electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

How to disable code signing for individual files? #8202

Open stoefln opened 2 months ago

stoefln commented 2 months ago

As part of our Electron app, we ship a couple of external executables (exe files) that are usually distributed by Google (Android command line tools). I am not sure, but I think those files are already signed. So during our Electron packaging process, we are also signing files, and it seems all executables are signed automatically (by electron-builder), which means that those Android command line tools executables are also signed again. AFAIS this should be avoided, right? Is there any way to exclude files from signing?

I found this, but it's not answered: https://github.com/electron-userland/electron-builder/issues/3790

Here are the relevant log lines:

Run ./node_modules/.bin/electron-builder --publish never --config electron-builder.json --win --x64
  • electron-builder  version=24.13.0 os=10.0.20348
  • loaded configuration  file=D:\a\myapp-studio\myapp-studio\electron-builder.json
  • skipped dependencies rebuild  reason=npmRebuild is set to false
  • packaging       platform=win32 arch=x64 electron=12.2.3 appOutDir=dist\win-unpacked
  • downloading     url=https://github.com/electron/electron/releases/download/v12.2.3/electron-v12.2.3-win32-x64.zip size=83 MB parts=4
  • downloaded      url=https://github.com/electron/electron/releases/download/v12.2.3/electron-v12.2.3-win32-x64.zip duration=1.802s
  • asar usage is disabled — this is strongly not recommended  solution=enable asar and use asarUnpack to unpack files that must be externally available
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\etc1tool.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\fastboot.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\adb.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\dmtracedump.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\hprof-conv.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\make_f2fs.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\sqlite3.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\make_f2fs_casefold.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\win-unpacked\resources\app\resources\platform-tools-win\mke2fs.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • file source doesn't exist  from=D:\Windows\system32\CONCRT140.dll
  • file source doesn't exist  from=D:\Windows\system32\MSVCP140.dll
  • file source doesn't exist  from=D:\Windows\system32\VCRUNTIME140.dll
  • asar usage is disabled — this is strongly not recommended  solution=enable asar and use asarUnpack to unpack files that must be externally available
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z size=5.6 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z duration=909ms
  • signing         file=dist\win-unpacked\myapp.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • building        target=nsis file=dist\myapp_for_win_1.4.105.exe archs=x64 oneClick=false perMachine=false
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z size=1.3 MB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-3.0.4.1/nsis-3.0.4.1.7z duration=902ms
  • signing         file=dist\win-unpacked\resources\elevate.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • downloading     url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z size=731 kB parts=1
  • downloaded      url=https://github.com/electron-userland/electron-builder-binaries/releases/download/nsis-resources-3.4.1/nsis-resources-3.4.1.7z duration=908ms
  •   Signing NSIS uninstaller  file=dist\__uninstaller-nsis-myapp.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • signing         file=dist\myapp_for_win_1.4.105.exe subject=CN=Stephan , O=Stephan , L=W, C=AT thumbprint=4128C616E64B525A6B53FA87A67EEBD74FFFDD17 store=My user=current user
  • building block map  blockMapFile=dist\myapp_for_win_1.4.105.exe.blockmap

mmaietta commented 2 months ago

Can you try this for win.sign config?

sign.js:

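const path = require('path')
const { doSign } = require('app-builder-lib/out/codeSign/windowsCodeSign')

// Placeholder: names of the files that should not be signed again.
// The two entries are examples; replace them with your own list.
const yourFileNamesArray = ['adb.exe', 'fastboot.exe']

/**
 * @type {import("electron-builder").CustomWindowsSign} sign
 */
module.exports = async function sign(config, packager) {
  // Do not sign if no certificate is provided.
  if (!config.cscInfo) {
    return
  }

  // Path of the file electron-builder is about to sign
  const targetPath = config.path
  // Do not sign yourFileNamesArray
  if (yourFileNamesArray.some(filename => targetPath.endsWith(filename))) {
    return
  }

  // Everything else goes through the default signing routine
  await doSign(config, packager)
}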
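
Added example, not part of the thread and not electron-builder code: one way to decide which bundled executables belong in the skip list is to check whether each file already carries an embedded Authenticode signature, by reading the Certificate Table entry of its PE header. The names `findCertificateTable` and `buildSamplePe` are hypothetical and the sample header is constructed.

```javascript
const IMAGE_DIRECTORY_ENTRY_SECURITY = 4 // data-directory index of the Certificate Table

// Returns { offset, size } of the embedded Authenticode certificate table,
// or null when the image has none. Throws on input that is not a valid PE.
// A non-null result means a signature is embedded, not that it verifies.
function findCertificateTable(buf) {
  if (buf.length < 0x40 || buf.readUInt16LE(0) !== 0x5a4d) {
    throw new Error('missing MZ header')
  }
  const pe = buf.readUInt32LE(0x3c) // e_lfanew
  if (pe + 24 > buf.length || buf.readUInt32LE(pe) !== 0x00004550) {
    throw new Error('missing PE signature')
  }
  const opt = pe + 24 // 4-byte signature + 20-byte COFF header
  const optSize = buf.readUInt16LE(pe + 20) // SizeOfOptionalHeader
  if (optSize < 2 || opt + optSize > buf.length) throw new Error('truncated optional header')
  const magic = buf.readUInt16LE(opt)
  // Offset of NumberOfRvaAndSizes: 92 for PE32, 108 for PE32+
  const countAt = magic === 0x10b ? 92 : magic === 0x20b ? 108 : -1
  if (countAt < 0 || optSize < countAt + 4) throw new Error('unsupported optional header')
  const entry = opt + countAt + 4 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
  if (buf.readUInt32LE(opt + countAt) <= IMAGE_DIRECTORY_ENTRY_SECURITY ||
      entry + 8 > opt + optSize) {
    return null // header has no slot for the security directory
  }
  const offset = buf.readUInt32LE(entry) // a file offset, not an RVA
  const size = buf.readUInt32LE(entry + 4)
  if (offset === 0 || size === 0) return null
  if (offset + size > buf.length) throw new Error('certificate table outside file')
  return { offset, size }
}

// Constructed sample: a bare PE32+ header, not a real executable.
function buildSamplePe(certOffset, certSize) {
  const buf = Buffer.alloc(0x400) // zero-filled
  buf.write('MZ', 0, 'latin1')
  buf.writeUInt32LE(0x80, 0x3c) // e_lfanew
  buf.write('PE', 0x80, 'latin1') // the two trailing NUL bytes are already zero
  buf.writeUInt16LE(240, 0x80 + 20) // SizeOfOptionalHeader: 112 + 16 * 8
  buf.writeUInt16LE(0x20b, 0x80 + 24) // PE32+ magic
  buf.writeUInt32LE(16, 0x80 + 24 + 108) // NumberOfRvaAndSizes
  buf.writeUInt32LE(certOffset, 0x80 + 24 + 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
  buf.writeUInt32LE(certSize, 0x80 + 24 + 116 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
  return buf
}

console.log(findCertificateTable(buildSamplePe(0x200, 0x100))) // sample with a table
console.log(findCertificateTable(buildSamplePe(0, 0))) // sample without one
```

For a real file, pass the result of `fs.readFileSync(path)`. To confirm that an embedded signature actually validates, use `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` on Windows.
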

stoefln commented 2 months ago

Thanks @mmaietta! Can you tell me which of the files need to be signed? I guess only the myapp.exe and the installer, right?

github-actions[bot] commented 20 hours ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.