Concurrency-bug when signing in GitHub Action

[OlaAlsaker]

• Electron-Builder Version: 26.0.0-alpha.3

• Node Version: v20

• Electron Version: ^28.0.0
• Electron Type (current, beta, nightly):

• Target: Windows

In my use-case, I have an Electron app with multiple .exe-resources, and I want to sign my app with Azure Trusted Signing inside of a GitHub Action.

This does however lead to an error:

Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.

The reason for this is pretty simple: electron-builder signs multiple files at the same time by default. Since we are running this inside of a GitHub Action, we need to install the TrustedSigning module each time we run the Action.

electron-builder/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts

Line 21 in 74d98d8

await vm.exec(ps, ["-NoProfile", "-NonInteractive", "-Command", "Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser"])

But since this installation-code is run on every sign (with Azure Trusted Signing), it means that it will run once for every file (in my case, 4 files) at the same time, meaning we will try to install the module 4 times at once. NuGet does not like this, and therefore throws an exception, making all the signing-processes fail.

Solution

As a test, I tried to monkey-patch these parts of app-builder-lib:

electron-builder/packages/app-builder-lib/src/winPackager.ts

Lines 270 to 283 in 74d98d8

	await BluebirdPromise.map(readdir(packContext.appOutDir), (file: string): any => {
	if (file === exeFileName) {
	return this.signAndEditResources(
	path.join(packContext.appOutDir, exeFileName),
	packContext.arch,
	packContext.outDir,
	path.basename(exeFileName, ".exe"),
	this.platformSpecificBuildOptions.requestedExecutionLevel
	)
	} else if (this.shouldSignFile(file)) {
	return this.sign(path.join(packContext.appOutDir, file))
	}
	return null
	})

electron-builder/packages/app-builder-lib/src/winPackager.ts

Lines 289 to 294 in 74d98d8

	const filesPromise = (filepath: string[]) => {
	const outDir = path.join(packContext.appOutDir, ...filepath)
	return walk(outDir, (file, stat) => stat.isDirectory() || this.shouldSignFile(file))
	}
	const filesToSign = await Promise.all([filesPromise(["resources", "app.asar.unpacked"]), filesPromise(["swiftshader"])])
	await BluebirdPromise.map(filesToSign.flat(1), file => this.sign(file), { concurrency: 4 })

I changed the code and made it await every this.sign – and that solved all my problems! 😄

NOTE! I also tried to change concurrency to 1, but that did not work.

I suppose there are multiple solutions to this, and I don't know which is best really.

Possible solutions

1. Add an option in configuration to disable concurrency in signing and implement this behavior
2. In Azure Trusted Signing, make sure that the initializeProviderModules is only run one time before the signing-processes start
3. Disable concurrency in signing by default

[mmaietta]

Are you seeing "installing required module (TrustedSigning) with scope CurrentUser" multiple times in the logs?

The azureSignManager is a Lazy var that is already a promise, so it only resolves once and I thought would only be executing this code once

  readonly azureSignManager = new Lazy(() =>
    Promise.resolve(new WindowsSignAzureManager(this)).then(async manager => {
      await manager.initializeProviderModules()
      return manager
    })
  )

[OlaAlsaker]

Yes, you are actually right. This message is only logged once:

installing required module (TrustedSigning) with scope CurrentUser

Then I assume that it is the pwsh.exe that automatically installs some missing packages:

  • identified pwsh.exe for executing code signing
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.20\win-ia32-unpacked\OpusComm.exe"
  • Above command failed, retrying 3 more times
  ⨯ Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.20\win-ia32-unpacked\Opus.DentalInfoIntegration.Client.exe"
Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.
MethodInvocationException: Exception calling "WriteAllLines" with "2" argument(s): "The requested operation cannot be performed on a file with a
user-mapped section open. :
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\metadata.json'"
Exception: SignTool failed with exit code 3

