mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-14 09:11:54 +00:00
fix(desktop): signAndEditExecutable=false to skip signtool path entirely
After reading app-builder-lib/winPackager.js line 216 + 231 directly:
signAndEditExecutable is the ACTUAL hardcoded gate that short-circuits
both signApp() (which signs Hermes.exe + every shouldSignFile match
including bundled prebuilds) AND createTransformerForExtraFiles().
None of signtoolOptions.sign / sign:null / sign:<custom-fn> gate the
winCodeSign download — that happens before they're consulted.
What we lose: rcedit also runs through signAndEditResources, so
disabling this drops PE metadata (file properties showing 'Hermes' /
'Nous Research' / file description). Cost is real but bounded:
* Hermes.exe filename, icon, asar contents, app identity intact
* Task Manager shows 'Hermes.exe' (the filename) not 'Hermes' (PE
description) — minor downgrade
* Start menu, taskbar, window title all work normally
* SmartScreen will warn once (unsigned, same as before)
When the cert lands, flip signAndEditExecutable back to default true,
both signing AND rcedit return, PE metadata is restored.
Removes the no-op sign function (build-noop-sign.cjs) since
signAndEditExecutable=false prevents signtool from being invoked at
all — the custom hook never gets called either.
This commit is contained in:
emozilla
parent
91bf5ee6b7
commit
060c4f64a8
2 changed files with 1 additions and 31 deletions
|
|
@ -1,28 +0,0 @@
|
|||
// No-op sign function for electron-builder.
|
||||
//
|
||||
// electron-builder's win.signtoolOptions.sign hook lets you BYO signing
|
||||
// logic instead of letting electron-builder fetch signtool from winCodeSign
|
||||
// and run it itself. We don't sign on grandma's box (no cert, no cert
|
||||
// infrastructure, and the bundled node-pty prebuilds are already signed
|
||||
// by their authors upstream).
|
||||
//
|
||||
// By providing this no-op function, electron-builder:
|
||||
// 1. Doesn't try to fetch winCodeSign from GitHub
|
||||
// 2. Doesn't try to extract winCodeSign-2.6.0.7z (which fails on
|
||||
// non-admin Windows due to the darwin/*.dylib symlinks needing
|
||||
// SeCreateSymbolicLinkPrivilege)
|
||||
// 3. Considers every bundled binary "signed" and moves on
|
||||
//
|
||||
// The produced Hermes.exe and its bundled prebuild .exes ship unsigned.
|
||||
// SmartScreen will warn once on first launch ("More info → Run anyway"),
|
||||
// same friction as Hermes-Setup.exe itself. The architecture's signing-
|
||||
// ready: when Nous Research's signing cert lands, replace this file with
|
||||
// a real signtool invocation or @electron/windows-sign-based hook.
|
||||
//
|
||||
// Referenced from package.json's build.win.signtoolOptions.sign.
|
||||
|
||||
module.exports = async function noopSign(_configuration) {
|
||||
// Intentionally do nothing. electron-builder treats a resolved promise
|
||||
// (or non-Error return) as "signing succeeded."
|
||||
return undefined
|
||||
}
|
||||
|
|
@ -201,9 +201,7 @@
|
|||
"nsis",
|
||||
"msi"
|
||||
],
|
||||
"signtoolOptions": {
|
||||
"sign": "./build-noop-sign.cjs"
|
||||
}
|
||||
"signAndEditExecutable": false
|
||||
},
|
||||
"nsis": {
|
||||
"oneClick": false,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue