From 314a5baada1025b3039d1b26658867cbbebc751f Mon Sep 17 00:00:00 2001
From: Isaiah Inuwa <iinuwa@bitwarden.com>
Date: Mon, 12 Jan 2026 13:19:46 -0600
Subject: [PATCH] Sign Appx in CI (#17975)

Changes the publisher to match the Bitwarden signing certificate, and allows
signing of .appx files.

Also removes unused certificateSubjectName parameters from package.json
---
 apps/desktop/electron-builder.beta.json | 4 +++-
 apps/desktop/electron-builder.json      | 4 +++-
 apps/desktop/package.json               | 6 +++---
 apps/desktop/sign.js                    | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/apps/desktop/electron-builder.beta.json b/apps/desktop/electron-builder.beta.json
index 2d7d76827f1..3e1ca673c3c 100644
--- a/apps/desktop/electron-builder.beta.json
+++ b/apps/desktop/electron-builder.beta.json
@@ -1,4 +1,6 @@
 {
+  "$schema": "https://raw.githubusercontent.com/electron-userland/electron-builder/master/packages/app-builder-lib/scheme.json",
+
   "extraMetadata": {
     "name": "bitwarden-beta"
   },
@@ -62,7 +64,7 @@
     "customManifestPath": "./custom-appx-manifest.xml",
     "applicationId": "BitwardenBeta",
     "identityName": "8bitSolutionsLLC.BitwardenBeta",
-    "publisher": "CN=14D52771-DE3C-4886-B8BF-825BA7690418",
+    "publisher": "CN=Bitwarden Inc., O=Bitwarden Inc., L=Santa Barbara, S=California, C=US, SERIALNUMBER=7654941, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US",
     "publisherDisplayName": "Bitwarden Inc",
     "languages": [
       "en-US",
diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index c42c3cc4202..83bd2921551 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -1,4 +1,6 @@
 {
+  "$schema": "https://raw.githubusercontent.com/electron-userland/electron-builder/master/packages/app-builder-lib/scheme.json",
+
   "extraMetadata": {
     "name": "bitwarden"
   },
@@ -176,7 +178,7 @@
     "customManifestPath": "./custom-appx-manifest.xml",
     "applicationId": "bitwardendesktop",
     "identityName": "8bitSolutionsLLC.bitwardendesktop",
-    "publisher": "CN=14D52771-DE3C-4886-B8BF-825BA7690418",
+    "publisher": "CN=Bitwarden Inc., O=Bitwarden Inc., L=Santa Barbara, S=California, C=US, SERIALNUMBER=7654941, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US",
     "publisherDisplayName": "Bitwarden Inc",
     "languages": [
       "en-US",
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 93d016f8791..ad20e7c0e69 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -48,8 +48,8 @@
     "pack:mac:mas": "npm run clean:dist && npm run build:macos-extension:mas && electron-builder --mac mas --universal -p never",
     "pack:mac:masdev": "npm run clean:dist && npm run build:macos-extension:masdev && electron-builder --mac mas-dev --universal -p never",
     "pack:local:mac": "npm run clean:dist && npm run build:macos-extension:masdev && electron-builder --mac mas-dev --universal -p never -c.mac.provisioningProfile=\"\" -c.mas.provisioningProfile=\"\"",
-    "pack:win": "npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p never -c.win.signtoolOptions.certificateSubjectName=\"8bit Solutions LLC\"",
-    "pack:win:beta": "npm run clean:dist && electron-builder --config electron-builder.beta.json --win --x64 --arm64 --ia32 -p never -c.win.signtoolOptions.certificateSubjectName=\"8bit Solutions LLC\"",
+    "pack:win": "npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p never",
+    "pack:win:beta": "npm run clean:dist && electron-builder --config electron-builder.beta.json --win --x64 --arm64 --ia32 -p never",
     "pack:win:ci": "npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p never",
     "dist:dir": "npm run build && npm run pack:dir",
     "dist:lin": "npm run build && npm run pack:lin",
@@ -62,7 +62,7 @@
     "publish:lin": "npm run build && npm run clean:dist && electron-builder --linux --x64 -p always",
     "publish:mac": "npm run build && npm run clean:dist && electron-builder --mac -p always",
     "publish:mac:mas": "npm run dist:mac:mas && npm run upload:mas",
-    "publish:win": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always -c.win.signtoolOptions.certificateSubjectName=\"8bit Solutions LLC\"",
+    "publish:win": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always",
     "publish:win:dev": "npm run build:dev && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always",
     "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --apiKey $APP_STORE_CONNECT_AUTH_KEY --apiIssuer $APP_STORE_CONNECT_TEAM_ISSUER",
     "test": "jest",
diff --git a/apps/desktop/sign.js b/apps/desktop/sign.js
index b8da98a882b..f115e9b8097 100644
--- a/apps/desktop/sign.js
+++ b/apps/desktop/sign.js
@@ -3,7 +3,7 @@ const child_process = require("child_process");
 
 exports.default = async function (configuration) {
   const ext = configuration.path.split(".").at(-1);
-  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ext == "exe") {
+  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ["exe", "appx"].includes(ext)) {
     console.log(`[*] Signing file: ${configuration.path}`);
     child_process.execFileSync(
       "azuresigntool",