... and because pwsh.exe is ran 4 times at once, it will try to install the missing package(s) 4 times at once. So an option for disabling concurrency is probably the only solution then 😄

[mmaietta]

So it looks like there's a way to provide multiple files to the azure signing command. https://marketplace.visualstudio.com/items?itemName=VisualStudioClient.TrustedSigning

# A comma or newline separated list of absolute paths to the files being signed. Can be combined with the FilesFolder and FileCatalog inputs.
Files: '$(Build.SourcesDirectory)\files\app.dll,$(Build.SourcesDirectory)\files\app.exe'

Files: |
  $(Build.SourcesDirectory)\files\app.dll
  $(Build.SourcesDirectory)\files\app.exe

I'll see if I can refactor the signing logic flow for it to all be done all at once for azure signing as opposed to the signtool approach which requires it one at a time.

Would you be willing to try out a patch-package to test locally with your setup? Since Azure doesn't provide free TrustedSigning for open-source projects, I don't have a way to test the full flow on my side.

[mmaietta]

Please give this a shot. It queues all the azure signing files into a final finishSigning function that executes after all the "queued" signing logic has been set

The finishSigning method will also output logs of what files are being signed

log.info({ path: files.map(file => log.filePath(file)) }, "signing files with Azure Trusted Signing (beta)")

