/options/winOptions.ts Lines 35 to 44 in 04f5784 I checked the CI and it only tests Windows code signing on a Windows GHA runner, so I might need to extend that to also test on Linux for this (probably standard) use case. |
|
Bingo, I think I can investigate further from here. But maybe a minimum reproducible repo would also help as the unit tests are super complex and a vanilla repo would probably really help here. Would you be willing to put one together? |
|
Can you give this I think what |
|
Thanks for investigating this @mmaietta! Is there any potential harm in using that script when building natively on Windows? We're at sort of a transitional stage between native builds and Docker builds. |
|
Oh. In that case, just use this for now I don't know the impact to the production distributable though with |
|
If ☝️ works for signing on Docker Wine (you'll have to test the production distributable locally on your own OS versions you normally test on), then I think I fixed it: |
|
Fwiw I finally got a prototype Docker build container working and signing was not an issue for us with NSIS. We don't currently build We built using |
|
I realize I was unclear - we did not have to make any changes to anything to get codesign working. I'm not certain of the |
|
Wait, can you confirm whether we need this? I still saw |
|
Since those are unmerged I assume that my success didn't rely on them. Just to note, I'm not OP and he may still face the issue. I only just happened to start experimenting with Docker builds at the time this issue was filed. I can confirm you that codesign worked for us with the Below are just some stabs in the dark: I ask because of this:
@idoodler does your I wonder if there are multiple valid key file extensions? We used |
|
@slapbox I will try to verify it by changing Regarding the It obviously doesn't look exactly like this, I do have the following keys defined The currently running project uses a very old version |
|
I just tried it with |
|
Could the package name be an issue? The name includes an organization, like I trued to change that setting a |
|
I had the same error with 24.12.0 (NOT THE DOCKERIZED VERSION) |
|
@cZalyun I just pinned |
|
We just upgraded from 24.9.1 to 24.12.0 and see an identical error. We do not use docker and are building on latest macOS. Reverting to 24.9.1 does fix the issue for us. |
|
Okay, will investigate this asap. Can someone provide me a minimum reproducible repo in case I can't reproduce locally? Related note, if I provide a |
|
I am willing to try a My And the relevant part of my "win": {
"target": [
{
"target": "nsis",
"arch": [
"x64"
]
}
],
"artifactName": "${productName}_${version}.${ext}"
},
"nsis": {
"oneClick": false,
"perMachine": false,
"allowToChangeInstallationDirectory": true,
"deleteAppDataOnUninstall": false
} |
|
I'd also be willing to test any patches. Locally I am able to build it tho. The issue only appears on our buildserver when utilizing the docker image |
|
As a workaround I am now building NSIS on a Mac Studio M2 Max, our new macOS buildserver. Tho I had to use |
|
Actually, you may be able to test this without a patch-package using a Add to Anyone willing to give it a shot? I'll continue reviewing the (massive) diff between the versions to see if anything sticks out to me |
|
It doesn't appear that changing the config there is respected... I used a modified version that prints the values: module.exports = async function sign(config, packager) {
config.isNest = process.platform === 'win32' ? config.isNest : false;
console.log({ platform: process.platform, isNest: config.isNest });
await doSign(config, packager)
} |
|
Thanks for checking! I'll continue my debugging |
|
Fixed in v24.13.3 |
|
Thanks @mmaietta, It fails with: |
|
Hmmm, I'll check docker For the mac dmg, please create a separate issue and post logs with DEBUG=electron-builder and your notarization config |
|
Update: I can't test or reproduce on mac arm64 because electron-builder-binaries asset I'll need to see if I can get it running on a Windows machine, since even a Windows VM won't work on my laptop. Running within the wine docker image on the GH CI returns this error, which doesn't align with your @idoodler , what was the last electron-builder version and/or docker image this was working for you? |
|
@mmaietta Currently I am running the following config:
I also encountered that issue with |
|
Thanks for the additional info. Was there a previous version that this was working on? I'm trying to git bisect/diff changes to identify how long this issue has been present. The fact that I can't get the Github CI to trigger the same error worries me as that makes it even harder to debug/reproduce or even write a unit test for. |
|
@mmaietta With that project I wasn't able to build NSIS on Docker with a certificate. I always got that error message. "Bare Mettal" on a macOS machine works however. At firt I thought it is because we only have Apple ARM Macs here in the company, thats why we bought the Intel Machine we then set up as a Gitlab docker runner. Do you need any logs I may be able to find some time to prepare a minimal project where the issue occures. |
|
Yes, a minimal project would be immensely helpful! 🙂 I'd also really like to know if this was working previously in an earlier version of electron-builder, something I can render a git diff with as my only intel machine is my Windows gaming rig |
I am tryingg to build our Windows app in Docker, however I am always getting the following signing error:
We are using gitlab, here is the part ofthe
.gitlab.ymlI first thought that the password of the Certificate file is wrong, but it is verified and correct. We are using the
electron-builder.envfile in the projects root directory which is downloaded by the build script. As a key for the Certificate File I am usingWIN_CSC_KEY_PASSWORDThe job is executed on a Debian Machine
The text was updated successfully, but these errors were encountered: