Support for Azure Trusted Signing in Electron Builder

[iliakolev]

• Electron-Builder Version: 24.13.3

• Node Version: 18.16.0

• Electron Version: 31.0.2
• Electron Type (current, beta, nightly): electron-updater: 6.2.1

• Target: Windows

I'm inquiring about the possibility of integrating Azure Trusted Signing within the Electron Builder workflow. Currently, my build process involves:

1. Signing the executable using the azure/trusted-signing-action@v0.3.20 GitHub Action.
2. Packaging and releasing the signed executable, ensuring auto-update functionality with s3 provider.

If you could provide guidance on how to integrate Azure Trusted Signing more seamlessly with Electron Builder or if there are plans to support this in the future, it would be greatly appreciated.

Thank you for your time and assistance.

[mmaietta]

I guess a lot of those powershell commands could be copy-pasted/translated into electron-builder's signing workflow, but if any updates happen to that github action, they won't be propagated into electron-builder without someone opening an issue here. Would that be a problem?

[jmeinke]

We're also interested in this. There is a nice guide for implementation of trusted EV code signing using Azure here: https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/

Basically, we'd need to call the action multiple times:

1. on the executable files after they have been built
2. on the installer executable after everything has been packaged in

Currently, it seems that steps 1 and 2 are done in one action and therefore it's not possible to execute code signing after each of the steps using the GitHub action, right?

[MikeJerred]

From the github action code it looks like a powershell script that installs the TrustedSigning module and then invokes it with appropriate params is all that is required:

Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery
Invoke-TrustedSigning @params

This should be possible to add to electron-builder with some extra env vars?

[mmaietta]

I quickly put together a basic copy of the action code for an afterSign hook, which maybe you'd be able to test with.

Basically, we skip the signing stage for the regular signing process. Instead, we leverage the afterSign for running the powershell commands.

Would you be willing to do some investigating from there? Not sure if the params need to be passed in as a var or as a literal string. I don't have any azure account to test this myself

// electron-builder-config.ts
import { AfterPackContext, Configuration } from "app-builder-lib"
import { CustomWindowsSignTaskConfiguration } from "app-builder-lib/out/codeSign/windowsCodeSign"
import { WinPackager } from "app-builder-lib/out/winPackager"
import { execFile } from "child_process"

// Configuration object
export default {
     // base configuration
     win: {
        // block signing
        sign: (_configuration: CustomWindowsSignTaskConfiguration, _packager: WinPackager | undefined) => {
            return Promise.resolve()
        }
    },
    afterSign: async (context: AfterPackContext) => {
        await new Promise((resolve, reject) => execFile(
            `chcp 65001 >NUL & powershell.exe`,
            ["-Name", "TrustedSigning", "-RequiredVersion", "0.4.1", "-Force", "-Repository", "PSGallery",],
            {
                shell: true,
                timeout: 60 * 1000,
            },
            (error, stdout, stderr) => {
                if (error || stderr) {
                    reject(error?.message || stderr)
                }
                resolve(stdout)
            }
        ))

        // requires the following env vars also set:
        // AZURE_TENANT_ID
        // AZURE_CLIENT_ID
        // AZURE_CLIENT_SECRET
        // AZURE_CLIENT_CERTIFICATE_PATH
        // AZURE_CLIENT_SEND_CERTIFICATE_CHAIN
        // AZURE_USERNAME
        // AZURE_PASSWORD

