electron / windows-sign

Codesign Electron apps for Windows
BSD 2-Clause "Simplified" License

Incorrectly parsed arguments from `signWithParams` #45

Open ShGKme opened 1 week ago

ShGKme commented 1 week ago

Problem

When additional arguments are passed via signWithParams, they are parsed into arguments using RegExp.

https://github.com/electron/windows-sign/blob/2605684e8ee705cf4f0ae0e1b93c3488b205e498/src/sign-with-signtool.ts#L67-L69

For example, `signWithParams: '/n "My Awesome Company"'` is parsed into `['/n', '"My Awesome Company"']`. Double quotes are kept in place as the arg value. Then it's passed into `signtool` via Node.js `fork`, it's passed as an argument.

As a result, `signtool` receives the value with double quotes, `"My Awesome Company"`, instead of the actual value `My Awesome Company`.

Same problem with device tokens and /csp, /kc params.

Proposals

1. Don't parse signWithParams

Currently params from the result of parsing are never used individually.

```ts
extraArgs.push(options.signWithParams)
```

2. Parse params with values

```ts
extraArgs.push(...[...options.signWithParams.matchAll(/(?:([^\s"]+)|"([^"]*)")+/g)].map((matched) => matched[1] || matched[2]));
```

Then it results in `['/n', 'My Awesome Company']` instead of `['/n', '"My Awesome Company"']`.

3. Use `windowsVerbatimArguments: true` and quote other params instead

Solve the problem the other way around — quote args provided from @electron/windows-sign.


I'd prefer option 2, as it allows fixing another issue.

I'm ready to provide a PR, if that's ok.
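
The two parse results described in the issue above, compared side by side with a quote-aware splitter in the spirit of proposal 2. This is an added example, not code from the issue or from @electron/windows-sign: `splitKeepingQuotes`, `splitSignParams` and the sample string are constructed for illustration, and the splitter goes slightly further than the issue by handling quotes in the middle of a token and rejecting an unterminated quote.

```typescript
// Stand-in for the behaviour the issue describes (hypothetical helper):
// quoted runs stay together, but the quote characters remain in the value.
function splitKeepingQuotes(input: string): string[] {
  return input.match(/(?:[^\s"]+|"[^"]*")+/g) || [];
}

// Quote-aware splitter (hypothetical helper): whitespace separates arguments,
// double quotes group text and are removed before the value reaches argv.
function splitSignParams(input: string): string[] {
  const args: string[] = [];
  let current = '';
  let inQuotes = false;
  let started = false; // true once an argument has begun, so "" yields ''

  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    if (ch === '"') {
      inQuotes = !inQuotes;
      started = true;
    } else if (!inQuotes && /\s/.test(ch)) {
      if (started) {
        args.push(current);
        current = '';
        started = false;
      }
    } else {
      current += ch;
      started = true;
    }
  }
  // Fail closed: a dangling quote means the caller's intent is ambiguous,
  // so do not guess which arguments the signing tool should receive.
  if (inQuotes) {
    throw new Error('Unterminated double quote in signWithParams');
  }
  if (started) args.push(current);
  return args;
}

// Constructed sample input, taken from the example in the issue text.
const sample = '/n "My Awesome Company"';
console.log(splitKeepingQuotes(sample)); // quotes still part of the value
console.log(splitSignParams(sample));    // quotes stripped
```

Because the result is passed as an argv array rather than through a shell, no later stage strips the quotes, so the splitter has to do it.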

nikwen commented 3 days ago

I saw this, too. I think a PR would make sense.