electron-builder: Code-Signing Windows on Mac, `osslsigncode` produces 'Unrecognized file type' error when signing .node modules
- Electron-Builder Version: 24.4.0
- Node Version: 18.16.1
- Electron Version: 25.2.0
- Electron Type (current, beta, nightly): current
- Target: x64
In our electron app we’re using websocket package that includes native prebuilt .node modules. And we’re signing both Mac and Windows x64 app versions on Mac.
After upgrading to electron-builder v24 we can no longer sign Windows app on Mac.
• signing file=dist_electron/win-unpacked/redacted.exe certificateFile=/Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx
• signing file=dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/win32-x64/node.napi.node certificateFile=/Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx
• signing file=dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/win32-ia32/node.napi.node certificateFile=/Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx
• signing file=dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node certificateFile=/Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx
• signing file=dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/darwin-x64+arm64/node.napi.node certificateFile=/Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx
⨯ Exit code: 255. Command failed: /Users/runner/Library/Caches/electron-builder/winCodeSign/winCodeSign-2.6.0/darwin/10.12/osslsigncode -in /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node -out /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi-signed-sha1.node -t http://timestamp.digicert.com -pkcs12 /Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx -h sha1 -n redacted -i https://redacted.example.com/ -pass xxxxxxxxxxxxxxxxx (sha256 hash) file type: /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node
Failed
Unrecognized file type: /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node
Failed
failedTask=build stackTrace=Error: Exit code: 255. Command failed: /Users/runner/Library/Caches/electron-builder/winCodeSign/winCodeSign-2.6.0/darwin/10.12/osslsigncode -in /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node -out /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi-signed-sha1.node -t http://timestamp.digicert.com -pkcs12 /Users/runner/work/_temp/redacted-CodeSign-Exp-2023-10-06.pfx -h sha1 -n redacted -i https://redacted.example.com/ -pass xxxxxxxxxxxxxxxxx (sha256 hash) file type: /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node
Failed
Unrecognized file type: /Users/runner/work/1/s/redacted/dist_electron/win-unpacked/resources/app.asar.unpacked/node_modules/utf-8-validate/prebuilds/linux-x64/node.napi.node
Failed
at /Users/runner/work/1/s/redacted/node_modules/builder-util/src/util.ts:133:18
at ChildProcess.exithandler (node:child_process:427:5)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1091:16)
at Socket.<anonymous> (node:internal/child_process:449:11)
at Socket.emit (node:events:513:28)
at Pipe.<anonymous> (node:net:322:12)
From previous event:
at processImmediate (node:internal/timers:476:21)
From previous event:
at WinPackager.signApp (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/winPackager.ts:407:27)
at WinPackager.doSignAfterPack (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/platformPackager.ts:332:21)
at WinPackager.doPack (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/platformPackager.ts:317:7)
at WinPackager.pack (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/platformPackager.ts:136:5)
at Packager.doBuild (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/packager.ts:442:9)
at executeFinally (/Users/runner/work/1/s/redacted/node_modules/builder-util/src/promise.ts:12:14)
at Packager._build (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/packager.ts:376:31)
at Packager.build (/Users/runner/work/1/s/redacted/node_modules/app-builder-lib/src/packager.ts:337:12)
at executeFinally (/Users/runner/work/1/s/redacted/node_modules/builder-util/src/promise.ts:12:14)
• building block map blockMapFile=dist_electron/redacted-0.9.4846-develop.dmg.blockmap
It seems that https://github.com/electron-userland/electron-builder/pull/7421 introduced automatic code-signing for such modules, but it looks like osslsigncode doesn’t support .node files and will produce Unrecognized file type error when trying to sign.
Is code-signing Windows app on Mac still supported or we should consider splitting our build steps into dedicated pipelines for Mac and Windows?
About this issue
- Original URL
- State: closed
- Created a year ago
- Reactions: 2
- Comments: 48 (6 by maintainers)
Commits related to this issue
- fix(suite-desktop): fix win build by downgrading electron-builder - until https://github.com/electron-userland/electron-builder/issues/7652 is resolved — committed to trezor/trezor-suite by matejkriz a year ago
- fix(suite-desktop): fix win build by downgrading electron-builder - until https://github.com/electron-userland/electron-builder/issues/7652 is resolved — committed to trezor/trezor-suite by matejkriz a year ago
- fix(suite-desktop): fix win build by downgrading electron-builder - until https://github.com/electron-userland/electron-builder/issues/7652 is resolved (cherry picked from commit f3388b0c8f7c2e3a114... — committed to trezor/trezor-suite by matejkriz a year ago
- fix(suite-desktop): fix win build by downgrading electron-builder - until https://github.com/electron-userland/electron-builder/issues/7652 is resolved (cherry picked from commit f3388b0c8f7c2e3a114... — committed to trezor/trezor-suite by matejkriz a year ago
AFAICT, the packager class doesn’t have access to what architecture or target it is packaging for during the signing stage, it just runs blindly the same flow. I took a look earlier on how to prune binaries for other architectures, but I couldn’t find a way to do so.
I’m okay with default skip
.nodefiles to return back to previously working functionality. The WDAC sign-all requirement can be considered supplemental and require the user/developer adding.nodeto thesignExtsarray.Alriiiiight, electron/rebuild migration has been reverted. Please try v24.6.1 🤞
Okay, I’m going to attempt reverting the electron/rebuild migration in a new PR. I’m struggling to find a way to create a native module dependency mapping that I can execute the prebuild-install cli on for each native module. From another github comment, the need for electron/rebuild due to Cxx flags may no longer be needed? It appears that may be the case since you’re using electron 24 with electron-builder v23.
Just to continue checking all my bases, what changes in v24 do you need that aren’t in v23? (i.e. is it requiring electron/rebuild integration?)
@mmaietta Managed to successfully upgrade to Electron v25 using the latest Electron Builder. Thanks once again for your help.
Please try v24.6.3
Tried upgrading to
24.6.2but still experiencing the same issue. Maybe it’s something else on my side.Can anyone confirm if their builds are working after the upgrade?
Hey @mmaietta, thanks for the communication. Here is a clean project with just
ffi-napiinstalled using24.4.0.We are also seeing this issue in
24.xof Electron Builder. The issue seems to be that Electron Builder now leaves all*.nodeprebuilds for every platform in the distribution package. The prebuilds should be filtered so that only prebuilds that match the target platform/architecture are in the distribution package.