Test

apps/desktop/scripts/after-pack.js

@@ -35,6 +35,10 @@ async function run(context) {
     console.log("Copied memory-protection wrapper script");
   }
 
+  if (context.electronPlatformName === "win32") {
+    await signWindowsFiles(context.appOutDir);
+  }
+
   if (["darwin", "mas"].includes(context.electronPlatformName)) {
     const is_mas = context.electronPlatformName === "mas";
     const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
@@ -104,6 +108,62 @@ async function run(context) {
   }
 }
 
+async function signWindowsFiles(appOutDir) {
+  const isAzure = parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1;
+  const certFile = process.env.ELECTRON_BUILDER_SIGN_CERT;
+
+  if (!isAzure && !certFile) return;
+
+  const exts = new Set(["dll", "node"]);
+  const files = collectFiles(appOutDir, exts);
+
+  if (files.length === 0) return;
+
+  if (isAzure) {
+    console.log(`[*] Signing ${files.length} DLL/node files via Azure Key Vault`);
+    child_process.execFileSync(
+      "azuresigntool",
+      // prettier-ignore
+      [
+        "sign", "-v",
+        "-kvu", process.env.SIGNING_VAULT_URL,
+        "-kvi", process.env.SIGNING_CLIENT_ID,
+        "-kvt", process.env.SIGNING_TENANT_ID,
+        "-kvs", process.env.SIGNING_CLIENT_SECRET,
+        "-kvc", process.env.SIGNING_CERT_NAME,
+        "-fd", "sha256",
+        "-tr", "http://timestamp.digicert.com",
+        ...files,
+      ],
+      { stdio: "inherit" },
+    );
+  } else {
+    const certPw = process.env.ELECTRON_BUILDER_SIGN_CERT_PW;
+    if (!certPw) throw new Error("ELECTRON_BUILDER_SIGN_CERT_PW must be set");
+    for (const f of files) {
+      console.log(`[*] Signing file: ${f}`);
+      child_process.execFileSync(
+        "signtool.exe",
+        ["sign", "/fd", "SHA256", "/a", "/f", certFile, "/p", certPw, f],
+        { stdio: "inherit" },
+      );
+    }
+  }
+}
+
+function collectFiles(dir, exts) {
+  const results = [];
+  for (const entry of fse.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...collectFiles(full, exts));
+    } else if (exts.has(entry.name.split(".").at(-1))) {
+      results.push(full);
+    }
+  }
+  return results;
+}
+
 // Partially based on electron-builder code:
 // https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
 // https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts

apps/desktop/sign.js

@@ -3,7 +3,7 @@ const child_process = require("child_process");
 
 exports.default = async function (configuration) {
   const ext = configuration.path.split(".").at(-1);
-  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ["exe", "dll", "node"].includes(ext)) {
+  if (parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && ["exe"].includes(ext)) {
     console.log(`[*] Signing file: ${configuration.path}`);
     child_process.execFileSync(
       "azuresigntool",
@@ -25,10 +25,7 @@ exports.default = async function (configuration) {
         stdio: "inherit",
       },
     );
-  } else if (
-    process.env.ELECTRON_BUILDER_SIGN_CERT &&
-    ["exe", "dll", "node", "appx"].includes(ext)
-  ) {
+  } else if (process.env.ELECTRON_BUILDER_SIGN_CERT && ["exe", "appx"].includes(ext)) {
     console.log(`[*] Signing file: ${configuration.path}`);
     if (process.platform !== "win32") {
       console.warn(