
Certificates with special characters are not accepted anymore since electron-updater v1.6.9

Open Simolation opened this issue 1 year ago • 4 comments

  • Electron-Builder Version: 24.13.3
  • Node Version: v20.11.1
  • Electron Version: 29.1.6
  • Electron Type (current, beta, nightly): current
  • Electron Updater: 6.2.1 (last working version is 6.1.8)
  • Target: Windows

I am using electron-builder to build macOS and Windows builds of our application. I was on electron-updater 6.1.8 and updated to 6.1.9 a couple of weeks ago and everything worked fine. Now we wanted to release another update for Windows, and then we discovered that the electron-updater does not accept updates using our Sectigo Code Signing certificate (which did not change!) as it contains a German special character (ä) due to our legal name (Company name UG (haftungsbeschränkt)). So all customers who have the version using electron-updater 6.1.9 won't be able to automatically update our application.

I tried multiple different things and figured out that in 6.1.8 the certificate was accepted as usual and starting from 6.1.9 until the latest version, 6.2.1, it does not accept the certificate anymore.

When the auto-updater is run, I get the following log outputs: [screenshots: 2024-03-31 13-05-09@2x, 2024-03-31 13-07-25@2x]

I tried everything I could imagine. The Windows Version does not matter, the OS language is not a problem, I tried the PowerShell commands which return the certificate information from the electron-updater source code, but everything seems correct.

Now I have to figure out how to notify our customers to manually update the application on all devices...

Simolation avatar Mar 31 '24 11:03 Simolation

So the only change between 6.1.8 and 6.1.9 that's related to signing verification is this diff https://github.com/electron-userland/electron-builder/compare/[email protected]@6.1.9#diff-91fab3cd539f30ee3e335abd198fa27b33da0d3c19672f5e374cbc130b7010ea It fixes this issue: https://github.com/electron-userland/electron-builder/issues/7127

Can you copy-paste your full issuer DN (or sample DN with your special characters) and I can create a unit test for this. Electron-builder already has multiple unit tests for signature validation and it was added to codesigning unit test CI node, but it doesn't verify special characters. I'll need to create a self-signed cert locally with the special characters provided to repro your issue

As with all electron-updater version changes, it is highly advised to be tested internally before deploying to users. This is a necessary element of any release process.

mmaietta avatar Apr 04 '24 16:04 mmaietta

Yeah, I already looked into the diffs and I also ran both PowerShell commands with the signed installer, and it seemingly produced the same output. The certificate has not changed, also the Windows Version is the same. The Windows executable is built on a Mac, but also the Mac has not changed and when reverting back to 6.1.8 it was working again. So that's the strange part.

A full DN similar to our Company name would be: C=DE S=Bavaria L=Munich O=Company UG (haftungsbeschränkt) CN=Company UG (haftungsbeschränkt)

Also quite common German special characters are äüöß. So, for example, CN=Müller GmbH, or CN=Möbel AG

Simolation avatar Apr 04 '24 20:04 Simolation

Sounds good, I'll try and repro this locally on my arm64 windows VM. Currently swamped with work though

mmaietta avatar Apr 04 '24 22:04 mmaietta

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Jun 04 '24 00:06 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity.

github-actions[bot] avatar Jul 04 '24 00:07 github-actions[bot]

facing the same issue after updating electron-updater beyond 6.1.8

ckarich avatar Aug 09 '24 09:08 ckarich

i fiddled a little bit around and found out that we need to run chcp 65001 first, before emptying the PSModulePath env variable .. i will try to contribute the according change so instead of

    execFile(
      `set "PSModulePath="; chcp 65001 >NUL & powershell.exe`,
      ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `"Get-AuthenticodeSignature -LiteralPath '${tempUpdateFile}' | ConvertTo-Json -Compress"`],
      {
        shell: true,
        timeout: 20 * 1000,
      },
      ....

it should be

    execFile(
      "chcp 65001 >NUL & set PSModulePath= & powershell.exe",
      ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `"Get-AuthenticodeSignature -LiteralPath '${tempUpdateFile}' | ConvertTo-Json -Compress"`],
      {
        shell: true,
        timeout: 20 * 1000,
      },

ckarich avatar Aug 09 '24 11:08 ckarich

the issue is most likely the ; which is not feasible to concat a set-command in windows with another one since ; can be used as part of the string for the variable to set .. (a good example would be setting PATH like set PATH=%PATH%;c:\newfolder)

so by passing set "PSModulePath="; chcp 65001 >NUL & powershell.exe to execFile() it won't run the "command" between ; and & .. but rather unset PSModulePath envvar .. ignoring everything after the ; and then run powershell.exe ..

so a more clever fix would be to change set "PSModulePath="; chcp 65001 >NUL & powershell.exe to set "PSModulePath=" & chcp 65001 >NUL & powershell.exe

ckarich avatar Aug 09 '24 12:08 ckarich
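
An added illustration, not part of any comment above and not electron-updater's code, of what goes wrong when chcp 65001 never runs: the child writes the signer subject in the console's OEM code page while the parent decodes it as UTF-8, so the publisher name no longer matches. The CP850 code page, the simplified CN comparison and all sample data are assumptions constructed for this example.

```javascript
// Added illustration, not electron-updater source. All sample data is constructed.
const PUBLISHER_NAME = "Company UG (haftungsbeschränkt)";
const SUBJECT = `CN=${PUBLISHER_NAME}, O=${PUBLISHER_NAME}, L=Munich, S=Bavaria, C=DE`;

// Assumed OEM code page 850; only the characters named in the thread are mapped.
const CP850 = { "\u00e4": 0x84, "\u00f6": 0x94, "\u00fc": 0x81, "\u00df": 0xe1 };

function encodeOem(text) {
  return Buffer.from(Array.from(text.normalize("NFC"), (ch) => {
    const code = ch.codePointAt(0);
    if (code < 0x80) return code;
    if (ch in CP850) return CP850[ch];
    throw new Error(`no CP850 mapping for ${ch}`);
  }));
}

// Bytes a child process would write for the signature JSON under each console code page.
function simulateStdout(subject, codePage) {
  const json = JSON.stringify({ Status: 0, SignerCertificate: { Subject: subject } });
  return codePage === 65001 ? Buffer.from(json, "utf8") : encodeOem(json);
}

// Simplified DN parsing: take the first CN= component.
function commonName(subject) {
  const match = /(?:^|,\s*)CN=([^,]*)/.exec(subject);
  return match ? match[1].trim() : null;
}

// The parent decodes stdout as UTF-8 (Node's default for execFile) and compares names.
function verifyPublisher(stdoutBytes, publisherName) {
  const text = stdoutBytes.toString("utf8");
  const cn = commonName(JSON.parse(text).SignerCertificate.Subject);
  return {
    cn,
    ok: cn !== null && cn.normalize("NFC") === publisherName.normalize("NFC"),
    // U+FFFD means the bytes were not valid UTF-8: an encoding fault, not a wrong signer.
    encodingSuspect: text.includes("\ufffd"),
  };
}

const withUtf8 = verifyPublisher(simulateStdout(SUBJECT, 65001), PUBLISHER_NAME);
const withOem = verifyPublisher(simulateStdout(SUBJECT, 850), PUBLISHER_NAME);
console.log(withUtf8.ok, withOem.ok, JSON.stringify(withOem.cn));
```

The encodingSuspect flag is the useful diagnostic here: a replacement character in the decoded subject points at a code-page mismatch rather than at a changed or untrusted certificate.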