From 60c32b4bcd74864017a83d7802ceeae96fe7b5da Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 23 Feb 2026 16:59:48 -0500
Subject: [PATCH] Test

---
 apps/desktop/scripts/after-pack.js | 60 ++++++++++++++++++++++++++++++
 apps/desktop/sign.js | 7 +---
 2 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/apps/desktop/scripts/after-pack.js b/apps/desktop/scripts/after-pack.js
index 091a9ce951e..a4c47a79c7b 100644
--- a/apps/desktop/scripts/after-pack.js
+++ b/apps/desktop/scripts/after-pack.js
@@ -35,6 +35,10 @@ async function run(context) {
     console.log("Copied memory-protection wrapper script");
   }
 
+  if (context.electronPlatformName === "win32") {
+    await signWindowsFiles(context.appOutDir);
+  }
+
   if (["darwin", "mas"].includes(context.electronPlatformName)) {
     const is_mas = context.electronPlatformName === "mas";
     const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
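Review bot: The new win32 branch gives no hint that it is now the only place bundled .dll/.node files are signed (sign.js in this same commit stops handling those extensions), so a reader of after-pack.js alone cannot tell why native-module signing lives in afterPack rather than in the electron-builder sign hook. Add `// Sign bundled .dll/.node files here; sign.js only covers the top-level exe/appx.` above the `if`. `run` starts and ends outside this hunk.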
@@ -104,6 +108,62 @@ async function run(context) {
   }
 }
 
+async function signWindowsFiles(appOutDir) {
+  const isAzure = parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1;
+  const certFile = process.env.ELECTRON_BUILDER_SIGN_CERT;
+
+  if (!isAzure && !certFile) return;
+
+  const exts = new Set(["dll", "node"]);
+  const files = collectFiles(appOutDir, exts);
+
+  if (files.length === 0) return;
+
+  if (isAzure) {
+    console.log(`[*] Signing ${files.length} DLL/node files via Azure Key Vault`);
+    child_process.execFileSync(
+      "azuresigntool",
+      // prettier-ignore
+      [
+        "sign", "-v",
+        "-kvu", process.env.SIGNING_VAULT_URL,
+        "-kvi", process.env.SIGNING_CLIENT_ID,
+        "-kvt", process.env.SIGNING_TENANT_ID,
+        "-kvs", process.env.SIGNING_CLIENT_SECRET,
+        "-kvc", process.env.SIGNING_CERT_NAME,
+        "-fd", "sha256",
+        "-tr", "http://timestamp.digicert.com",
+        ...files,
+      ],
+      { stdio: "inherit" },
+    );
+  } else {
+    const certPw = process.env.ELECTRON_BUILDER_SIGN_CERT_PW;
+    if (!certPw) throw new Error("ELECTRON_BUILDER_SIGN_CERT_PW must be set");
+    for (const f of files) {
+      console.log(`[*] Signing file: ${f}`);
+      child_process.execFileSync(
+        "signtool.exe",
+        ["sign", "/fd", "SHA256", "/a", "/f", certFile, "/p", certPw, f],
+        { stdio: "inherit" },
+      );
+    }
+  }
+}
+
+function collectFiles(dir, exts) {
+  const results = [];
+  for (const entry of fse.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...collectFiles(full, exts));
+    } else if (exts.has(entry.name.split(".").at(-1))) {
+      results.push(full);
+    }
+  }
+  return results;
+}
+
 // Partially based on electron-builder code:
 // https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
 // https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts
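Review bot: `collectFiles` compares the raw extension, so a `Foo.DLL` or `x.NODE` under appOutDir is silently left unsigned even though Windows treats extensions case-insensitively, which is exactly the gap this function exists to close; use `} else if (exts.has(entry.name.split(".").at(-1).toLowerCase())) {`. In the Azure branch of `signWindowsFiles`, an unset `SIGNING_*` variable reaches `execFileSync` as `undefined` and fails with an argument-type error rather than naming the missing variable, unlike the cert branch which checks `ELECTRON_BUILDER_SIGN_CERT_PW` up front; a loop over `["SIGNING_VAULT_URL", "SIGNING_CLIENT_ID", "SIGNING_TENANT_ID", "SIGNING_CLIENT_SECRET", "SIGNING_CERT_NAME"]` with `if (!process.env[v]) throw new Error(v + " must be set");` before the call would keep the two branches consistent. All collected paths go into one azuresigntool argv, which is fine for the current tree but will need batching if the set of native binaries ever grows toward the Windows command-line limit. Note also that the Key Vault client secret and the PFX password travel as command-line arguments, where other processes on the build host can read them; that mirrors the existing sign.js rather than being new here, but it is worth keeping in mind for runner isolation.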
diff --git a/apps/desktop/sign.js b/apps/desktop/sign.js
index c5a05df8480..a01388c703c 100644
--- a/apps/desktop/sign.js
+++ b/apps/desktop/sign.js
@@ -3,7 +3,7 @@ const child_process = require("child_process");
 exports.default = async function (configuration) {
   const ext = configuration.path.split(".").at(-1);
 
-  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ["exe", "dll", "node"].includes(ext)) {
+  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ["exe"].includes(ext)) {
     console.log(`[*] Signing file: ${configuration.path}`);
     child_process.execFileSync(
       "azuresigntool",
@@ -25,10 +25,7 @@ exports.default = async function (configuration) {
         stdio: "inherit",
       },
     );
-  } else if (
-    process.env.ELECTRON_BUILDER_SIGN_CERT &&
-    ["exe", "dll", "node", "appx"].includes(ext)
-  ) {
+  } else if (process.env.ELECTRON_BUILDER_SIGN_CERT && ["exe", "appx"].includes(ext)) {
     console.log(`[*] Signing file: ${configuration.path}`);
     if (process.platform !== "win32") {
       console.warn(
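Review bot: Both hunks drop "dll" and "node" from the hook's extension lists without saying where those files are signed now, so a .dll or .node that electron-builder still hands to this hook (it can do so when its `signDlls` option is on, which is not visible from here) is skipped with no log line and nothing in this file explains why. Add `// .dll/.node files are signed in scripts/after-pack.js; this hook only covers the exe (and appx).` above the first `if`. As a style point, the Azure condition in the first hunk reads more directly as `ext === "exe"` than `["exe"].includes(ext)`. The exported function continues outside both hunks.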