Patch file on top of 26-alpha.3
app-builder-lib+26.0.0-alpha.3.patch

diff --git a/node_modules/app-builder-lib/out/codeSign/signManager.js b/node_modules/app-builder-lib/out/codeSign/signManager.js
new file mode 100644
index 0000000..09883b3
--- /dev/null
+++ b/node_modules/app-builder-lib/out/codeSign/signManager.js
@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SignManager = void 0;
+class SignManager {
+    constructor(packager) {
+        this.packager = packager;
+    }
+}
+exports.SignManager = SignManager;
+//# sourceMappingURL=signManager.js.map
\ No newline at end of file
diff --git a/node_modules/app-builder-lib/out/codeSign/windowsCodeSign.js b/node_modules/app-builder-lib/out/codeSign/windowsCodeSign.js
index 8984a84..d405cf4 100644
--- a/node_modules/app-builder-lib/out/codeSign/windowsCodeSign.js
+++ b/node_modules/app-builder-lib/out/codeSign/windowsCodeSign.js
@@ -5,30 +5,31 @@ exports.getPSCmd = getPSCmd;
 const builder_util_1 = require("builder-util");
 async function signWindows(options, packager) {
     if (options.options.azureSignOptions) {
-        builder_util_1.log.info({ path: builder_util_1.log.filePath(options.path) }, "signing with Azure Trusted Signing (beta)");
-        return (await packager.azureSignManager.value).signUsingAzureTrustedSigning(options);
+        builder_util_1.log.info({ path: builder_util_1.log.filePath(options.path) }, "queue file signing with Azure Trusted Signing (beta)");
     }
-    builder_util_1.log.info({ path: builder_util_1.log.filePath(options.path) }, "signing with signtool.exe");
-    const deprecatedFields = {
-        sign: options.options.sign,
-        signDlls: options.options.signDlls,
-        signingHashAlgorithms: options.options.signingHashAlgorithms,
-        certificateFile: options.options.certificateFile,
-        certificatePassword: options.options.certificatePassword,
-        certificateSha1: options.options.certificateSha1,
-        certificateSubjectName: options.options.certificateSubjectName,
-        additionalCertificateFile: options.options.additionalCertificateFile,
-        rfc3161TimeStampServer: options.options.rfc3161TimeStampServer,
-        timeStampServer: options.options.timeStampServer,
-        publisherName: options.options.publisherName,
-    };
-    const fields = Object.entries(deprecatedFields)
-        .filter(([, value]) => !!value)
-        .map(([field]) => field);
-    if (fields.length) {
-        builder_util_1.log.warn({ fields, reason: "please move to win.signtoolOptions.<field_name>" }, `deprecated field`);
+    else {
+        builder_util_1.log.info({ path: builder_util_1.log.filePath(options.path) }, "signing with signtool.exe");
+        const deprecatedFields = {
+            sign: options.options.sign,
+            signDlls: options.options.signDlls,
+            signingHashAlgorithms: options.options.signingHashAlgorithms,
+            certificateFile: options.options.certificateFile,
+            certificatePassword: options.options.certificatePassword,
+            certificateSha1: options.options.certificateSha1,
+            certificateSubjectName: options.options.certificateSubjectName,
+            additionalCertificateFile: options.options.additionalCertificateFile,
+            rfc3161TimeStampServer: options.options.rfc3161TimeStampServer,
+            timeStampServer: options.options.timeStampServer,
+            publisherName: options.options.publisherName,
+        };
+        const fields = Object.entries(deprecatedFields)
+            .filter(([, value]) => !!value)
+            .map(([field]) => field);
+        if (fields.length) {
+            builder_util_1.log.warn({ fields, reason: "please move to win.signtoolOptions.<field_name>" }, `deprecated field`);
+        }
     }
-    return (await packager.signtoolManager.value).signUsingSigntool(options);
+    return (await packager.signManager).signUsingTool(options);
 }
 async function getPSCmd(vm) {
     return await vm
diff --git a/node_modules/app-builder-lib/out/codeSign/windowsSignAzureManager.js b/node_modules/app-builder-lib/out/codeSign/windowsSignAzureManager.js
index c150786..9ab481d 100644
--- a/node_modules/app-builder-lib/out/codeSign/windowsSignAzureManager.js
+++ b/node_modules/app-builder-lib/out/codeSign/windowsSignAzureManager.js
@@ -3,9 +3,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.WindowsSignAzureManager = void 0;
 const builder_util_1 = require("builder-util");
 const windowsCodeSign_1 = require("./windowsCodeSign");
-class WindowsSignAzureManager {
+const signManager_1 = require("./signManager");
+class WindowsSignAzureManager extends signManager_1.SignManager {
     constructor(packager) {
-        this.packager = packager;
+        super(packager);
+        this.filesToSign = new Set();
     }
     async initializeProviderModules() {
         const vm = await this.packager.vm.value;
@@ -66,18 +68,24 @@ class WindowsSignAzureManager {
         }
         return true;
     }
