electron-builder
electron-builder copied to clipboard
electron-userland
Planning to remove the use of PowerShell to verify updates? Execution of powershell.exe fails due to Anti-virus software, Software Restriction Policies (SRP), and general misconfiguration of machines
- Electron-Builder Version: 23.3.3
- Electron-Updater Version: 5.2.2
- Node Version: 16.5.0
- Electron Version: 20.1.0
- Electron Type (current, beta, nightly): current
- Target: windows
Hi,
electron-updater has been using powershell.exe to verify the signature of the downloaded update for a long time. The app I am working on is being used by multiple users and companies for a long time now and we have telemetry for updater failures. Failures to start powershell.exe have always been present to some extent, even though it works for most users. The failure rate has been small enough to ignore for a long time, but it is always there. Occasionally some enterprise customers would complain from their anti-virus blocking the execution of powershell.exe, or their SRP policies blocking it, or our telemetry would show that powershell failed to execute for various reasons.
I am filing this ticket not to get a recommendation to do manual rollouts, or to disable certificate validation, or otherwise to avoid the issue. This ticket is to ask if there are plans and request if possible to replace the execution of powershell.exe with calling Win32 APIs directly. This should make the update process friendlier to large companies and should increase the success rate of the updates.
There is the CryptQueryObject() API (example https://docs.microsoft.com/en-US/troubleshoot/windows/win32/get-information-authenticode-signed-executables), which is deprecated, but should still be a better option than launching powershell.exe.
The replacement API is Cryptography API: Next Generation, but I don't find an example of checking the code signing certificate of a file.
Thanks, Ivan
Alternatively, maybe electron-updater can allow apps to install a custom callback function for the certificate verification of the downloaded update? This way apps can provide their own implementation, thus suppressing the default one with powershell.
Hi @ivanggq, I'm the sole maintainer here and don't have any plans for calling win32 api's directly (nor am familiar with them). If you're willing, I'd love it if you could contribute to the codebase! That way the broader community could leverage your work, as opposed to a callback function approach. 🙂 Setting up a dev environment is fairly simple as well. https://github.com/electron-userland/electron-builder/blob/master/CONTRIBUTING.md#to-setup-a-local-dev-environment
