Signing Windows installer doesn't sign every binary
- I have read the contribution documentation for this project.
- I agree to follow the code of conduct that this project follows, as appropriate.
- I have searched the issue tracker for an issue that matches the one I want to file, without success.
Please describe your issue:
It appears that electron-packager and electron-wininstaller do not support signing all of the Windows binaries such as ffmpeg.dll, libEGL.dll, and node.dll; AND the resources/*.asar. This means that someone could replace the files in resources/*.asar or the unsigned DLLs with malicious code.
Issue Analytics
- State:
- Created 6 years ago
- Comments:9 (6 by maintainers)
Yes, sadly Windows went fully for the “sign only the executables” where the definition of “executables” has become increasingly out of date. It sounds like the electron/asar library would need to be extended, or a detached signature for the resource/*.asar files be embedded in the electron-builder output.
And as in my situation, the signing would need to be able to be performed by a third party tool.
I’m somewhat surprised that this issue hasn’t already been raised by any of the other electron application users. I’ve filed https://github.com/electron/asar/issues/123
An asar file cannot be signed using the Windows tool. The file format simply doesn’t support it. Electron should support it, because it is not possible to implement a check on the application side (since asar files can be changed).
The good news is that on macOS it is possible to fix without the Electron team — https://stackoverflow.com/questions/35013006/where-does-codesign-store-the-signature-for-a-signed-text-file-on-osx. I will file a PR to electron-osx-sign soon (cc @sethlu).
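An added example, not code from this thread or from any Electron project: a Python audit of an unpacked application directory for the gap described above. It reads each file's PE header and reports whether an embedded Authenticode certificate table is present, so unsigned DLLs show as `unsigned` and `.asar` archives, which are not PE files and have no such table, show as `not-pe`. The function names, the suffix list and the constructed sample header are assumptions made for this illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table
CHECKED_SUFFIXES = {".exe", ".dll", ".node", ".asar"}  # assumed list for this example

def embedded_signature_status(data: bytes) -> str:
    """Return 'signed', 'unsigned' or 'not-pe'. 'signed' means a table is present, not that it validates."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    opt_off = pe_off + 24  # 4-byte PE signature + 20-byte COFF header
    if opt_off + 2 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + {0x10B: 96, 0x20B: 112}.get(magic, 0)  # PE32 / PE32+
    if dirs_off == opt_off or dirs_off > len(data):
        return "not-pe"
    count = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    entry = dirs_off + 8 * SECURITY_DIR
    if count <= SECURITY_DIR or entry + 8 > len(data):
        return "unsigned"
    offset, size = struct.unpack_from("<II", data, entry)
    return "signed" if offset and size else "unsigned"

def audit_app_dir(root) -> dict:
    """Map every executable or .asar file under root to its signature status."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): embedded_signature_status(p.read_bytes())
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in CHECKED_SUFFIXES}

def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable binary."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x98, 0x20B)      # optional header magic: PE32+
    struct.pack_into("<I", buf, 0x98 + 108, 16)   # NumberOfRvaAndSizes
    if signed:                                    # non-zero certificate table entry
        struct.pack_into("<II", buf, 0x98 + 112 + 8 * SECURITY_DIR, 0x1000, 0x200)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    for name, status in audit_app_dir(sys.argv[1]).items():
        print(f"{status:9} {name}")
```

A `signed` result here only confirms that a certificate table exists; verifying the signature and its chain still requires a tool such as SignTool.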