+    signUsingTool(options) {
+        this.filesToSign.add(options.path);
+        return Promise.resolve(true);
+    }
     // prerequisite: requires `initializeProviderModules` to already have been executed
-    async signUsingAzureTrustedSigning(options) {
+    async finishSigning() {
         const vm = await this.packager.vm.value;
         const ps = await (0, windowsCodeSign_1.getPSCmd)(vm);
-        const { endpoint, certificateProfileName, codeSigningAccountName, ...extraSigningArgs } = options.options.azureSignOptions;
+        const { endpoint, certificateProfileName, codeSigningAccountName, ...extraSigningArgs } = this.packager.platformSpecificBuildOptions.azureSignOptions;
+        const files = Array.from(this.filesToSign);
+        builder_util_1.log.info({ path: files.map(file => builder_util_1.log.filePath(file)) }, "signing files with Azure Trusted Signing (beta)");
         const params = {
             FileDigest: "SHA256",
             ...extraSigningArgs, // allows overriding FileDigest if provided in config
             Endpoint: endpoint,
             CertificateProfileName: certificateProfileName,
             CodeSigningAccountName: codeSigningAccountName,
-            Files: `"${options.path}"`,
+            Files: `"${files.join(",")}"`,
         };
         const paramsString = Object.entries(params)
             .reduce((res, [field, value]) => {
diff --git a/node_modules/app-builder-lib/out/codeSign/windowsSignToolManager.js b/node_modules/app-builder-lib/out/codeSign/windowsSignToolManager.js
index 53f4c55..2c8b573 100644
--- a/node_modules/app-builder-lib/out/codeSign/windowsSignToolManager.js
+++ b/node_modules/app-builder-lib/out/codeSign/windowsSignToolManager.js
@@ -18,11 +18,13 @@ const windowsCodeSign_1 = require("./windowsCodeSign");
 const builder_util_runtime_1 = require("builder-util-runtime");
 const lazy_val_1 = require("lazy-val");
 const codesign_1 = require("./codesign");
+const signManager_1 = require("./signManager");
 function getSignVendorPath() {
     return (0, binDownload_1.getBin)("winCodeSign");
 }
-class WindowsSignToolManager {
+class WindowsSignToolManager extends signManager_1.SignManager {
     constructor(packager) {
+        super(packager);
         this.packager = packager;
         this.computedPublisherName = new lazy_val_1.Lazy(async () => {
             var _a;
@@ -104,7 +106,7 @@ class WindowsSignToolManager {
         });
         this.platformSpecificBuildOptions = packager.platformSpecificBuildOptions;
     }
-    async signUsingSigntool(options) {
+    async signUsingTool(options) {
         var _a, _b;
         let hashes = (0, platformPackager_1.chooseNotNull)((_a = options.options.signtoolOptions) === null || _a === void 0 ? void 0 : _a.signingHashAlgorithms, options.options.signingHashAlgorithms);
         // msi does not support dual-signing
@@ -164,6 +166,9 @@ class WindowsSignToolManager {
         }
         return true;
     }
+    finishSigning() {
+        return Promise.resolve(true);
+    }
     async getCertInfo(file, password) {
         let result = null;
         const errorMessagePrefix = "Cannot extract publisher name from code signing certificate. As workaround, set win.publisherName. Error: ";
diff --git a/node_modules/app-builder-lib/out/util/yarn.js b/node_modules/app-builder-lib/out/util/yarn.js
index b9ee61d..a86d2f4 100644
--- a/node_modules/app-builder-lib/out/util/yarn.js
+++ b/node_modules/app-builder-lib/out/util/yarn.js
@@ -158,6 +158,7 @@ async function rebuild(config, appDir, options) {
     const logInfo = {
         electronVersion,
         arch,
+        platform,
         buildFromSource,
         appDir: builder_util_1.log.filePath(appDir) || "./",
     };
diff --git a/node_modules/app-builder-lib/out/winPackager.js b/node_modules/app-builder-lib/out/winPackager.js
index 8c622a7..ef0c7e5 100644
--- a/node_modules/app-builder-lib/out/winPackager.js
+++ b/node_modules/app-builder-lib/out/winPackager.js
@@ -23,6 +23,9 @@ const wine_1 = require("./wine");
 const windowsCodeSign_1 = require("./codeSign/windowsCodeSign");
 const windowsSignAzureManager_1 = require("./codeSign/windowsSignAzureManager");
 class WinPackager extends platformPackager_1.PlatformPackager {
+    get signManager() {
+        return this.platformSpecificBuildOptions.azureSignOptions != null ? this.azureSignManager.value : this.signtoolManager.value;
+    }
     get isForceCodeSigningVerification() {
         return this.platformSpecificBuildOptions.verifyUpdateCodeSignature !== false;
     }
@@ -232,7 +235,7 @@ class WinPackager extends platformPackager_1.PlatformPackager {
         };
         const filesToSign = await Promise.all([filesPromise(["resources", "app.asar.unpacked"]), filesPromise(["swiftshader"])]);
         await bluebird_lst_1.default.map(filesToSign.flat(1), file => this.sign(file), { concurrency: 4 });
-        return true;
+        return (await this.signManager).finishSigning();
     }
 }
 exports.WinPackager = WinPackager;