        const params: any = {}
        // Variables you can define
        const trustedSigningAccountName = undefined
        const certificateProfileName = undefined
        const files = undefined
        const filesFolder = undefined
        const filesFolderFilter = undefined
        const filesFolderRecurse = false // boolean
        const filesFolderDepth = undefined // integer
        const filesCatalog = undefined
        const fileDigest = undefined
        const timestampRfc3161 = undefined
        const timestampDigest = undefined
        const appendSignature = false // boolean
        const description = undefined
        const descriptionUrl = undefined
        const generateDigestPath = undefined
        const generateDigestXml = false // boolean
        const ingestDigestPath = undefined
        const signDigest = false // boolean
        const generatePageHashes = false // boolean
        const suppressPageHashes = false // boolean
        const generatePkcs7 = false // boolean
        const pkcs7Options = undefined
        const pkcs7Oid = undefined
        const enhancedKeyUsage = undefined
        const excludeEnvironmentCredential = false // boolean
        const excludeWorkloadIdentityCredential = false // boolean
        const excludeManagedIdentityCredential = false // boolean
        const excludeSharedTokenCacheCredential = false // boolean
        const excludeVisualStudioCredential = false // boolean
        const excludeVisualStudioCodeCredential = false // boolean
        const excludeAzureCliCredential = false // boolean
        const excludeAzurePowerShellCredential = false // boolean
        const excludeAzureDeveloperCliCredential = false // boolean
        const excludeInteractiveBrowserCredential = false // boolean
        const timeout = undefined // integer
        const batchSize = undefined // integer

        const notNullOrEmptyString = (value: any) => {
            if (typeof value === 'string') {
                return value.trim().length !== 0
            }
            return value !== undefined || value !== null
        }
        if (notNullOrEmptyString(trustedSigningAccountName)) {
            params.CodeSigningAccountName = trustedSigningAccountName
        }
        if (notNullOrEmptyString(certificateProfileName)) {
            params.CertificateProfileName = certificateProfileName
        }
        if (notNullOrEmptyString(files)) {
            params.Files = files
        }
        if (notNullOrEmptyString(filesFolder)) {
            params.FilesFolder = filesFolder
        }
        if (notNullOrEmptyString(filesFolderFilter)) {
            params.FilesFolderFilter = filesFolderFilter
        }
        if (notNullOrEmptyString(filesFolderRecurse)) {
            params.FilesFolderRecurse = filesFolderRecurse // boolean
        }
        if (notNullOrEmptyString(filesFolderDepth)) {
            params.FilesFolderDepth = filesFolderDepth // integer
        }
        if (notNullOrEmptyString(filesCatalog)) {
            params.FilesCatalog = filesCatalog
        }
        if (notNullOrEmptyString(fileDigest)) {
            params.FileDigest = fileDigest
        }
        if (notNullOrEmptyString(timestampRfc3161)) {
            params.TimestampRfc3161 = timestampRfc3161
        }
        if (notNullOrEmptyString(timestampDigest)) {
            params.TimestampDigest = timestampDigest
        }
        if (notNullOrEmptyString(appendSignature)) {
            params.AppendSignature = appendSignature // boolean
        }
        if (notNullOrEmptyString(description)) {
            params.Description = description
        }
        if (notNullOrEmptyString(descriptionUrl)) {
            params.DescriptionUrl = descriptionUrl
        }
        if (notNullOrEmptyString(generateDigestPath)) {
            params.GenerateDigestPath = generateDigestPath
        }
        if (notNullOrEmptyString(generateDigestXml)) {
            params.GenerateDigestXml = generateDigestXml // boolean
        }
        if (notNullOrEmptyString(ingestDigestPath)) {
            params.IngestDigestPath = ingestDigestPath
        }
        if (notNullOrEmptyString(signDigest)) {
            params.SignDigest = signDigest // boolean
        }
        if (notNullOrEmptyString(generatePageHashes)) {
            params.GeneratePageHashes = generatePageHashes // boolean
        }
        if (notNullOrEmptyString(suppressPageHashes)) {
            params.SuppressPageHashes = suppressPageHashes // boolean
        }
        if (notNullOrEmptyString(generatePkcs7)) {
            params.GeneratePkcs7 = generatePkcs7 // boolean
        }
        if (notNullOrEmptyString(pkcs7Options)) {
            params.Pkcs7Options = pkcs7Options
        }
        if (notNullOrEmptyString(pkcs7Oid)) {
            params.Pkcs7Oid = pkcs7Oid
        }
        if (notNullOrEmptyString(enhancedKeyUsage)) {
            params.EnhancedKeyUsage = enhancedKeyUsage
        }
        if (notNullOrEmptyString(excludeEnvironmentCredential)) {
            params.ExcludeEnvironmentCredential = excludeEnvironmentCredential // boolean
        }
        if (notNullOrEmptyString(excludeWorkloadIdentityCredential)) {
            params.ExcludeWorkloadIdentityCredential = excludeWorkloadIdentityCredential // boolean
        }
        if (notNullOrEmptyString(excludeManagedIdentityCredential)) {
            params.ExcludeManagedIdentityCredential = excludeManagedIdentityCredential // boolean
        }
        if (notNullOrEmptyString(excludeSharedTokenCacheCredential)) {
            params.ExcludeSharedTokenCacheCredential = excludeSharedTokenCacheCredential // boolean
        }
        if (notNullOrEmptyString(excludeVisualStudioCredential)) {
            params.ExcludeVisualStudioCredential = excludeVisualStudioCredential // boolean
        }
        if (notNullOrEmptyString(excludeVisualStudioCodeCredential)) {
            params.ExcludeVisualStudioCodeCredential = excludeVisualStudioCodeCredential // boolean
        }
        if (notNullOrEmptyString(excludeAzureCliCredential)) {
            params.ExcludeAzureCliCredential = excludeAzureCliCredential // boolean
        }
        if (notNullOrEmptyString(excludeAzurePowerShellCredential)) {
            params.ExcludeAzurePowerShellCredential = excludeAzurePowerShellCredential // boolean
        }
        if (notNullOrEmptyString(excludeAzureDeveloperCliCredential)) {
            params.ExcludeAzureDeveloperCliCredential = excludeAzureDeveloperCliCredential // boolean
        }
        if (notNullOrEmptyString(excludeInteractiveBrowserCredential)) {
            params.ExcludeInteractiveBrowserCredential = excludeInteractiveBrowserCredential // boolean
        }
        if (notNullOrEmptyString(timeout)) {
            params.Timeout = timeout // integer
        }
        if (notNullOrEmptyString(batchSize)) {
            params.BatchSize = batchSize // integer
        }
        await new Promise((resolve, reject) => execFile(
            `chcp 65001 >NUL & powershell.exe`,
            ["Invoke-TrustedSigning", params],
            {
                shell: true,
                timeout: 60 * 1000,
            },
            (error, stdout, stderr) => {
                if (error || stderr) {
                    reject(error?.message || stderr)
                }
                resolve(stdout)
            }
        ))
    },
}

