Windows: No longer rely on electron-builder for code-signing

2023-11-03 11:35:16 -07:00 · 2023-11-03 11:35:16 -07:00 · 1e19a4e5ee
commit 1e19a4e5ee
parent 461f389929
2 changed files with 32 additions and 0 deletions
--- a/package.json
+++ b/package.json
@ -385,6 +385,7 @@
      "signingHashAlgorithms": [
        "sha256"
      ],
+      "sign": "./ts/scripts/sign-windows.js",
      "publisherName": "Signal Messenger, LLC",
      "icon": "build/icons/win/icon.ico",
      "publish": [
--- a/ts/scripts/sign-windows.ts
+++ b/ts/scripts/sign-windows.ts
@ -0,0 +1,31 @@
+// Copyright 2019 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import { execSync } from 'child_process';
+
+import { realpath } from 'fs-extra';
+
+import type { CustomWindowsSignTaskConfiguration } from 'electron-builder';
+
+export async function sign(
+  configuration: CustomWindowsSignTaskConfiguration
+): Promise<void> {
+  // In CI, we remove certificate information from package.json to disable signing
+  if (!configuration.options.certificateSha1) {
+    return;
+  }
+
+  const scriptPath = process.env.SIGN_WINDOWS_SCRIPT;
+  if (!scriptPath) {
+    throw new Error(
+      'path to windows sign script must be provided in environment variable SIGN_WINDOWS_SCRIPT'
+    );
+  }
+
+  const target = realpath(configuration.path);
+
+  // The script will update the file in-place
+  execSync(`bash ${scriptPath} ${target}`, {
+    stdio: [null, process.stdout, process.stderr],
+  });
+}