feat: Add functionality to create a "signtool.exe" #7
Conversation
felixrieseberg
force-pushed
the
felixr-sea
branch
from
14850ae
to
a299833
Compare
src/sea.ts
Outdated
| const SEA_MAIN_SCRIPT = ` | ||
| const bin = "%PATH_TO_BIN%"; | ||
| const script = "%PATH_TO_SCRIPT%"; | ||
| const options = JSON.parse(\` | ||
| %WINDOWS_SIGN_OPTIONS% | ||
| \`.trim()) | ||
|
|
||
| const { spawnSync } = require('child_process'); | ||
|
|
||
| function main() { | ||
| console.log("@electron/windows-sign sea"); | ||
| console.log({ bin, script }); | ||
|
|
||
| try { | ||
| const spawn = spawnSync( | ||
| bin, | ||
| [ script, JSON.stringify(options), JSON.stringify(process.argv.slice(1)) ], | ||
| { stdio: ['inherit', 'inherit', 'pipe'] } | ||
| ); | ||
|
|
||
| const stderr = spawn.stderr.toString().trim(); | ||
|
|
||
| if (stderr) { | ||
| throw new Error(stderr); | ||
| } | ||
| } catch (error) { | ||
| process.exitCode = 1; | ||
| throw new Error(error); | ||
| } | ||
| } | ||
|
|
||
| main(); | ||
| `; |
There was a problem hiding this comment.
How do you feel about turning SEA_MAIN_SCRIPT and SEA_RECEIVER_SCRIPT into actual JS code somehow? I think that would make maintenance a little easier since it would enable editor highlighting and whatnot. I can think of two options:
- moving the code to a separate .js file, then reading the file contents, replacing the variables and writing the result to the appropriate destination file;
- creating a function to hold the code and writing a stringified version of that function to the appropriate file using an IIFE, like...
function seaMainScript () {
const bin = '%PATH_TO_BIN%';
const script = '%PATH_TO_SCRIPT%';
const options = JSON.parse('%WINDOWS_SIGN_OPTIONS%'.trim());
const { spawnSync } = require('child_process');
function main () {
console.log('@electron/windows-sign sea');
console.log({
bin,
script
});
try {
const spawn = spawnSync(
bin,
[script, JSON.stringify(options), JSON.stringify(process.argv.slice(1))],
{ stdio: ['inherit', 'inherit', 'pipe'] }
);
const stderr = spawn.stderr.toString().trim();
if (stderr) {
throw new Error(stderr);
}
} catch (error) {
process.exitCode = 1;
// @ts-ignore
throw new Error(error);
}
}
main();
}
// ...
const script = `(${seaMainScript.toString()
.replace('%PATH_TO_BIN%', escapeMaybe(binPath))
.replace('%PATH_TO_SCRIPT%', escapeMaybe(receiverPath))
.replace('%WINDOWS_SIGN_OPTIONS%', JSON.stringify(options.windowsSign))})()`
;...or even modifying the function to accept parameters instead of using placeholders and passing them when invoking the IIFE:
function seaMainScript (bin, script, options) {
// ...
}
// ...
const script = `(${
seaMainScript.toString()})(
${escapeMaybe(binPath)},
${escapeMaybe(receiverPath)},
${JSON.stringify(options.windowsSign)}
)`;I've used 2. before, the "invocation"/templating part looks disgusting but at least the main function code gets editor goodies 😅 Anyway, I'm not sure this is something worth changing as the code is relatively short, so feel free to keep it like it is!
There was a problem hiding this comment.
This is a great idea, thank you! I tried to get it to work properly - but it's hard to make prettier & co really understand what's going on, as the scripts here even import the module itself.
I'll try to revisit this later, since I do agree with ya. It's a little annoying that the editor can't tell me about my typos in the string.
src/sea.ts
Outdated
|
|
||
| if (!cloned.path) { | ||
| cloned.path = path.join(os.homedir(), '.electron', 'windows-sign', 'sea.exe'); | ||
| await fs.mkdirp(cloned.path); |
There was a problem hiding this comment.
Question: don't know if it makes a difference, but it looks like fs.ensureFile would be a better fit since it's the path to a file, not to a folder?
| return true; | ||
| } | ||
|
|
||
| throw new Error(`Your Node.js version (${process.version}) does not support Single Executable Applications. Please upgrade your version of Node.js.`); |
There was a problem hiding this comment.
Since you mentioned this will be consumed by electron-winstaller: that module is currently on Node 8, so we might need to update it (and potentially Forge, which is on Node 16 and has electron-winstaller as an optional dep - not sure how we handle these) to 18 first.
There was a problem hiding this comment.
It's a little tough to do with backwards compat - since only a small number of people will actually need to use the sea ability (apps with EV certificates and custom codesigning pipelines in the cloud), I think my recommendation would be:
- Keep
@electron/windows-installerat Node 8. Or upgrade it, but maybe only to ~16 or so. - Document that
windowsSignoptions inside@electron/windows-installerrequires at least Node 18.
felixrieseberg
force-pushed
the
felixr-sea
branch
from
a09c6e3
to
5fa9440
Compare
|
🎉 This PR is included in version 1.1.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This PR adds functionality to have
@electron/windows-signcreate asigntool.exethat signs any given file with the same options passed to@electron/windows-signin the first place. That's helpful for tools like Squirrel - which will only sign withsigntool.exe. It's a bit of a clever hack to make@electron/windows-signcompatible with any tool that'll let users callsigntool.exe.Here's how it works:
node.exethat contains signing options. We'll call that newly minted binarysigntool.exe.signtool.exeis executed, it spawns user'snode.exe, requires@electron/windows-sign, and signs the file originally passed to it with the options already embedded in the binary.signtool.exeon the local machine, users can use this tool with confidence - there is no mysterious "signtool.exe" that'd be able to exfiltrate secrets.I don't expect users to actually use this feature directly. It'll be consumed by
@electron/windows-installer, for which I'll open another PR.