Signing MSI attempts dual signing and fails

[AdamPD]

Since the change in #177 to use @electron/windows-sign, the package now tries to dual sign the MSI with both SHA-1 and SHA-256 (which fails):

Error: Signtool exited with code 1. Stderr: SignTool Error: Multiple signature support is not implemented for this filetype.

@electron/windows-sign needs to be able to specify that only a single algorithm is required, and then this package should specify which one to use.

[PeteAUK]

I've just updated to the latest version of everything and getting exactly the same error. Digging into it and trying a plethora of
approaches and I think this is an issue more relating to windows-sign and MSI's than anything else. I've even tried multiple versions of signtool.exe to see if that made any difference (which it didn't).

On my Windows 10 machine the only way I've got this working is to set appendSignature to false on line 106 of cjs/signWithSignTool.js - it's a hack and not something I'd necessarily recommend. It also explains why the old way of doing it didn't break, because that flag adds the /as argument onto the signtool.exe command which is where the error comes from.

Don't quite know if this varies depending on the operating system being used as it's a weird one to have slipped through.

[zkrige]

its because electron/windows-sign appends signatures -

https://github.com/electron/windows-sign/blob/7527ffff6158ad7b4062e112c448a862f185034d/src/sign-with-signtool.ts#L123

I'm also looking for a way to disable this

there is a PR for it

electron/windows-sign#19

[AndreyApalkov]

want to bump this issue since currently MSI signing is not working.

[alu-]

Running in to this as well. Are there any workarounds?

[AndreyApalkov]

@alu- I got around this by using hookFunction:

{
        windowsSign: {
          hookFunction: async (fileToSign: string) => {
            const {
              code,
              stderr,
              stdout,
            }: {code: number | null; stderr: string; stdout: string} =
              await new Promise(resolve => {
                const command = process.env.SIGNTOOL_PATH ?? '';
                const hash = 'sha256';
                const args = [
                  'sign',
                  '/tr',
                  process.env.TIMESTAMP_SERVER ?? '',
                  '/td',
                  hash,
                  '/f',
                  process.env.CODE_SIGNING_CERTIFICATE_PATH ?? '',
                  '/p',
                  process.env.CODE_SIGNING_PASSWORD ?? '',
                  '/fd',
                  hash,
                  fileToSign,
                ];
                const fork = spawn(command, args, {
                  env: process.env,
                  cwd: process.cwd(),
                });
                let stdout = '';
                let stderr = '';
                fork.stdout.on('data', data => {
                  stdout += data;
                });
                fork.stderr.on('data', data => {
                  stderr += data;
                });
                fork.on('close', code => {
                  resolve({stdout, stderr, code});
                });
              });

            if (code !== 0) {
              console.error(
                `Signtool exited with code ${code}. Stderr: ${stderr}. Stdout: ${stdout}`,
              );
              // eslint-disable-next-line no-process-exit
              process.exit(1);
            }
          },
        },
// ... other properties
      },

[alu-]

Yay! Using the above mentioned hookFunction did indeed work for me after some customization. Thank you very much Andrey.

For any that comes after I forgot to remove the old references to certificateFile which caused the same error as it tried to sign the file twice, but after I removed that it works.

[zkrige]

this PR has been accepted. These options need to be brought forward into this package

[Kenkron]

@AndreyApalkov where did you put the hook function? My guess was packagerConfig->windowsSign->hookFunction:, but that only works for me on the executable, not the wix installer.

[AndreyApalkov]

@AndreyApalkov where did you put the hook function? My guess was packagerConfig->windowsSign->hookFunction:, but that only works for me on the executable, not the wix installer.

you should put it under the maker config:

const config: ForgeConfig = {
  makers: [
    {
      name: '@electron-forge/maker-wix',
      config: {
        windowsSign: {
          hookFunction: async (fileToSign: string) => {

[Kenkron]

@AndreyApalkov Many thanks amigo. Worked like a charm.

[AndreyApalkov]

You are welcome

[zkrige]

this PR has been accepted. These options need to be brought forward into this package

old:

        const signParams = '/v /td sha256 /d ' + bConf.appVersionedName() + ' /f ' + certPath + ' /p $password ' + outFile
.
.
.

           signWithParams: signParams,

new:

        const signParams = '/v /d ' + bConf.appVersionedName() + ' /f ' + certPath + ' /p $pasword ' + outFile
.
.
.
            windowsSign: {
                signWithParams: signParams,
                hashes: ["sha256"],
                timestampServer: "http://rfc3161timestamp.globalsign.com/advanced",
            },

this seems to work fine