electron / windows-installer

Build Windows Installers for Electron apps
MIT License

When using hookModulePath option in windowsSign, only Setup.exe and Setup.msi are signed, all other internal binaries are not signed. #509

Closed soundar-m closed 6 months ago

soundar-m commented 6 months ago

I'm using the hookModulePath option to sign the installer with custom logic. Even though the logs show that the installer and all the internal binaries were signed successfully, only Setup.exe and Setup.msi are signed. All the other internal binaries are not signed when the app is installed.

Configuration used

{
    windowsSign: {
        hookModulePath: 'signHook.js'
    }
}

signHook.js

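const util = require('util');
const exec = util.promisify(require('child_process').exec);

module.exports = async function (filePath) {
    console.log(`going to sign ${filePath}`);
    // Await the script so the hook resolves only after signing has finished
    // and rejects when the script exits with a non-zero code.
    await exec("cmd.exe /c <path to custom signing bat file> " + filePath);
}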

Previously I was using the signWithParams option and all the internal binaries were signed properly. Sharing the debug logs when using windowsSign for reference.

debug logs when using windowsSign

electron-windows-installer:main @electron/windows-sign sea
{
  bin: '......\\nvm\\v20.12.0\\node.exe',
  script: '...\\node_modules\\electron-winstaller\\vendor\\receiver.mjs'
}
going to sign ......\AppData\Local\SquirrelTemp\tempf\lib\net45\AppTitle.exe
Successfully signed ......\AppData\Local\SquirrelTemp\tempf\lib\net45\AppTitle.exe undefined

soundar-m commented 6 months ago

The internal binaries were not signed because the custom bat script I was invoking did not have permission to modify files under the AppData directory. Due to this, the code signature was not added to all the temp files created in the SquirrelTemp directory. Once the script was executed with the relevant permission, the code signature was applied to all the internal binaries.
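
An added example, not part of the issue thread or the project's code: a signing hook that rejects, instead of letting success be logged, when the signing script cannot write the file, exits non-zero, or leaves the file untouched. `makeSignHook`, `SIGNERS` and `demo` are hypothetical names, the signer commands are constructed stand-ins for the bat file, and the unchanged-hash check assumes the script embeds the signature in the file it is given.

```javascript
const { execFile } = require('child_process');
const { promisify } = require('util');
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

const execFileAsync = promisify(execFile);
const sha256 = (file) =>
  crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');

// Hypothetical helper: returns a hook of the shape the issue's signHook.js exports.
function makeSignHook(command, args) {
  return async function signHook(filePath) {
    // Fail early if this process cannot write the file (the cause found in the issue).
    await fs.promises.access(filePath, fs.constants.W_OK);
    const before = sha256(filePath);
    // Awaiting makes a non-zero exit from the signing script reject the hook.
    await execFileAsync(command, [...args, filePath]);
    // Assumption: signing embeds the signature, so the file content must change.
    if (sha256(filePath) === before) {
      throw new Error(`signing left ${filePath} unchanged`);
    }
  };
}

// Possible wiring in signHook.js (placeholder path kept from the issue):
// module.exports = makeSignHook('cmd.exe', ['/c', '<path to custom signing bat file>']);

// Constructed stand-ins for the signing script, so the example runs offline.
const SIGNERS = {
  ok: ['-e', "require('fs').appendFileSync(process.argv[1], 'SIG')"],
  silentNoOp: ['-e', '0'],
  exitsNonZero: ['-e', 'process.exit(5)'],
};

// Runs the hook against constructed files and reports the outcome per signer.
async function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'signhook-'));
  const results = {};
  for (const [name, args] of Object.entries(SIGNERS)) {
    const file = path.join(dir, `${name}.exe`);
    fs.writeFileSync(file, 'constructed binary');
    results[name] = await makeSignHook(process.execPath, args)(file)
      .then(() => 'signed', (err) => `rejected: ${err.message}`);
  }
  fs.rmSync(dir, { recursive: true, force: true });
  return results;
}
```

Because the hook rejects in the two failure cases, the failure reaches the caller rather than a success line being printed for a file that was never modified.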