electron-builder icon indicating copy to clipboard operation
electron-builder copied to clipboard
verified publisher icon electron-userland

fix: generate stubExecutableExe and sign it

Open beyondkmp opened this issue 10 months ago • 20 comments

fix https://github.com/electron-userland/electron-builder/issues/8952

Root Cause

when createExecutableStubForExe is executed, WriteZipToSetup writes information to the file, essentially creating a new file, which invalidates the original signature. Image

https://github.com/Squirrel/Squirrel.Windows/blob/51f5e2cb01add79280a53d51e8d0cfa20f8c9f9f/src/Update/Program.cs#L633-L647

Image

How to fix Apply a patch to the Squirrel Windows source code(https://github.com/Squirrel/Squirrel.Windows/pull/1903). For the existing stub exe files, don't generate them anymore. Then, a new stub exe can be generated in Electron Builder and signed.

beyondkmp avatar Mar 14 '25 08:03 beyondkmp

🦋 Changeset detected

Latest commit: afa051372c26832e3644a7e91e061fad4702c979

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages
Name Type
electron-builder-squirrel-windows Patch
app-builder-lib Patch
dmg-builder Patch
electron-builder Patch
electron-forge-maker-appimage Patch
electron-forge-maker-nsis-web Patch
electron-forge-maker-nsis Patch
electron-forge-maker-snap Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

changeset-bot[bot] avatar Mar 14 '25 08:03 changeset-bot[bot]

~Seems to fail to build at least for ARM64 package: https://github.com/element-hq/element-desktop/actions/runs/13895690921/job/38875908510?pr=2211~ looks like my testing is insufficient, doesn't bring in the vendor dir - looks like patch-package doesn't support binary files https://github.com/ds300/patch-package/issues/193

t3chguy avatar Mar 17 '25 09:03 t3chguy

Looks like package.json files needs updating to include vendor dir

t3chguy avatar Mar 17 '25 09:03 t3chguy

image

Looks like it works sans the package.json not including vendor in the package - good job @beyondkmp

I also checked that the number of signings remained the same

t3chguy avatar Mar 17 '25 10:03 t3chguy

the squirrel windows target/package must be installed separately and isn't part of the electron-builder dependency tree, right?

Yup, electron-builder-squirrel-windows https://www.npmjs.com/package/electron-builder-squirrel-windows is not a transitive dependency of electron-builder

t3chguy avatar Mar 17 '25 22:03 t3chguy

Looks like package.json files needs updating to include vendor dir

my bad. Added.

beyondkmp avatar Mar 18 '25 02:03 beyondkmp

These vendor files are copied from the GitHub Actions workflow at https://github.com/beyondkmp/Squirrel.Windows/actions/runs/13871759240/job/38819263248 and the other files(like 7zip,nuget) are copiled from https://github.com/electron/windows-installer/tree/main/vendor.

https://github.com/Squirrel/Squirrel.Windows/pull/1903/files The code changes for Squirrel Windows are located here.

beyondkmp avatar Mar 18 '25 02:03 beyondkmp

@beyondkmp / @mmaietta any update here?

t3chguy avatar Apr 02 '25 16:04 t3chguy

@t3chguy We hope that the upstream will merge this MR (https://github.com/Squirrel/Squirrel.Windows/pull/1903/files ) so that an official upstream version of the Squirrel Windows vendor can be released. However, it seems that there has been no activity from the upstream.

beyondkmp avatar Apr 03 '25 07:04 beyondkmp

@mmaietta Do you have any thoughts on this MR?

beyondkmp avatar Apr 03 '25 07:04 beyondkmp

So a couple notes:

  • I'm very adverse to committing binaries to this repo for tools that are meant to be downloaded on-demand (product requirement 1). They unnecessarily bloat the repo size - especially the size of the binaries this PR proposes to add.
  • I'm against not using official sources for binaries (product requirement 2)

In the current state, I'm not in favor of merging this PR.

@beyondkmp, what if I wrote a script that git clone Squirrel.Windows, applied your PR via a patch file (similar to how electron does when building from chromium), then published within the electron-builder-binaries repo? I'm thinking I need to revisit that repo to get binaries updated, but through an official always-reproducible GH action/build environment.

mmaietta avatar Apr 10 '25 23:04 mmaietta

@mmaietta I think it’s fine. I’ve already cloned it, and it can run successfully on GitHub Actions, and the build completes without issues. You can refer to this directly.

https://github.com/beyondkmp/Squirrel.Windows

beyondkmp avatar Apr 11 '25 00:04 beyondkmp

@beyondkmp if we were to use Squirrel.Windows distributed via electron-builder-binaries (once I get a CI/CD set up there), do you think we'd need to revert the electron-winstaller changes back to the previous implementation then?

mmaietta avatar Apr 11 '25 18:04 mmaietta

It probably won't work well, as the newer version of Squirrel Windows has changed some things. My suggestion is still to use the Windows Installer. When there’s a new version, it can be synced directly. If we use our own implementation, some issues may not be synced in time.

beyondkmp avatar Apr 13 '25 02:04 beyondkmp

You can refer to this directly. https://github.com/beyondkmp/Squirrel.Windows

I'm against using a fork for the project.

I'd rather git clone the source repo in a build container, apply your changes as a patch file, then build the artifact fresh for Squirrel.Windows within the build container/runner, which then would be published directly from electron-builder-binaries. (I actually have this approach ready in my current work on the electron-builder-binaries CI pipeline) Is it possible to provide our own vendor dir for electron-winstaller? And/or leverage our own signing flow or something like that?

If changes are needed in a dedicated electron/* repo, I can definitely sync up with the electronHQ folks to discuss the topic live during one of our biweekly syncs

mmaietta avatar Apr 17 '25 19:04 mmaietta

What I mean is that you can refer to how this fork uses actions to automatically generate builds, rather than saying that you should use this fork directly.

beyondkmp avatar Apr 17 '25 23:04 beyondkmp

The purpose of electron-builder-binaries is to provide vendor files on-demand based on the use-case/packaging targets required for a build. I'm against committing any vendor files to this project directly. Willing to make exceptions though, just not for files that are measured in megabytes

mmaietta avatar Apr 18 '25 16:04 mmaietta

The purpose of electron-builder-binaries is to provide vendor files on-demand based on the use-case/packaging targets required for a build. I'm against committing any vendor files to this project directly. Willing to make exceptions though, just not for files that are measured in megabytes

ok, got it. I'll set it to draft status first, and once the Squirrel.Windows update in electron-builder-binaries is complete, we can come back to update this PR.

beyondkmp avatar Apr 21 '25 02:04 beyondkmp

@beyondkmp new squirrel.windows in electron-builder-binaries with your patch applied can be found in this "compile" PR. (The CI/CD takes care of generating and committing the artifacts post-merge of the PR through Changesets GHA) https://github.com/electron-userland/electron-builder-binaries/pull/67

mmaietta avatar May 21 '25 05:05 mmaietta

[email protected] using Squirrel 2.0.1 artifact has been released

mmaietta avatar May 23 '25 17:05 mmaietta

Hey @beyondkmp - any light at the end of this tunnel?

t3chguy avatar Jul 16 '25 08:07 t3chguy

@mmaietta Please help review again when you have a chance.

beyondkmp avatar Jul 17 '25 06:07 beyondkmp