[MikeJerred]

Can confirm that this approach works! Here is what I ended up using:

electron-builder.yml:

...
afterSign: ./scripts/after-sign.js

win:
  sign: ./scripts/nop.js

scripts/after-sign.js:

const { spawnSync } = require('node:child_process');

exports.default = async function sign(context) {
  spawnSync(
    'powershell.exe',
    ['Install-Module', '-Name', 'TrustedSigning', '-RequiredVersion', '0.4.1', '-Force', '-Repository', 'PSGallery'],
    { shell: true, stdio: 'inherit' },
  );

  const params = {
    Endpoint: 'https://eus.codesigning.azure.net/',
    CodeSigningAccountName: '<code signing account name>',
    CertificateProfileName: '<certificate profile name>',
    FilesFolder: context.appOutDir,
    FilesFolderFilter: 'exe,dll',
    FileDigest: 'SHA256',
    TimestampRfc3161: 'http://timestamp.acs.microsoft.com',
    TimestampDigest: 'SHA256',
  };
  spawnSync('powershell.exe', ['Invoke-TrustedSigning', params], { shell: true, stdio: 'inherit' });
};

scripts/nop.js:

exports.default = async function nop() {};

[jmeinke]

@MikeJerred Wouldn't your proposed solution result in only the packaged executables being signed, not the installer (e.g. NSIS executable file) that results from the packaging process? It seems that the after-sign.js is not executed after the installer has been compiled.

Another problem I've spotted: When testing your script, I received the following output + Invoke-TrustedSigning [object Object] plus an error about missing mandatory parameters. It seems to me that passing a compiled string might work better (but still have to test it myself):

    const paramsString = Object.keys(params).map(key => ` -${key} ${params[key]}`).join('');
    spawnSync('powershell.exe', ['Invoke-TrustedSigning', paramsString], { shell: true, stdio: 'inherit' });

[OrganicChem]

I just received confirmation from MS that I have approval for the trusted signing cert. Based on some of the above hacks, I may have to skip Windows signing and use a signtool manually since installers as well as app needs to be signed.

