Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: windows code signing #8084

Merged
merged 33 commits into from
Oct 16, 2024
Merged

fix: windows code signing #8084

merged 33 commits into from
Oct 16, 2024

Conversation

filfreire
Copy link
Member

@filfreire filfreire commented Oct 15, 2024
edited
Loading

todo

windows codesigning process after merging this PR

The approach is:

  1. run package:windows:unpacked to bake windows-unpacked folder (which runs npm run build:app) with all common baked insomnia files
  2. codesign the .dll and .exe unpacked files (common to all installers) (using GitHub actions intermediate steps that use SSL.com's esigner-codesign
  3. run the package:windows:dist and point it to the same windows-unpacked folder (using electron-builder's --dir flag) for baking the temporary squirrel related files, signing with SSL.com's ci-images via customSign.js hook, bake the installer package, and sign that as well from hook.

debugging

found that Update.exe and Insomnia.exe (squirrel stub) are only available to codesign via hook

image

Solution

We use the container image for EV codesigner from a custom-hook during packaging.

Afterwards, both the Stub, Updater.exe and the installer are all code-signed in a single go:
image

(using upstream branch instead of fork to test, closed #8069)

@filfreire filfreire mentioned this pull request Oct 15, 2024
Closed
@filfreire filfreire requested a review from a team October 15, 2024 16:25
gatzjames
gatzjames previously approved these changes Oct 15, 2024
View reviewed changes
@filfreire filfreire requested review from gatzjames and a team October 16, 2024 10:39
jackkav
jackkav previously approved these changes Oct 16, 2024
View reviewed changes
Copy link
Contributor

@jackkav jackkav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe just add npm run build:app && for consistency, can do it in future if you need

packages/insomnia/customSign.js Show resolved Hide resolved
packages/insomnia/electron-builder.config.js Show resolved Hide resolved
@filfreire
Copy link
Member Author

@jackkav about:

maybe just add npm run build:app && for consistency, can do it in future if you need

We should not add it in this case. The approach is:

  • First we run package:windows:unpacked to bake windows-unpacked (which runs npm run build:app)
  • Then we codesign the .dll and .exe unpacked files (common to all installers)
  • Then we run the package:windows:dist and point it to the same windows-unpacked folder for baking the temporary squirrel related files, signing via customSign hook, bake the installer package, and sign that as well.

The unpacked files need to get codesigned in an intermediate step, and then we build the Squirrel package from the codesigned windows-unpacked folder for which we have already previously run build:app.

@filfreire filfreire requested review from jackkav and a team October 16, 2024 12:33
@filfreire filfreire enabled auto-merge (squash) October 16, 2024 12:41
@filfreire filfreire merged commit 8ddff9d into develop Oct 16, 2024
8 checks passed
@filfreire filfreire deleted the fix/ins-4561 branch October 16, 2024 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryan-willis ryan-willis ryan-willis approved these changes

@gatzjames gatzjames Awaiting requested review from gatzjames

@jackkav jackkav Awaiting requested review from jackkav

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@filfreire @jackkav @gatzjames @ryan-willis