Sign without Squirrel if --code-sign without --create-windows-installer

2026-04-28 03:01:47 -04:00 · 2017-04-17 18:11:57 -07:00
parent e365148e68
commit cfa072017d
4 changed files with 57 additions and 3 deletions
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -30,7 +30,7 @@ build_script:
  - IF [%APPVEYOR_REPO_BRANCH:~-9%]==[-releases] (
      script\build.cmd --code-sign --create-windows-installer --compress-artifacts
    ) ELSE (
-      script\build.cmd --compress-artifacts
+      script\build.cmd --code-sign --compress-artifacts
    )

 test_script:
--- a/script/build
+++ b/script/build
@@ -27,6 +27,7 @@ const argv = yargs
 const checkChromedriverVersion = require('./lib/check-chromedriver-version')
 const cleanOutputDirectory = require('./lib/clean-output-directory')
 const codeSignOnMac = require('./lib/code-sign-on-mac')
+const codeSignOnWindows = require('./lib/code-sign-on-windows')
 const compressArtifacts = require('./lib/compress-artifacts')
 const copyAssets = require('./lib/copy-assets')
 const createDebianPackage = require('./lib/create-debian-package')
@@ -78,7 +79,12 @@ dumpSymbols()
        return createWindowsInstaller(packagedAppPath, argv.codeSign).then(() => packagedAppPath)
      }
      else {
-        console.log('Skipping creating installer. Specify the --create-windows-installer option to create a Squirrel-based Windows installer. Code-signing was skipped too.'.gray)
+        console.log('Skipping creating installer. Specify the --create-windows-installer option to create a Squirrel-based Windows installer.'.gray)
+        if (argv.codeSign) {
+          codeSignOnWindows(packagedAppPath)
+        } else {
+          console.log('Skipping code-signing. Specify the --code-sign option to perform code-signing'.gray)
+        }
      }
    } else if (process.platform === 'linux') {
      if (argv.createDebianPackage) {
--- a/script/lib/code-sign-on-windows.js
+++ b/script/lib/code-sign-on-windows.js
@@ -0,0 +1,48 @@
+const downloadFileFromGithub = require('./download-file-from-github')
+const fs = require('fs-extra')
+const os = require('os')
+const path = require('path')
+const {spawnSync} = require('child_process')
+
+// This is only used when specifying --code-sign WITHOUT --create-windows-installer
+// as Squirrel has to take care of code-signing in order to correctly wrap during the building of setup
+
+module.exports = function (packagedAppPath) {
+  if (!process.env.ATOM_WIN_CODE_SIGNING_CERT_DOWNLOAD_URL && !process.env.ATOM_WIN_CODE_SIGNING_CERT_PATH) {
+    console.log('Skipping code signing because the ATOM_WIN_CODE_SIGNING_CERT_DOWNLOAD_URL environment variable is not defined'.gray)
+    return
+  }
+
+  let certPath = process.env.ATOM_WIN_CODE_SIGNING_CERT_PATH
+  if (!certPath) {
+    certPath = path.join(os.tmpdir(), 'win.p12')
+    downloadFileFromGithub(process.env.ATOM_WIN_CODE_SIGNING_CERT_DOWNLOAD_URL, certPath)
+  }
+  try {
+    console.log(`Code-signing application at ${packagedAppPath}`)
+    signFile(path.join(packagedAppPath, 'atom.exe'))
+  } finally {
+    if (!process.env.ATOM_WIN_CODE_SIGNING_CERT_PATH) {
+      console.log(`Deleting certificate at ${certPath}`)
+      fs.removeSync(certPath)
+    }
+  }
+
+  function signFile(filePath) {
+    const signCommand = path.resolve(__dirname, '..', 'node_modules', 'electron-winstaller', 'vendor', 'signtool.exe')
+    const args = [ // Changing any of these should also be done in create-windows-installer.js
+      'sign',
+      `/f ${certPath}`, // Signing cert file
+      `/p ${process.env.ATOM_WIN_CODE_SIGNING_CERT_PASSWORD}`, // Signing cert password
+      '/fd sha256', // File digest algorithm
+      '/tr http://timestamp.digicert.com', // Time stamp server
+      '/td sha256', // Times stamp algorithm
+      `"${filePath}"`
+    ]
+    const result = spawnSync(signCommand, args, {stdio: 'inherit', shell: true})
+    if (result.status !== 0) {
+      // Ensure we do not dump the signing password into the logs if something goes wrong
+      throw new Error(`Command ${signCommand} ${args.map(a => a.replace(process.env.ATOM_WIN_CODE_SIGNING_CERT_PASSWORD, '******')).join(' ')} exited with code ${result.status}`)
+    }
+  }
+}
--- a/script/lib/create-windows-installer.js
+++ b/script/lib/create-windows-installer.js
@@ -31,7 +31,7 @@ module.exports = (packagedAppPath, codeSign) => {
      downloadFileFromGithub(process.env.ATOM_WIN_CODE_SIGNING_CERT_DOWNLOAD_URL, certPath)
    }

-    var signParams = []
+    var signParams = [] // Changing any of these should also be done in code-sign-on-windows.js
    signParams.push(`/f ${certPath}`) // Signing cert file
    signParams.push(`/p ${process.env.ATOM_WIN_CODE_SIGNING_CERT_PASSWORD}`) // Signing cert password
    signParams.push('/fd sha256') // File digest algorithm