[jmeinke]

Signing the installer after the electron-builder packing process during and extra build step results in wrong sha512 hashes in the resulting update YAML files.

[OrganicChem]

I've managed to get this signed with my own script during the build...all executables checkout out nicely. Gone are the days of EV certs.

[mmaietta]

I'm looking into implementing this in electron-builder, but won't have a way to test (as I don't have any Azure account). So if anyone is willing, I'd be happy to supply a patch-package patch for testing out my implementation.

What are the required params for Invoke-TrustedSigning?
Just these?

  const params = {
    Endpoint: 'https://eus.codesigning.azure.net/',
    CodeSigningAccountName: '<code signing account name>',
    CertificateProfileName: '<certificate profile name>',
    FilesFolder: context.appOutDir,
    FilesFolderFilter: 'exe,dll',
    FileDigest: 'SHA256',
    TimestampRfc3161: 'http://timestamp.acs.microsoft.com',
    TimestampDigest: 'SHA256',
  };

I also see this example configuration here: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

  "Endpoint": "<Trusted Signing account endpoint>",
  "CodeSigningAccountName": "<Trusted Signing account name>",
  "CertificateProfileName": "<Certificate profile name>",

Reason I ask is to see if there are any default values I can apply or using enums (for things like TimestampDigest) where it probably doesn't have to be a basic string property.

[MikeJerred]

I'm looking into implementing this in electron-builder, but won't have a way to test (as I don't have any Azure account). So if anyone is willing, I'd be happy to supply a patch-package patch for testing out my implementation.

What are the required params for Invoke-TrustedSigning? Just these?

  const params = {
    Endpoint: 'https://eus.codesigning.azure.net/',
    CodeSigningAccountName: '<code signing account name>',
    CertificateProfileName: '<certificate profile name>',
    FilesFolder: context.appOutDir,
    FilesFolderFilter: 'exe,dll',
    FileDigest: 'SHA256',
    TimestampRfc3161: 'http://timestamp.acs.microsoft.com',
    TimestampDigest: 'SHA256',
  };

I also see this example configuration here: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

  "Endpoint": "<Trusted Signing account endpoint>",
  "CodeSigningAccountName": "<Trusted Signing account name>",
  "CertificateProfileName": "<Certificate profile name>",

Reason I ask is to see if there are any default values I can apply or using enums (for things like TimestampDigest) where it probably doesn't have to be a basic string property.

I am happy to help with testing. Those params (plus the azure auth env vars) were enough for the signing to complete without errors when I tried it.

[mmaietta]

Okay, nvm, the patch is too large. My best recommendation is cloning electron-builder, pulling this PR #8458 via gh pr checkout 8458 or checkout branch azure-signing, compile with pnpm compile, and copy the compiled files into your project directly.
Example setup: https://github.com/electron-userland/electron-builder/blob/master/CONTRIBUTING.md#to-setup-a-local-dev-environment

From there, the configuration is within win.azureOptions (other name suggestions are welcome). I took the minimal required fields I could find in the Azure docs, then left it open with [k: string]: string for custom usage scenarios

electron-builder/packages/app-builder-lib/src/options/winOptions.ts

Lines 178 to 202 in 0d24b78

	export interface WindowsAzureSigningConfiguration {
	/**
	* The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the
	* region your Trusted Signing Account and Certificate Profile you are specifying were created
	* in during the setup of these resources.
	*
	* Requires the following environment variables to be set:
	* AZURE_TENANT_ID
	* AZURE_CLIENT_ID
	* AZURE_CLIENT_SECRET
	* AZURE_CLIENT_CERTIFICATE_PATH
	* AZURE_CLIENT_SEND_CERTIFICATE_CHAIN
	* AZURE_USERNAME
	* AZURE_PASSWORD
	*/
	readonly Endpoint: string
	/**
	* The Certificate Profile name.
	*/
	readonly CertificateProfileName: string
	/**
	* Allow other CLI parameters (verbatim) to `Invoke-TrustedSigning`
	*/
	[k: string]: string
	}