RocketChat / Rocket.Chat.Electron

Official OSX, Windows, and Linux Desktop Clients for Rocket.Chat
https://rocket.chat/
MIT License

Github Action build not signing AppX package #2149

Open KagurazakaNyaa opened 2 years ago

KagurazakaNyaa commented 2 years ago

Describe the bug

In the automatic build of this project, the AppX package was not properly signed, which caused the .appx format installation file downloaded in Release to fail to install due to certificate issues.

To Reproduce

Steps to reproduce the behavior:

  1. Download .appx file from release
  2. Double-click it
  3. Windows warns that it is an untrusted application and therefore cannot be installed

Expected behavior

It should be able to be installed normally, just like the version in exe or msi format.

Additional context

After checking the Github Action build process for this project, I located the problem here:
https://github.com/RocketChat/Rocket.Chat.Electron/blob/1b6ba4974b826c88b4948900e77c488c2deb9087/workspaces/desktop-release-action/src/windows.ts#L11

It does not properly configure the environment variables required for digital signatures, like:
https://github.com/RocketChat/Rocket.Chat.Electron/blob/1b6ba4974b826c88b4948900e77c488c2deb9087/workspaces/desktop-release-action/src/windows.ts#L6-L9

You can check the Github Action log to check this issue:
https://github.com/RocketChat/Rocket.Chat.Electron/runs/3539521579?check_suite_focus=true#step:10:53

jeanfbrito commented 2 years ago

Please test if the problem persists with our latest release. I will be closing the issue, but if there is still any problem, we will open it again.

KagurazakaNyaa commented 2 years ago

In the current latest release (3.8.7), this problem still exists.
https://github.com/RocketChat/Rocket.Chat.Electron/releases/download/3.8.7/rocketchat-3.8.7-win-x64.appx
https://github.com/RocketChat/Rocket.Chat.Electron/runs/6713607085?check_suite_focus=true#step:10:61

cmouse commented 4 months ago

It still exists with 3.9.14.

This app package’s publisher certificate could not be verified. Contact your system administrator or the app developer to obtain a new app package with verified certificates. The root certificate and all immediate certificates of the signature in the app package must be verified (0x800B010A)

jeanfbrito commented 4 months ago

> It still exists with 3.9.14.
>
> This app package’s publisher certificate could not be verified. Contact your system administrator or the app developer to obtain a new app package with verified certificates. The root certificate and all immediate certificates of the signature in the app package must be verified (0x800B010A)

@cmouse we are using the .appx installers to publish on Microsoft Store. They don't complain about that. What could be different that you need that Microsoft Store didn't ask for?

cmouse commented 4 months ago

I have no idea, I was using the asset from your release page. I have a pretty vanilla Windows 11 with no special things, and I get that message when I tried to install the appx package.

jeanfbrito commented 4 months ago

> I have no idea, I was using the asset from your release page. I have a pretty vanilla Windows 11 with no special things, and I get that message when I tried to install the appx package.

But why don't you use the MSI or EXE installer? APPX is just for distribution as far as I know.

cmouse commented 4 months ago

If it is not intended to be used, should this be mentioned somewhere?

jeanfbrito commented 4 months ago

> If it is not intended to be used, should this be mentioned somewhere?

Sorry, where is it mentioned? We generate it to send to Microsoft Store.

cmouse commented 4 months ago

You publish it in your release page. Nothing says one should not use it, so I wonder if you could add a note about this that it is not supposed to be used.

I feel like you feel somehow offended, it's not my intention to do so. If you feel this is not useful discussion, feel free to close this issue.

jeanfbrito commented 4 months ago

> You publish it in your release page. Nothing says one should not use it, so I wonder if you could add a note about this that it is not supposed to be used.
>
> I feel like you feel somehow offended, it's not my intention to do so. If you feel this is not useful discussion, feel free to close this issue.

No no, not offended at all. I want to understand what we can do to improve this. We publish all the packages that we use, but people usually use whichever installer they need. I can take a look at whether we can sign the appx packages, but they are mainly generated to be published by Microsoft Store.