From 070d5fc6e8defb3af6e8c36e67e4f5c4334fc822 Mon Sep 17 00:00:00 2001 From: David Baker Date: Tue, 26 Nov 2019 15:24:43 +0000 Subject: [PATCH] Sign all of the Windows executable files We can actually just supply a custom signing module here to do our signing rather than manually signing things in the afterSign hook. This means all 4 executable files get signed (the main exe, the stub exe, Update.exe and the installer). --- package.json | 3 +- scripts/electron_afterSign.js | 52 --------------------------- scripts/electron_winSign.js | 66 +++++++++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+), 53 deletions(-) create mode 100644 scripts/electron_winSign.js diff --git a/package.json b/package.json index 85607f75..2b725452 100644 --- a/package.json +++ b/package.json @@ -186,7 +186,8 @@ "win": { "target": { "target": "squirrel" - } + }, + "sign": "scripts/electron_winSign" }, "directories": { "buildResources": "electron_app/build", diff --git a/scripts/electron_afterSign.js b/scripts/electron_afterSign.js index 1f65438d..5952976a 100644 --- a/scripts/electron_afterSign.js +++ b/scripts/electron_afterSign.js @@ -1,7 +1,4 @@ const { notarize } = require('electron-notarize'); -const { exec, execFile } = require('child_process'); -const fs = require('fs'); -const shellescape = require('shell-escape'); exports.default = async function(context) { const { electronPlatformName, appOutDir } = context; @@ -23,54 +20,5 @@ exports.default = async function(context) { appleId: userId, appleIdPassword: '@keychain:NOTARIZE_CREDS', }); - } else if (electronPlatformName === 'win32') { - // This signs the actual Riot executable - const appName = context.packager.appInfo.productFilename; - - // get the token passphrase from the keychain - const tokenPassphrase = await new Promise((resolve, reject) => { - execFile( - 'security', - ['find-generic-password', '-s', 'riot_signing_token', '-w'], - {}, - (err, stdout) => { - if (err) { - reject(err); - } else { - resolve(stdout.trim()); - } - }, - ); - }); - - return new Promise((resolve, reject) => { - let cmdLine = 'osslsigncode sign '; - if (process.env.OSSLSIGNCODE_SIGNARGS) { - cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ' '; - } - const tmpFile = 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe'; - cmdLine += shellescape([ - '-pass', tokenPassphrase, - '-in', `${appOutDir}/${appName}.exe`, - '-out', `${appOutDir}/${tmpFile}`, - ]); - - const signproc = exec(cmdLine, {}, (error, stdout) => { - console.log(stdout); - }); - signproc.on('exit', (code) => { - if (code !== 0) { - reject("osslsigncode failed with code " + code); - return; - } - fs.rename(`${appOutDir}/${tmpFile}`, `${appOutDir}/${appName}.exe`, (err) => { - if (err) { - reject(err); - } else { - resolve(); - } - }); - }); - }); } }; diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js new file mode 100644 index 00000000..9cd2d3f6 --- /dev/null +++ b/scripts/electron_winSign.js @@ -0,0 +1,66 @@ +const { exec, execFile } = require('child_process'); +const fs = require('fs'); +const path = require('path'); +const shellescape = require('shell-escape'); + +exports.default = async function(options) { + const inPath = options.path; + const appOutDir = path.dirname(inPath); + + // get the token passphrase from the keychain + const tokenPassphrase = await new Promise((resolve, reject) => { + execFile( + 'security', + ['find-generic-password', '-s', 'riot_signing_token', '-w'], + {}, + (err, stdout) => { + if (err) { + console.error("Couldn't find signing token in keychain", err); + // electron-builder seems to print '[object Object]' on the + // console whether you reject with an Error or a string... + reject(err); + } else { + resolve(stdout.trim()); + } + }, + ); + }); + + return new Promise((resolve, reject) => { + let cmdLine = 'osslsigncode sign '; + if (process.env.OSSLSIGNCODE_SIGNARGS) { + cmdLine += process.env.OSSLSIGNCODE_SIGNARGS + ' '; + } + const tmpFile = path.join( + appOutDir, + 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe', + ); + const args = [ + '-hash', options.hash, + '-pass', tokenPassphrase, + '-in', inPath, + '-out', tmpFile, + ]; + if (options.isNest) args.push('-nest'); + cmdLine += shellescape(args); + + const signproc = exec(cmdLine, {}, (error, stdout) => { + console.log(stdout); + }); + signproc.on('exit', (code) => { + if (code !== 0) { + console.error("osslsigncode failed with code " + code); + reject("osslsigncode failed with code " + code); + return; + } + fs.rename(tmpFile, inPath, (err) => { + if (err) { + console.error("Error renaming file", err); + reject(err); + } else { + resolve(); + } + }); + }); + }); +};