Missing code signing for esbuild.exe binary #1561

Closed
minijus opened this issue Aug 30, 2021 · 6 comments

@minijus

minijus commented Aug 30, 2021

In some organizations Windows is configured with restricted profiles where only known executables are allowed to run. There are a couple of ways to identify an executable that is allowed to run: (1) the hash of the binary, or (2) details from the code signature, such as the name and actual public key.

Allowing executables to run by binary hash is a headache in terms of managing updates, since every version update requires manually extracting the executable, hashing it, and finally creating a new exception rule. Thus, having a code signature on the executable is very much preferred; it allows creating an exception rule that permits running any version of the binary as long as it is signed by a trusted publisher.

Issue #1151, I believe, is exactly what blocked execution of esbuild.exe looks like today. I am getting the same error on my corporate machine, where I know that execution is blocked.


For some more context, here is a similar issue in Cypress that was addressed some time ago: cypress-io/cypress#2543

@evanw
Owner

evanw commented Aug 31, 2021

I understand the request. However, I think this might not be something that I end up doing. It looks like it both costs money and requires a Windows machine, and I both don't want to spend my money on this and I don't have a Windows machine.

One potential way to work around your IT department's restrictive rules is to use the esbuild-wasm package instead of the esbuild package. I assume that this will bypass their restrictions and will let you run unsigned code on your machine.

@minijus
Author

minijus commented Aug 31, 2021

Thank you for the reply. I absolutely understand your position; I would love to have the option of not dealing with the Windows environment myself :)

In our company, esbuild came in as a dependency of the latest version of Angular. From what I understand, the Angular team was working hard on introducing esbuild to improve build performance, and that is awesome. However, there might be a number of companies (bigger corporates) using Angular and having restricted Windows profiles that prevent esbuild from running.

@IgorMinar @alxhub is this issue something that could be addressed from Angular? Would it be possible to provide an option to switch to esbuild-wasm? Would the Angular team be interested in supporting esbuild so that executables would be code signed?

@IgorMinar

@minijus please file an issue against @angular/angular-cli. Maybe we could prefer esbuild-wasm over esbuild if it's installed in your project. File an issue describing the problem and suggesting esbuild-wasm as a potential solution and we'll take a look. Thanks.

@minijus
Author

minijus commented Sep 24, 2021

@evanw would it be possible to introduce an option to set a custom mirror URL for binaries? Having it would allow us to intercept the request for the binary package and add code signing.

@evanw
Owner

evanw commented Sep 24, 2021

It's not documented or well-tested but there is the ESBUILD_BINARY_PATH environment variable override. This is what is used for running esbuild's own tests and a few other people are using it as well. Specify that either when installing or when running esbuild and the binary executable at that path will be used instead of the original binary executable.
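
One way to combine the publisher-based allow rule requested in this thread with the ESBUILD_BINARY_PATH override is to re-sign a vetted copy of the binary internally and verify it before use. The PowerShell below is an added example, not code from the esbuild project or from any commenter; the parameter names, file paths and certificate thumbprint are assumptions supplied by the caller.

```powershell
# Added example: re-sign a vetted esbuild.exe with an internal code-signing
# certificate, verify the result, and hand it to esbuild via ESBUILD_BINARY_PATH.
# All parameter values are caller-supplied assumptions, not values from the issue.
param(
    [Parameter(Mandatory)] [string] $SourceBinary,      # reviewed upstream esbuild.exe
    [Parameter(Mandatory)] [string] $SignedBinary,      # destination covered by the publisher rule
    [Parameter(Mandatory)] [string] $SignerThumbprint,  # organization's code-signing certificate
    [string] $ExpectedSha256,                           # optional pin for the upstream file
    [string] $TimestampServer                           # optional timestamp service URL
)
$ErrorActionPreference = 'Stop'

# 1. Optionally confirm the upstream file is the one that was reviewed.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -LiteralPath $SourceBinary -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "SHA-256 mismatch: got $actual" }
}

# 2. Locate the signing certificate in the current user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $SignerThumbprint | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with thumbprint $SignerThumbprint" }

# 3. Sign a copy outside node_modules so a reinstall does not replace it.
Copy-Item -LiteralPath $SourceBinary -Destination $SignedBinary -Force
$signArgs = @{ FilePath = $SignedBinary; Certificate = $cert; HashAlgorithm = 'SHA256' }
if ($TimestampServer) { $signArgs.TimestampServer = $TimestampServer }
Set-AuthenticodeSignature @signArgs | Out-Null

# 4. Verify: the signature must be valid and made by the expected certificate.
$sig = Get-AuthenticodeSignature -FilePath $SignedBinary
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $SignerThumbprint) {
    throw 'Binary was signed by an unexpected certificate'
}

# 5. Use the signed copy for this session (applies to install and run).
$env:ESBUILD_BINARY_PATH = (Resolve-Path -LiteralPath $SignedBinary).Path
Write-Host "ESBUILD_BINARY_PATH=$env:ESBUILD_BINARY_PATH"
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
```

The signature only verifies as `Valid` on machines that trust the signing certificate's chain, so the allow rule and the certificate trust have to be deployed together.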

@evanw
Owner

evanw commented Jan 6, 2022

I'm closing this issue because I don't plan on working on this.
