From 99ee0fc72df0483980b0d4f4bfff7eb38e353ed5 Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 27 Nov 2019 11:54:33 +0000 Subject: [PATCH 1/5] Fix Windows signing args The hash arg seems to only accept the short `-h` form. In addition, the args in the environment contained a fixed hash type which is removed here.
---
electron_app/riot.im/env.sh | 2 +- scripts/electron_winSign.js | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/electron_app/riot.im/env.sh b/electron_app/riot.im/env.sh
index 79cb6e4e..0ee81052 100644
--- a/electron_app/riot.im/env.sh
+++ b/electron_app/riot.im/env.sh
@@ -1 +1 @@
-export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs electron_app/riot.im/New_Vector_Ltd.pem -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t http://timestamp.comodoca.com -h sha256 -verbose'
+export OSSLSIGNCODE_SIGNARGS='-pkcs11module /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib -pkcs11engine /usr/local/lib/engines/engine_pkcs11.so -certs electron_app/riot.im/New_Vector_Ltd.pem -key 0a3271cbc1ec0fd8afb37f6bbe0cd65ba08d3b4d -t http://timestamp.comodoca.com -verbose'
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 9cd2d3f6..4e88afd0 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -36,7 +36,7 @@ exports.default = async function(options) {
 'tmp_' + Math.random().toString(36).substring(2, 15) + '.exe',
 );
 const args = [
- '-hash', options.hash,
+ '-h', options.hash,
 '-pass', tokenPassphrase,
 '-in', inPath,
 '-out', tmpFile,
@@ -44,6 +44,7 @@ exports.default = async function(options) {
 if (options.isNest) args.push('-nest');
 cmdLine += shellescape(args);
+ console.log("Running", cmdLine);
 const signproc = exec(cmdLine, {}, (error, stdout) => {
 console.log(stdout);
 });
From cde5c9c027c92a6ca3a8d9135586115cd44d5fab Mon Sep 17 00:00:00 2001
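Review bot: With `-h sha256` dropped from `OSSLSIGNCODE_SIGNARGS`, nothing in env.sh states which digest a signature gets, so any caller that expands the variable without adding its own `-h` falls back to osslsigncode's built-in default, which depends on the installed version and may be SHA-1 on older releases. At this commit the installer signing in scripts/electron-package.sh still expands the variable that way; patch 2/5 removes that call. A comment above the export would keep the intent visible: `# Digest (-h) is deliberately not set here; scripts/electron_winSign.js passes it for each signing pass.`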
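Review bot: `options.hash` reaches the osslsigncode command line unchecked in the `'-h', options.hash,` line, and because env.sh stops pinning sha256 in this same commit, that value is now the only thing selecting the signature digest. A guard before `args` is built would fail the build early on a missing or unexpected value, e.g. `if (!['sha1', 'sha256'].includes(options.hash)) throw new Error('unexpected hash: ' + options.hash);` (the allowed set is presumably what electron-builder passes; confirm against its configuration). A short comment such as `// osslsigncode only accepts the short -h form` would also stop the flag being changed back later. The enclosing function starts and ends outside the hunk.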
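Review bot: The added `console.log("Running", cmdLine);` writes the token passphrase to the build log, because `cmdLine` is built from `args`, which contains `'-pass', tokenPassphrase`. Patch 3/5 moves the same call into the failure branch, so the passphrase is still printed whenever signing fails, and build logs are often retained or shared more widely than the signing host. Logging only non-secret fields avoids this, e.g. `console.log("Running osslsigncode for", inPath);`. Separately, a passphrase passed on the command line is visible in the process list while osslsigncode runs; reading it from a file (osslsigncode's `-readpass`, if the installed version supports it with the PKCS#11 engine) would be worth checking. The enclosing function continues outside the hunk.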
From: RiotRobot Date: Wed, 27 Nov 2019 12:15:05 +0000 Subject: [PATCH 2/5] Remove redundant Windows installer signing The signing in `electron-package.sh` is no longer needed, since it's already handled in the new sign script for `electron-builder`.
---
scripts/electron-package.sh | 14 -------------- 1 file changed, 14 deletions(-)
diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index 7a8a5ca7..9a0566ae 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -165,20 +165,6 @@ cp $distdir/squirrel-windows/RELEASES "$pubdir/update/win32/x64/"
 # longer appears to work).
 cp $distdir/*_amd64.deb "$projdir/electron_app/dist/"
-# Now we sign the windows installer executables (as opposed to the main binary which
-# is signed in the electron afteSign hook)
-echo "Signing Windows installers..."
-
-exe32=( "$distdir"/squirrel-windows-ia32/*.exe )
-basename32=`basename "$exe32"`
-osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe32" -out "$projdir/electron_app/pub/install/win32/ia32/$basename32"
-
-exe64=( "$distdir"/squirrel-windows/*.exe )
-basename64=`basename "$exe64"`
-osslsigncode sign $OSSLSIGNCODE_SIGNARGS -pass "$token_password" -in "$exe64" -out "$projdir/electron_app/pub/install/win32/x64/$basename64"
-
-echo "Installers signed"
-
 rm -rf "$builddir"
 echo "$pubdir can now be hosted on your web server."
From dd9305140b8d29e79ff610ee8d88e819d08332a9 Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 27 Nov 2019 12:22:51 +0000 Subject: [PATCH 3/5] Only log signing command when it fails
---
scripts/electron_winSign.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 4e88afd0..d55b8528 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -44,12 +44,14 @@ exports.default = async function(options) {
 if (options.isNest) args.push('-nest');
 cmdLine += shellescape(args);
- console.log("Running", cmdLine);
+ let signStdout;
 const signproc = exec(cmdLine, {}, (error, stdout) => {
- console.log(stdout);
+ signStdout = stdout;
 });
 signproc.on('exit', (code) => {
 if (code !== 0) {
+ console.log("Running", cmdLine);
+ console.log(signStdout);
 console.error("osslsigncode failed with code " + code);
 reject("osslsigncode failed with code " + code);
 return;
From d0c8a6af50ac419c83ec5bc37767302ada539ca7 Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 27 Nov 2019 12:44:40 +0000 Subject: [PATCH 4/5] Copy signed Windows installers to pub directory
---
scripts/electron-package.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index 9a0566ae..a4f047f8 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -131,19 +131,17 @@ pubdir="$projdir/electron_app/pub"
 rm -r "$pubdir" || true
 mkdir -p "$pubdir"
 rm -r "$projdir/electron_app/dist" || true
-mkdir -p "$projdir/electron_app/dist/unsigned/"
 # Install packages: what the user downloads the first time,
 # (DMGs for mac, exe installer for windows)
 mkdir -p "$pubdir/install/macos"
 cp $distdir/*.dmg "$pubdir/install/macos/"
-# Windows installers need signing, this comes later
 mkdir -p "$pubdir/install/win32/ia32/"
-mkdir -p "$projdir/electron_app/dist/unsigned/ia32/"
+cp $distdir/squirrel-windows-ia32/*.exe "$pubdir/install/win32/ia32/"
 mkdir -p "$pubdir/install/win32/x64/"
-mkdir -p "$projdir/electron_app/dist/unsigned/x64/"
+cp $distdir/squirrel-windows/*.exe "$pubdir/install/win32/x64/"
 # Packages for auto-update
 mkdir -p "$pubdir/update/macos"
From b93b6b448e05543563b3d013c41ef31228fd2760 Mon Sep 17 00:00:00 2001
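Review bot: `signStdout` is likely still undefined when the `'exit'` handler prints it, because Node runs the `exec` callback on the child's `'close'` event, which is emitted after `'exit'`; `console.log(signStdout);` therefore runs before `signStdout = stdout;`. Listening for `'close'` instead, `signproc.on('close', (code) => {`, should order the handler after the callback that `exec` registered. The callback also ignores its third argument, so anything osslsigncode writes to stderr is dropped from the failure output; `(error, stdout, stderr) => { signStdout = stdout + stderr; }` would keep it. The handler body continues past the end of the hunk.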
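Review bot: The two added `cp` lines publish whatever `.exe` electron-builder left in `$distdir` without checking that it carries a signature; before patch 2/5 this script ran the signing itself, so a signing failure stopped the release at this point. If the sign hook is skipped or misconfigured, unsigned installers would land under `$pubdir/install/win32/` unnoticed. A verification step before each copy would catch that, e.g. `osslsigncode verify -in "$exe" || exit 1` per installer (the exact verify options depend on the installed osslsigncode version). `$distdir` is also unquoted in both lines, unlike `"$pubdir"`; `"$distdir"/squirrel-windows/*.exe` keeps the glob working when the path contains spaces.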
From: RiotRobot Date: Wed, 27 Nov 2019 13:02:14 +0000 Subject: [PATCH 5/5] Restore creation of the dist directory
---
scripts/electron-package.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/scripts/electron-package.sh b/scripts/electron-package.sh
index a4f047f8..f92c1387 100755
--- a/scripts/electron-package.sh
+++ b/scripts/electron-package.sh
@@ -131,6 +131,7 @@ pubdir="$projdir/electron_app/pub"
 rm -r "$pubdir" || true
 mkdir -p "$pubdir"
 rm -r "$projdir/electron_app/dist" || true
+mkdir -p "$projdir/electron_app/dist"
 # Install packages: what the user downloads the first time,
 # (DMGs for mac, exe installer for windows)