electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Code signing on Windows 10 builds a non-signed Windows 7 installer/executable #766

Closed tomzx closed 7 years ago

tomzx commented 8 years ago

Hi,

I've been successful in building a code signed Windows 10 application using electron-builder. However, if I run the same installer under Windows 7, I see the following dialog window:

image

If I look at the properties of the executable, the Digital Signatures tab is missing, indicating that the executable is not signed.

image

However, if I do the same process under Windows 7, I have a different set of issues. I'm unsure if it is my computer or the codesign executable that is part of the WinCodeSign 1.4.2 package, but it will often crash with Unhandled rejection Error: Exit code: 3221225477 (see http://stackoverflow.com/a/10306977/108301, basically a segfault). If I run it multiple times (until it works), then I get a signed executable/installer. The security warning dialog box now displays the proper publisher name and the Digital Signatures is present in the properties of the executable.

image

Does this imply that it is not possible to have an app signed for both Windows 7 and Windows 10?

Reference logs (When building on Windows 7):

E:\Tom\Documents\GIT\REMOVED>gulp installer-win32
(node:5388) fs: re-evaluating native module sources is not supported. If you are using the graceful-fs module, please update it to a more recent version.
[23:23:21] Using gulpfile E:\Tom\Documents\GIT\REMOVED\gulpfile.js
[23:23:21] Starting 'installer-win32'...
[23:23:21] Finished 'installer-win32' after 32 ms
Skip app dependencies rebuild because dev and app dependencies are not separated
Packaging for platform win32 ia32 using electron 1.1.3 to dist\win-ia32-unpacked

  electron-builder Found existing nsis C:\Users\Tom\.cache\nsis\nsis-3.0.1 +0ms
  electron-builder Found existing winCodeSign C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2 +3s
  electron-builder Executing C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\rcedit.exe E:\Tom\Documents\GIT\REMOVED\dist\win-ia32-unpacked\REMOVED.exe --set-version-string CompanyName REMOVED --set-version-string FileDescription REMOVED --set-version-string ProductName REMOVED --set-version-string InternalName REMOVED --set-version-string LegalCopyright Copyright © 2016 REMOVED --set-version-string OriginalFilename  --set-file-version 1.1.0 --set-product-version 1.1.0 --set-icon E:\Tom\Documents\GIT\REMOVED\assets\package\win\icon.ico +2ms
Signing REMOVED.exe (certificate file "build\certs\REMOVED.p12")
  electron-builder Executing C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\windows-6\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f build\certs\REMOVED.p12 /d REMOVED /du https://REMOVED/ /p REMOVED E:\Tom\Documents\GIT\REMOVED\dist\win-ia32-unpacked\REMOVED.exe +170ms
  electron-builder Executing C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\windows-6\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f build\certs\REMOVED.p12 /fd sha256 /td sha256 /d REMOVED /du https://REMOVED/ /as /p REMOVED E:\Tom\Documents\GIT\REMOVED\dist\win-ia32-unpacked\REMOVED.exe +538ms
Warning: For windows consider only distributing 64-bit, see https://github.com/electron-userland/electron-builder/issues/359#issuecomment-214851130
Building Squirrel.Windows installer

  electron-builder Found existing Squirrel.Windows C:\Users\Tom\.cache\Squirrel.Windows\Squirrel.Windows-1.4.4 +1s
Signing t-150c-0-Update.exe (certificate file "build\certs\REMOVED.p12")
  electron-builder Executing C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\windows-6\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f build\certs\REMOVED.p12 /d REMOVED /du https://REMOVED/ /p REMOVED C:\Users\Tom\AppData\Local\Temp\electron-builder-CGxeG7\t-150c-0-Update.exe +31ms
  electron-builder Executing C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\windows-6\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f build\certs\REMOVED.p12 /fd sha256 /td sha256 /d REMOVED /du https://REMOVED/ /as /p REMOVED C:\Users\Tom\AppData\Local\Temp\electron-builder-CGxeG7\t-150c-0-Update.exe +223ms
Unhandled rejection Error: Exit code: 3221225477. Command failed: C:\Users\Tom\.cache\winCodeSign\winCodeSign-1.4.2\windows-6\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f build\certs\REMOVED.p12 /fd sha256 /td sha256 /d REMOVED /du https://REMOVED/ /as /p REMOVED C:\Users\Tom\AppData\Local\Temp\electron-builder-CGxeG7\t-150c-0-Update.exe

    at E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\util\util.ts:96:16
    at ChildProcess.exithandler (child_process.js:213:5)
    at emitTwo (events.js:106:13)
    at ChildProcess.emit (events.js:191:7)
    at maybeClose (internal/child_process.js:877:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:226:5)
From previous event:
    at Object.exec (E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\util\util.ts:77:9)
    at E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\windowsCodeSign.ts:114:20
From previous event:
    at tsAwaiter (E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\util\awaiter.ts:10:47)
    at WinPackager.sign (E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\winPackager.ts:123:26)
    at bluebird_1.Promise.all.fs_extra_p_1.copy.then (E:\Tom\Documents\GIT\REMOVED\node_modules\electron-builder\src\targets\squirrelPack.ts:58:28)
    at runCallback (timers.js:574:20)
    at tryOnImmediate (timers.js:554:5)
    at processImmediate [as _immediateCallback] (timers.js:533:5)

develar commented 8 years ago

We do dual code signing to support Windows 7. It is the reason why you cannot sign on Windows 7 — sha2. I will check, I am sure that it worked before.
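
The debug log quoted in the first post shows two signtool passes per file (a SHA-1 pass, then a SHA-256 pass appended with /as), and the crash hit the second pass for Update.exe. As an added example (not part of this thread and not electron-builder code), the Node.js script below audits such a log per artifact; the function names and the shortened sample log are constructed, and a pass with no "Command failed" line is assumed to have succeeded.

```javascript
// Added example, not electron-builder code. SAMPLE_LOG is constructed:
// shortened paths, modelled on the debug output quoted in this issue.
const SAMPLE_LOG = String.raw`
  electron-builder Executing C:\cache\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f cert.p12 /p REMOVED C:\dist\App.exe +170ms
  electron-builder Executing C:\cache\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f cert.p12 /fd sha256 /td sha256 /as /p REMOVED C:\dist\App.exe +538ms
  electron-builder Executing C:\cache\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f cert.p12 /p REMOVED C:\tmp\Update.exe +31ms
  electron-builder Executing C:\cache\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f cert.p12 /fd sha256 /td sha256 /as /p REMOVED C:\tmp\Update.exe +223ms
Unhandled rejection Error: Exit code: 3221225477. Command failed: C:\cache\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f cert.p12 /fd sha256 /td sha256 /as /p REMOVED C:\tmp\Update.exe
`;

// Parse one log line into a signing pass, or null if it is not a signtool call.
function parseSignPass(line) {
  const marker = 'signtool.exe sign ';
  const at = line.indexOf(marker);
  if (at === -1) return null;
  const args = line.slice(at + marker.length).trim()
    .replace(/\s\+\d+(ms|s)$/, '')            // drop the "+170ms" debug timer
    .split(/\s+/);
  const fd = args.indexOf('/fd');
  const code = /Exit code: (\d+)/.exec(line);
  return {
    file: args[args.length - 1],              // assumption: no spaces in the path
    // Assumption: a pass without /fd is the SHA-1 pass, as in this log.
    digest: fd === -1 ? 'sha1' : args[fd + 1].toLowerCase(),
    appended: args.includes('/as'),
    failed: line.includes('Command failed:'),
    exitCode: code ? '0x' + Number(code[1]).toString(16).toUpperCase() : null,
  };
}

// Per artifact, report each pass as 'missing', 'ok' or 'failed 0x...'.
function auditDualSigning(log) {
  const report = {};
  for (const line of log.split(/\r?\n/)) {
    const pass = parseSignPass(line);
    if (!pass) continue;
    const entry = report[pass.file] =
      report[pass.file] || { sha1: 'missing', sha256: 'missing', dual: false };
    if (pass.failed) {
      entry[pass.digest] = 'failed ' + pass.exitCode;
    } else {
      // Without /as, signtool replaces any signature already on the file.
      if (!pass.appended) entry.sha1 = entry.sha256 = 'missing';
      entry[pass.digest] = 'ok';
    }
    entry.dual = entry.sha1 === 'ok' && entry.sha256 === 'ok';
  }
  return report;
}

console.log(auditDualSigning(SAMPLE_LOG));
```

The log only records what was attempted, so a build gate should still check the signatures on the produced files themselves.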

develar commented 8 years ago

image

Works for me — app signed.

develar commented 8 years ago

You can try my app https://bintray.com/develar/generic/onshape-desktop-shell/0.5.3#files — is it signed on your machine?

develar commented 8 years ago

electron 1.1.3

Please try to update to 1.4

tomzx commented 8 years ago

I tried your OnShape installer, results below.

image image image

I've also tried upgrading to electron 1.4.0, it made no difference. I've also bumped electron-builder to 7.4.0.

I'll add that I'm currently using Windows 7 SP1 (if that makes any difference).

develar commented 8 years ago

I use AppVeyor CI to build Windows version — Windows Server 2012 R2 (x64). Ok — I will build on Windows 10 and check Windows 7 to confirm (or not to confirm) this issue.

dharders commented 8 years ago

Working for me.

"electron-builder": "7.6.0",
"electron-prebuilt": "1.4.1"

"target": "nsis"

Built on Win10 (signed sha1 & sha256), copied to USB then opened Win7 SP1, still signed (sha1 & sha256)

tomzx commented 8 years ago

@dharders, I see you mention NSIS. In my case, I am building a Squirrel installer.

dharders commented 8 years ago

Ahh I see, missed that! I moved to NSIS as I found too many issues with Squirrel.Windows and soon it will be deprecated when NSIS auto-update lands. If it's possible with your project, I'd suggest to make the move too. But I understand it's a bit of work if you already have an app 'in the wild'.

tomzx commented 8 years ago

@dharders Interesting, I thought that NSIS had been deprecated in favor of Squirrel a few versions back (about 3-6 months ago). Do you happen to know if that decision was reversed?

dharders commented 8 years ago

NSIS was only added in the last few months (still beta I guess until auto-update lands #529 ) with the intent to replace Squirrel.Windows.

@tomzx Squirrel.Windows maybe not 'deprecated' but no longer being default, where Windows.NSIS will be default soon (I remember reading it in some issue comments, I'll try to find the link). @develar to confirm?

Squirrel for Mac is still good though. It's just Squirrel.Windows that is troublesome/changing.

develar commented 8 years ago

> I see you mention NSIS. In my case, I am building a Squirrel installer.

Should be no difference (e.g. sample app is still using Squirrel.Windows).

> I thought that NSIS had been deprecated in favor of Squirrel a few versions back (about 3-6 months ago)

Yes, but as Squirrel.Windows is not as robust/maintainable as NSIS, it will be deprecated and not a default Windows target anymore.

virror commented 8 years ago

Is there any good guide out there for code signing? I need to sign my NSIS app for both win 7 and 10 but I have no idea how to do that.

develar commented 8 years ago

@virror should be very easy, please be aware of https://github.com/electron-userland/electron-builder/pull/774#issuecomment-249132045

develar commented 7 years ago

Closed as obsolete.