[mmaietta]

@MikeJerred have you run into this issue before/yet by chance?

[MikeJerred]

@MikeJerred have you run into this issue before/yet by chance?

Hi, yes I did run into this issue as well! I was able to resolve it by installing the trusted signing module myself in the github action before calling electron-builder, but it would be better to not need to do that.

[mmaietta]

Alright, opened a draft PR to see if we can get this working. It also adds a 10sec retry with 10sec backoff for specifically when the error message includes "being used by another process"

[OlaAlsaker]

@mmaietta, I can confirm that the patch you provided works perfectly 😄

[OlaAlsaker]

@mmaietta, I can confirm that the patch you provided works perfectly 😄

Ah, I was a bit quick there. The action does not fail, but it does not sign stuff either. In the log it seems like it queues everything, but after that, nothing happens.

 • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\win-ia32-unpacked\dentalcomm.exe
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\win-ia32-unpacked\Opus.DentalInfoIntegration.Client.exe
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\win-ia32-unpacked\OpusComm.exe
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
  • installing required module (TrustedSigning) with scope CurrentUser
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=645ms
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\win-ia32-unpacked\Dental Info.exe
  • verifying env vars for authenticating to Microsoft Entra ID
  • signing files with Azure Trusted Signing (beta)  path=["release\\7.1.21\\win-ia32-unpacked\\dentalcomm.exe","release\\7.1.21\\win-ia32-unpacked\\Opus.DentalInfoIntegration.Client.exe","release\\7.1.21\\win-ia32-unpacked\\OpusComm.exe","release\\7.1.21\\win-ia32-unpacked\\Dental Info.exe"]
  • building        target=nsis file=release\7.1.21\Install Dental Info 7.1.21.exe archs=ia32 oneClick=false perMachine=true
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=199ms
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\win-ia32-unpacked\resources\elevate.exe
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=192ms
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\__uninstaller-nsis-app-dental-info.exe
  • queue file signing with Azure Trusted Signing (beta)  path=release\7.1.21\Install Dental Info 7.1.21.exe
  • building block map  blockMapFile=release\7.1.21\Install Dental Info 7.1.21.exe.blockmap
Done in 240.86s.

[mmaietta]

So it does look like it is signing some of the files based off this line, meaning finishSigning is being called in one location.

  • signing files with Azure Trusted Signing (beta)  path=["release\\7.1.21\\win-ia32-unpacked\\dentalcomm.exe","release\\7.1.21\\win-ia32-unpacked\\Opus.DentalInfoIntegration.Client.exe","release\\7.1.21\\win-ia32-unpacked\\OpusComm.exe","release\\7.1.21\\win-ia32-unpacked\\Dental Info.exe"]

The main problem I see here is that the paths are supposed to be absolute paths I think, but I don't see why since this code literally joins the paths
[EDIT], nvm, I'm already pruning off the absolute path just for logging:

electron-builder/packages/app-builder-lib/src/codeSign/windowsSignAzureManager.ts

Line 96 in 2c75f81

log.info({ files: files.map(file => log.filePath(file)) }, "signing files with Azure Trusted Signing (beta)")

And the latter signing stages must be missing a finishSigning call for the uninstaller, elevate, and combined installer.

Let me whip up another patch for you

[mmaietta]

Holy moly, that code is littered all throughout the windows code logic. Looking at the logic, especially for signtool, I think it also requires an order of operations, meaning that each nested file is signed multiple times as it gets embedded in the final exe (main app, elevate, uninstaller => installer). Just to play it safe, I think the conditional concurrency approach might be best.

Can you try this patch?

