Custom sign is called but all files are signed anyway #8884

Open
dowmeister opened this issue Feb 21, 2025 · 6 comments

dowmeister commented Feb 21, 2025

Hello,
I've recently moved from electron-builder 24.x to 25.x, and I was using a custom signing script to avoid signing all files and sign only what I need to sign (application exe and installer exe).

With electron-builder 25 the custom sign seems to be ignored.

```json
"publisherName": "Trucky",
"certificateSubjectName": "Trucky",
"signingHashAlgorithms": [
  "sha256"
],
"sign": "./customSign.js",
```

customSign.js

```js
const path = require('path');
// Assumption: package.json sits next to this script; adjust the path if it does not.
const packageJson = require('./package.json');

exports.default = async function (configuration) {
  // `isCI` was used below without being defined; derive it from the same variable.
  const isCI = Boolean(process.env.CI);

  if (!isCI) {
    console.log("Skipping signing as CI environment is not detected.");
    //process.exit(0); // Exit without performing signing
    return;
  }

  if (configuration.path && isCI) {
    const baseName = path.basename(configuration.path);
    const version = packageJson.version;

    // Sign only the application executable and the installer.
    if (baseName === 'Trucky.exe' || baseName === `Trucky ${version}.exe`) {
      console.log(`Signing ${configuration.path}' with SMCTL`);

      require('child_process').execSync(
        `smctl sign --keypair-alias=key --input "${String(
          configuration.path
        )}"`
      );
    }
  }
};
```

Before with 24.x

....
Signing D:\a\trucky-electron\trucky-electron\release\build\win-unpacked\Trucky.exe' with SMCTL
....
Signing D:\a\trucky-electron\trucky-electron\release\build\Trucky 3.1.18.exe' with SMCTL

Now with 25.x is actually signing twice: once internally and after using customSign.js

• signing         file=release\build\win-unpacked\resources\assets\tools\SII_Decrypt.exe subject=CN=Trucky <redacted>
...
  • signing         file=release\build\win-unpacked\Trucky.exe subject=CN=Trucky <redacted>
Signing D:\a\trucky-electron\trucky-electron\release\build\win-unpacked\Trucky.exe' with SMCTL
  • signing         file=release\build\win-unpacked\resources\app.asar.unpacked\node_modules\clipboardy\fallbacks\windows\clipboard_i686.exe subject=CN=Trucky <redacted>
  • signing         file=release\build\win-unpacked\resources\app.asar.unpacked\node_modules\clipboardy\fallbacks\windows\clipboard_x86_64.exe subject=CN=Trucky<redacted>
  ...
  • signing         file=release\build\win-unpacked\resources\elevate.exe subject=CN=Trucky <redacted>
....
  • signing NSIS uninstaller  file=release\build\__uninstaller-nsis-trucky-electron.exe subject=CN=Trucky <redacted>
  • signing         file=release\build\Trucky 3.2.0.exe subject=CN=Trucky <redacted>
Signing D:\a\trucky-electron\trucky-electron\release\build\Trucky 3.2.0.exe' with SMCTL

Maybe now this is different or can be done in a smarter and more elegant way :D

Thank you
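A check a CI job could run after the build to confirm which files were actually signed, written as an added example (not code from the issue or from electron-builder). It parses the two log line shapes quoted in the report above; the function name, the allowlist and the sample log are constructed for illustration.

```javascript
// Added example: audit a build log for signing scope. Line shapes follow the
// excerpts in the issue; the allowlist and sample log are constructed.

// Built-in signer: "• signing [NSIS uninstaller]  file=<path> subject=<dn>"
const BUILTIN_RE = /\bsigning\b.*?\sfile=(.+?)\s+subject=/;
// Hook output as printed by the issue's customSign.js (stray quote tolerated).
const HOOK_RE = /^Signing (.+?)'? with SMCTL$/;

// Basename for Windows or POSIX separators.
const baseName = (p) => p.split(/[\\/]/).pop();

function auditSigningLog(logText, allowedBaseNames) {
  const builtin = new Set();
  const hook = new Set();
  for (const raw of logText.split(/\r?\n/)) {
    const line = raw.trim();
    const b = BUILTIN_RE.exec(line);
    const h = b ? null : HOOK_RE.exec(line);
    if (b) builtin.add(baseName(b[1]));
    else if (h) hook.add(baseName(h[1]));
  }
  const allowed = new Set(allowedBaseNames);
  const all = new Set([...builtin, ...hook]);
  return {
    // Signed by both the built-in signer and the custom hook.
    signedTwice: [...hook].filter((f) => builtin.has(f)).sort(),
    // Signed by either path although not on the allowlist.
    unexpected: [...all].filter((f) => !allowed.has(f)).sort(),
    // On the allowlist but never signed.
    missing: [...allowed].filter((f) => !all.has(f)).sort(),
  };
}

// Constructed sample modelled on the 25.x output quoted in the issue.
const SAMPLE_LOG = String.raw`
  • signing         file=release\build\win-unpacked\resources\elevate.exe subject=CN=Example
  • signing         file=release\build\win-unpacked\Trucky.exe subject=CN=Example
Signing D:\a\app\release\build\win-unpacked\Trucky.exe' with SMCTL
  • signing NSIS uninstaller  file=release\build\__uninstaller-nsis-app.exe subject=CN=Example
  • signing         file=release\build\Trucky 3.2.0.exe subject=CN=Example
Signing D:\a\app\release\build\Trucky 3.2.0.exe' with SMCTL
`;

const report = auditSigningLog(SAMPLE_LOG, ['Trucky.exe', 'Trucky 3.2.0.exe']);
console.log(report);
```

A non-empty `signedTwice` or `unexpected` list reproduces the behaviour reported here and can be used to fail the build.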

@mmaietta
Collaborator

Can you please try 26.0.8? Significant changes were made to both the Windows signing flow (Azure Trusted Signing required a few refactors) and also the signing hooks implementation.

@dowmeister
Author

I would, but unfortunately I'm tied to an electron-builder port, ow-electron-builder, that, so far, is at 25.
Will ask the maintainer if they can upgrade to 26.
Thanks for now.

@mmaietta
Collaborator

Oomph, yeah a port basically makes it impossible to provide support without me knowing what changes were made in the fork

@dowmeister
Author

Yes, I understand totally. But I don't think they touched signing but rather something internally to include a DLL or something to the package. I'm in contact with them, will follow up with some details, if I can.

@mmaietta
Collaborator

> include a DLL or something to the package

So I don't know the context, but that sounds like something that could be done in an afterPack hook. If it's not possible, would love to know why, to see if it'd be something worthwhile supporting directly through electron-builder.

@dowmeister
Author

Don't think it's only that, I've explained a bit too easily :)
Will ask them to hop in this issue.
Thank you for your time.
