From 060c4f64a83295bbed24daab50efc4d2280c7f8f Mon Sep 17 00:00:00 2001
From: emozilla
Date: Thu, 28 May 2026 13:14:23 -0400
Subject: [PATCH] fix(desktop): signAndEditExecutable=false to skip signtool path entirely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After reading app-builder-lib/winPackager.js line 216 + 231 directly: signAndEditExecutable is the ACTUAL hardcoded gate that short-circuits both signApp() (which signs Hermes.exe + every shouldSignFile match including bundled prebuilds) AND createTransformerForExtraFiles(). None of signtoolOptions.sign / sign:null / sign: gate the winCodeSign download — that happens before they're consulted.

What we lose: rcedit also runs through signAndEditResources, so disabling this drops PE metadata (file properties showing 'Hermes' / 'Nous Research' / file description). Cost is real but bounded:

* Hermes.exe filename, icon, asar contents, app identity intact
* Task Manager shows 'Hermes.exe' (the filename) not 'Hermes' (PE description) — minor downgrade
* Start menu, taskbar, window title all work normally
* SmartScreen will warn once (unsigned, same as before)

When the cert lands, flip signAndEditExecutable back to default true, both signing AND rcedit return, PE metadata is restored.

Removes the no-op sign function (build-noop-sign.cjs) since signAndEditExecutable=false prevents signtool from being invoked at all — the custom hook never gets called either.
---
 apps/desktop/build-noop-sign.cjs | 28 ----------------------------
 apps/desktop/package.json | 4 +---
 2 files changed, 1 insertion(+), 31 deletions(-)
 delete mode 100644 apps/desktop/build-noop-sign.cjs

diff --git a/apps/desktop/build-noop-sign.cjs b/apps/desktop/build-noop-sign.cjs
deleted file mode 100644
index d1ef352db7..0000000000
--- a/apps/desktop/build-noop-sign.cjs
+++ /dev/null
@@ -1,28 +0,0 @@
-// No-op sign function for electron-builder.
-//
-// electron-builder's win.signtoolOptions.sign hook lets you BYO signing
-// logic instead of letting electron-builder fetch signtool from winCodeSign
-// and run it itself. We don't sign on grandma's box (no cert, no cert
-// infrastructure, and the bundled node-pty prebuilds are already signed
-// by their authors upstream).
-//
-// By providing this no-op function, electron-builder:
-// 1. Doesn't try to fetch winCodeSign from GitHub
-// 2. Doesn't try to extract winCodeSign-2.6.0.7z (which fails on
-// non-admin Windows due to the darwin/*.dylib symlinks needing
-// SeCreateSymbolicLinkPrivilege)
-// 3. Considers every bundled binary "signed" and moves on
-//
-// The produced Hermes.exe and its bundled prebuild .exes ship unsigned.
-// SmartScreen will warn once on first launch ("More info → Run anyway"),
-// same friction as Hermes-Setup.exe itself. The architecture's signing-
-// ready: when Nous Research's signing cert lands, replace this file with
-// a real signtool invocation or @electron/windows-sign-based hook.
-//
-// Referenced from package.json's build.win.signtoolOptions.sign.
-
-module.exports = async function noopSign(_configuration) {
- // Intentionally do nothing. electron-builder treats a resolved promise
- // (or non-Error return) as "signing succeeded."
- return undefined
-}
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
index 00c7b88d6c..8497b14738 100644
--- a/apps/desktop/package.json
+++ b/apps/desktop/package.json
@@ -201,9 +201,7 @@
 "nsis",
 "msi"
 ],
- "signtoolOptions": {
- "sign": "./build-noop-sign.cjs"
- }
+ "signAndEditExecutable": false
 },
 "nsis": {
 "oneClick": false,
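Review bot: The package.json hunk leaves no in-tree record of why Windows signing is off — JSON carries no comments, and the header of the deleted build-noop-sign.cjs appears to have been the only place the unsigned state, the SmartScreen behaviour and the re-enable step were written down, so that rationale now lives only in this commit message. I would add a short section to the desktop build documentation (<DESKTOP_BUILD_DOCS_PATH> — placeholder, pick the existing doc) stating that `"signAndEditExecutable": false` intentionally skips both signtool and rcedit, that PE version metadata is therefore absent from Hermes.exe, and that restoring the default re-enables both once a certificate is available. Since the commit message traces the "signtool is never invoked" claim only through signApp() and createTransformerForExtraFiles(), it is worth confirming on a build log that the "nsis" and "msi" targets listed in this hunk do not reach the winCodeSign download through a separate installer-signing call. Until a certificate lands, publishing SHA-256 checksums of the release artifacts alongside the builds gives users an integrity check that the unsigned binaries otherwise lack.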