diff --git a/node_modules/app-builder-lib/out/winPackager.js b/node_modules/app-builder-lib/out/winPackager.js
index 8c622a7..d91d053 100644
--- a/node_modules/app-builder-lib/out/winPackager.js
+++ b/node_modules/app-builder-lib/out/winPackager.js
@@ -23,6 +23,9 @@ const wine_1 = require("./wine");
 const windowsCodeSign_1 = require("./codeSign/windowsCodeSign");
 const windowsSignAzureManager_1 = require("./codeSign/windowsSignAzureManager");
 class WinPackager extends platformPackager_1.PlatformPackager {
+    get canSignConcurrently() {
+        return this.platformSpecificBuildOptions.azureSignOptions == null;
+    }
     get isForceCodeSigningVerification() {
         return this.platformSpecificBuildOptions.verifyUpdateCodeSignature !== false;
     }
@@ -231,7 +234,15 @@ class WinPackager extends platformPackager_1.PlatformPackager {
             return (0, builder_util_1.walk)(outDir, (file, stat) => stat.isDirectory() || this.shouldSignFile(file));
         };
         const filesToSign = await Promise.all([filesPromise(["resources", "app.asar.unpacked"]), filesPromise(["swiftshader"])]);
-        await bluebird_lst_1.default.map(filesToSign.flat(1), file => this.sign(file), { concurrency: 4 });
+        const filesList = filesToSign.flat(1);
+        if (this.canSignConcurrently) {
+            await bluebird_lst_1.default.map(filesList, file => this.sign(file), { concurrency: 4 });
+        }
+        else {
+            for await (const file of filesList) {
+                await this.sign(file);
+            }
+        }
         return true;
     }
 }

[mmaietta]

@OlaAlsaker friendly ping here when you have a chance to test the patch-package. 🙂 I have another PR fix for azure trusted signing and was hoping I could get both of these fixes in together in the next release

[OlaAlsaker]

Just tested, does not work, unfortunately.

Logs

• signing with Azure Trusted Signing (beta)  path=release\7.1.22\win-ia32-unpacked\Dental Info.exe
  • unable to install PackageProvider Nuget. Might be a false alarm though as some systems already have it installed  message=Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser
Install-PackageProvider: No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
                                                                                                                        Install-PackageProvider: No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Install-Module -Name TrustedSigning -RequiredVersion 0.4.1 -Force -Repository PSGallery -Scope CurrentUser
  • executed        file=pwsh.exe
  • verifying env vars for authenticating to Microsoft Entra ID
  • executing       file=powershell.exe args=-NoProfile -NonInteractive -Command Get-Command pwsh.exe
  • executing       file=powershell.exe args=-NoProfile -NonInteractive -Command Get-Command pwsh.exe
  • executing       file=powershell.exe args=-NoProfile -NonInteractive -Command Get-Command pwsh.exe
  • executing       file=powershell.exe args=-NoProfile -NonInteractive -Command Get-Command pwsh.exe
  • executed        file=powershell.exe stdout=
CommandType     Name                                               Version    Source                                   
-----------     ----                                               -------    ------                                   
Application     pwsh.exe                                           7.4.5.0    C:\Program Files\PowerShell\7\pwsh.exe   
                      
  • identified pwsh.exe for executing code signing
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\Dental Info.exe"
  • executed        file=powershell.exe stdout=
CommandType     Name                                               Version    Source                                   
-----------     ----                                               -------    ------                                   
Application     pwsh.exe                                           7.4.5.0    C:\Program Files\PowerShell\7\pwsh.exe   
                      
  • identified pwsh.exe for executing code signing
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\Opus.DentalInfoIntegration.Client.exe"
  • executed        file=powershell.exe stdout=
CommandType     Name                                               Version    Source                                   
-----------     ----                                               -------    ------                                   
Application     pwsh.exe                                           7.4.5.0    C:\Program Files\PowerShell\7\pwsh.exe   
                      
  • identified pwsh.exe for executing code signing
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe"
  • executed        file=powershell.exe stdout=
CommandType     Name                                               Version    Source                                   
-----------     ----                                               -------    ------                                   
Application     pwsh.exe                                           7.4.5.0    C:\Program Files\PowerShell\7\pwsh.exe   
                      
  • identified pwsh.exe for executing code signing
  • executing       file=pwsh.exe args=-NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\OpusComm.exe"
  • Above command failed, retrying 3 more times
  • Above command failed, retrying 3 more times
  ⨯ Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe"
Install-Package: Package 'Microsoft.Windows.SDK.BuildTools' failed to be installed because: Value cannot be null.
Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.
MethodInvocationException: Exception calling "WriteAllLines" with "2" argument(s): "The requested operation cannot be performed on a file with a
user-mapped section open. :
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\metadata.json'"
Exception: SignTool failed with exit code 3
Checking for required dependencies.
	Build tools package installed: False
	Trusted signing package installed: False
	Installing required dependencies.
		Found existing package source: https://www.nuget.org/api/v2/
		Installing package: Microsoft.Windows.SDK.BuildTools 10.0.22621.3233
WARNING: Source Location 'https://www.nuget.org/api/v2/package/Microsoft.Windows.SDK.BuildTools/10.0.22621.3233' is not valid.
		Installing package: Microsoft.Trusted.Signing.Client 1.0.53
Creating metadata file: C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\metadata.json
Getting the list of files to be signed.
	Getting files from list.
	Listed files: 1
		D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe
	No files folder was provided.
	Filtered files: 0
	No catalog file was provided.
	Catalog files: 0
Formatting the list of files to be signed.
Batching the list of files to be signed.
Signing file batch 1 of 1.
	Executing signtool.exe: C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Windows.SDK.BuildTools\Microsoft.Windows.SDK.BuildTools.10.0.22621.3233\bin\10.0.22621.0\x64\signtool.exe sign /v /debug /fd SHA256 /dlib "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\metadata.json" "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe"
Install-Package: Package 'Microsoft.Windows.SDK.BuildTools' failed to be installed because: Value cannot be null.
Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.
MethodInvocationException: Exception calling "WriteAllLines" with "2" argument(s): "The requested operation cannot be performed on a file with a
user-mapped section open. :
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\metadata.json'"
Exception: SignTool failed with exit code 3
  failedTask=build stackTrace=Error: Exit code: 1. Command failed: pwsh.exe -NoProfile -NonInteractive -Command Invoke-TrustedSigning -FileDigest SHA256 -Endpoint https://neu.codesigning.azure.net/ -CertificateProfileName cp-dentalinfo -CodeSigningAccountName tsa-dentalinfo-app -Files "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe"
Install-Package: Package 'Microsoft.Windows.SDK.BuildTools' failed to be installed because: Value cannot be null.
Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.
MethodInvocationException: Exception calling "WriteAllLines" with "2" argument(s): "The requested operation cannot be performed on a file with a
user-mapped section open. :
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\metadata.json'"
Exception: SignTool failed with exit code 3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
	Build tools package installed: False
	Trusted signing package installed: False
	Installing required dependencies.
		Found existing package source: https://www.nuget.org/api/v2/
		Installing package: Microsoft.Windows.SDK.BuildTools 10.0.22621.3233
WARNING: Source Location 'https://www.nuget.org/api/v2/package/Microsoft.Windows.SDK.BuildTools/10.0.22621.3233' is not valid.
		Installing package: Microsoft.Trusted.Signing.Client 1.0.53
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
	Getting files from list.
	Listed files: 1
		D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
	Filtered files: 0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
	Catalog files: 0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
	Executing signtool.exe: C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Windows.SDK.BuildTools\Microsoft.Windows.SDK.BuildTools.10.0.22621.3233\bin\10.0.22621.0\x64\signtool.exe sign /v /debug /fd SHA256 /dlib "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0.53\bin\x64\metadata.json" "D:\a\dental-info\dental-info\clients\app\release\7.1.22\win-ia32-unpacked\dentalcomm.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
Install-Package: Package 'Microsoft.Trusted.Signing.Client' failed to be installed because: The process cannot access the file
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\Azure.CodeSigning.Dlib.dll' because it is being used by another process.
MethodInvocationException: Exception calling "WriteAllLines" with "2" argument(s): "The requested operation cannot be performed on a file with a
user-mapped section open. :
'C:\Users\runneradmin\AppData\Local\TrustedSigning\Microsoft.Trusted.Signing.Client\Microsoft.Trusted.Signing.Client.1.0
.53\bin\x64\metadata.json'"
Exception: SignTool failed with exit code 3
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
    at ChildProcess.exithandler (node:child_process:430:5)
    at ChildProcess.emit (node:events:519:28)
    at maybeClose (node:internal/child_process:1105:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:305:5)
From previous event:
    at processImmediate (node:internal/timers:483:21)
From previous event:
    at WinPackager.signApp (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\winPackager.ts:279:8)
    at WinPackager.doSignAfterPack (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\platformPackager.ts:414:32)
    at WinPackager.doPack (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\platformPackager.ts:340:7)
    at WinPackager.pack (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\platformPackager.ts:141:5)
    at Packager.doBuild (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\packager.ts:459:9)
    at executeFinally (D:\a\dental-info\dental-info\clients\app\node_modules\builder-util\src\promise.ts:12:14)
    at Packager.build (D:\a\dental-info\dental-info\clients\app\node_modules\app-builder-lib\src\packager.ts:393:31)
    at executeFinally (D:\a\dental-info\dental-info\clients\app\node_modules\builder-util\src\promise.ts:12:14)
  • Above command failed, retrying 3 more times
  • Above command failed, retrying 3 more times
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
Error: Process completed with exit code 1.

