VMP Script unable to sign the Correct Executable when using Squirrel.Windows #89

Closed
ryankashi opened this issue Mar 12, 2021 · 6 comments

@ryankashi

Hi everyone!

I am developing an application that is using electron-forge to package my application (which, under the hood, uses electron-builder).

I am able to successfully package, make, code-sign, and deploy my app as a .zip, however I am unable to properly codesign my application when I change my maker to squirrel.windows.

Once packaging is complete, before making the installer, I attempt to codesign the package per usual via:

python -m castlabs_evs.vmp sign-pkg ./path/to/my/exe

However when using squirrel.Windows, when I call the above script, the VMP signing service instead codesigns Squirrel.exe as opposed to my base application executable, and then continues with making the application, eventually producing the installer without Widevine.

If I attempt to vmp sign the installer itself that is an output of squirrel.Windows, the VMP signing service fails (which makes sense as this is the installer, not the executable).

Is the timing different for the VMP signing service when packaging an electron app with an installer as opposed to a zip? Or is it the VMP signing service's fault for not finding the correct executable to sign? If there was a way to specify a specific executable to use with the VMP signing service, would this even fix my issue?

@khwaaj
Collaborator

khwaaj commented Mar 12, 2021

Hi,

There is not enough information here to really tell what is going on, but it is certainly possible that sign-pkg picks the wrong executable if multiple exe-files are present in the package directory. If that happens the signing process will fail since the executable won't match an official ECS release.

For this reason the --name-hint (or -H) option exists to give you the ability to help sign-pkg find the correct item to sign. For example, if your application is called MyApp (and thus contains something like MyApp.exe on Windows) you could add a name hint to help sign-pkg find the correct executable to sign:

python3 -m castlabs_evs.vmp sign-pkg -H MyApp path/to/package-directory

This might help in your case, but since I'm not familiar with the particular packager you are using, and I don't really know the structure produced or how it otherwise differs from electron-builder, I can't say for sure. If the above suggestion doesn't help you solve it, perhaps you can produce a minimal sample project that shows the issue?

@ryankashi
Author

Electron-forge is using Electron-packager under the hood, so anything that is relevant for electron-packager also applies with electron-forge.

I have managed to EVS sign my package by using the -H command, however I have NOT included code-signing for the windows build yet.

I am aware that for Windows applications, code-signing must occur BEFORE the EVS code-signing has completed. When using electron-packager, at which hook during the making process (that provides me an output with an executable installer) should I be calling EVS sign?

With MacOS, everything is very straightforward where I can simply use the Castlabs EVS script once packaged as a zip file is complete inside my hooks, followed by using a script to sign my package for Mac.

@khwaaj
Collaborator

khwaaj commented Mar 12, 2021

I took a quick look at the electron-packager docs (as I've not actually used it myself), but unfortunately the description of the different hooks is a bit lacking detail with regards to the different stages of the packaging, and they do not appear to map one-to-one against electron-builder hooks. This makes it hard for me to make any recommendations, at least without actually testing it myself.

The important thing is that VMP signing takes place after any modifications to the executable take place (e.g. application of built-in meta-data, icons, and so on), but before the actual installer is created. This is typically the same stage the application code-signing should take place, but as you noted, the order of VMP and code-signing is important and differs between platforms.

@ryankashi
Author

After checking the official electron docs, this still leaves me with a number of questions on my part.

https://www.electronjs.org/docs/tutorial/code-signing

According to the official electron docs, it implies that code-signing should occur AFTER an installer has been created, signing the output installer .exe as well, and the Castlabs EVS does not work for installer .exes - only the package itself.

When taking a look at the electron-builder docs, however, I can see the hook called afterSign which makes sense, although it does not appear that electron-builder is signing the output installer which seems incorrect with what should actually be occurring.

If I were to VMP sign my package at the very end of the packaging step (icons, metadata, etc already set), and then sign after fully creating an installer or installing.exe, would this still break my VMP signature? Does code-signing on Windows affect the contents of my package in any way?

@khwaaj
Collaborator

khwaaj commented Mar 16, 2021

My initial assumption would be that you need to sign both, first the application and then the installer (though VMP signing is only necessary for the application). My experience with signing and installers on Windows, including Squirrel.Windows, is very limited though so my assumptions come with some reservation. Also, this might be handled already by the packager, electron-forge/electron-packager in your case, but the instructions you linked are not entirely clear IMHO.

From the perspective of VMP the important thing is that the actual Windows executable does not change after the VMP-signature is generated, as that will break it. This is why code-signing of the application needs to happen first since it makes changes to the executable. If the installer executable/msi (or whatever) also needs a signature this should not affect the application executable since it should already be packaged within the installer, but it is really a question about how the packager handles this, and what kind of hooks are available to intercept the process.
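
The ordering constraint described above, as an added example that is not part of the thread or of castlabs_evs: select the application executable explicitly when the package directory also contains Squirrel.exe, record its SHA-256 right after VMP signing, and re-check it before the installer is built. `MyApp`, the directory layout and all function names are assumptions, and the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def find_app_exe(pkg_dir: Path, name_hint: str) -> Path:
    """Return the single .exe in pkg_dir whose stem equals name_hint (case-insensitive)."""
    exes = sorted(pkg_dir.glob("*.exe"))
    matches = [p for p in exes if p.stem.lower() == name_hint.lower()]
    if len(matches) != 1:
        names = [p.name for p in exes]
        raise LookupError(f"expected exactly one {name_hint}.exe, found: {names}")
    return matches[0]


def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, to be recorded right after VMP signing."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def unchanged_since(path: Path, recorded: str) -> bool:
    """True if the executable is byte-identical to what was VMP-signed."""
    return fingerprint(path) == recorded


def demo() -> tuple[str, bool, bool]:
    # Constructed package layout: one directory holding two executables.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "Squirrel.exe").write_bytes(b"MZ constructed updater stub")
        (pkg / "MyApp.exe").write_bytes(b"MZ constructed application")

        app = find_app_exe(pkg, "MyApp")
        # Code-sign the application and run sign-pkg at this point,
        # then record the hash of the result.
        recorded = fingerprint(app)
        ok_before = unchanged_since(app, recorded)

        # Simulate a late build step (metadata edit, re-signing) touching the exe.
        with app.open("ab") as fh:
            fh.write(b"\x00late modification")
        ok_after = unchanged_since(app, recorded)
        return app.name, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Run `unchanged_since` as the last check before the installer step and fail the build when it returns False, since any change to the executable after VMP signing breaks the signature.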

@Mgrdich

Mgrdich commented Jun 19, 2023

@ryankashi by any chance have you figured out how it can be done? Because I am having the exact same issue, a little guidance will be fine. @khwaaj if it works out I will create good documentation for electron forge users :)