This is the patch I use to make it work:

diff --git a/node_modules/app-builder-lib/out/winPackager.js b/node_modules/app-builder-lib/out/winPackager.js
index 8c622a7..848365b 100644
--- a/node_modules/app-builder-lib/out/winPackager.js
+++ b/node_modules/app-builder-lib/out/winPackager.js
@@ -214,24 +214,34 @@ class WinPackager extends platformPackager_1.PlatformPackager {
         if (this.platformSpecificBuildOptions.signAndEditExecutable === false) {
             return false;
         }
-        await bluebird_lst_1.default.map((0, promises_1.readdir)(packContext.appOutDir), (file) => {
+
+        const files = await (0, promises_1.readdir)(packContext.appOutDir);
+        for (const file of files) {
             if (file === exeFileName) {
-                return this.signAndEditResources(path.join(packContext.appOutDir, exeFileName), packContext.arch, packContext.outDir, path.basename(exeFileName, ".exe"), this.platformSpecificBuildOptions.requestedExecutionLevel);
+                console.log(`DEBUG Signing exe file 1: ${exeFileName}`);
+                await this.signAndEditResources(path.join(packContext.appOutDir, exeFileName), packContext.arch, packContext.outDir, path.basename(exeFileName, ".exe"), this.platformSpecificBuildOptions.requestedExecutionLevel);
             }
             else if (this.shouldSignFile(file)) {
-                return this.sign(path.join(packContext.appOutDir, file));
+                console.log(`DEBUG Signing file 2: ${file}`);
+                await this.sign(path.join(packContext.appOutDir, file));
             }
-            return null;
-        });
+        }
+
         if (!isAsar) {
             return true;
         }
+
         const filesPromise = (filepath) => {
             const outDir = path.join(packContext.appOutDir, ...filepath);
             return (0, builder_util_1.walk)(outDir, (file, stat) => stat.isDirectory() || this.shouldSignFile(file));
         };
+
         const filesToSign = await Promise.all([filesPromise(["resources", "app.asar.unpacked"]), filesPromise(["swiftshader"])]);
-        await bluebird_lst_1.default.map(filesToSign.flat(1), file => this.sign(file), { concurrency: 4 });
+        for (const file of filesToSign.flat(1)) {
+            console.log(`DEBUG Signing file 3: ${file}`);
+            await this.sign(file);
+        }
+
         return true;
     }
 }

[mmaietta]

Out of curiosity, are you billed per TrustedSigning request or is it per each individual file? I'm trying to discern whether I need to explore the finishSigning approach for a batch signing request to reduce billing costs.
https://azure.microsoft.com/en-us/pricing/details/trusted-signing/