mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-09 08:21:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix(install.ps1): restore Initialize-ElectronBuilderCache (CSC env vars alone aren't enough)

Browse source 
VM run 4 diagnosis: even with CSC_IDENTITY_AUTO_DISCOVERY=false set,
electron-builder still fetches winCodeSign and signs bundled binaries.
The log shows the signing happens BEFORE the cache extraction:

  • signing with signtool.exe  ...\winpty-agent.exe
  • signing with signtool.exe  ...\OpenConsole.exe
  • downloading winCodeSign-2.6.0.7z
  • <symlink privilege error>

Cause: node-pty's bundled prebuilds are listed in apps/desktop's
asarUnpack ['**/*.node', '**/prebuilds/**']. electron-builder
re-signs anything unpacked from asar, regardless of whether OUR
binary gets signed. The signtool invocation needs winCodeSign on
disk, which needs the .7z extracted, which hits the macOS-symlink
crash on non-admin Windows.

The CSC env vars I added in d5fe46727 only kill IDENTITY DISCOVERY
(so OUR Hermes.exe stays unsigned, which is fine — we have no cert).
They don't prevent the toolchain fetch for the bundled-prebuild
re-sign. I removed the pre-extract in d5fe46727 thinking the env
vars subsumed it; that was wrong. Both are needed.

Restoring Initialize-ElectronBuilderCache verbatim from c7e46f9f3
and keeping the CSC env vars. Wrote a clearer doc-comment at the
call site explaining the two-knob interaction so future maintainers
don't drop one half again.
This commit is contained in:
emozilla 2026-05-28 11:17:05 -04:00
parent e2d69ce066
commit 3b29e65c1b
1 changed files with 92 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

92
scripts/install.ps1
View file

@ -1844,6 +1844,87 @@ function Install-NodeDeps {
}
}
function Initialize-ElectronBuilderCache {
# Pre-warm electron-builder's winCodeSign cache so its own extraction
# of the .7z archive never runs.
#
# Why this exists: even when no signing cert is configured (we set
# CSC_IDENTITY_AUTO_DISCOVERY=false below), electron-builder still
# invokes signtool on node-pty's bundled prebuilt binaries
# (winpty-agent.exe, OpenConsole.exe) because they live under
# asarUnpack: ['**/*.node', '**/prebuilds/**'] in apps/desktop's
# package.json. signtool ships inside winCodeSign-2.6.0.7z, so
# electron-builder fetches and extracts the archive.
#
# The archive contains macOS symbolic links under darwin/10.12/lib/
# (libcrypto.dylib + libssl.dylib pointing at versioned siblings).
# Creating symlinks on Windows requires SeCreateSymbolicLinkPrivilege,
# which non-admin accounts on stock Windows don't have. Result:
# 7-Zip exit 2 on every grandma-class box, four retries, then the
# whole build fails.
#
# The fix: do the extraction ourselves with -snl (don't preserve
# symlinks — store as resolved file content) AND -x!darwin (skip
# the macOS subtree entirely — we're building for Windows). With
# the cache directory populated, electron-builder's "is the cache
# present?" check passes and it never runs its own extraction.
#
# Idempotent: fast-path returns if winCodeSign-2.6.0/windows-10/x64/
# signtool.exe already exists. Tooling: uses 7za.exe from the
# 7zip-bin npm dep (which electron-builder itself depends on, so
# it's present after the workspace npm install completed).
$cacheRoot = "$env:LOCALAPPDATA\electron-builder\Cache\winCodeSign"
$extractedDir = "$cacheRoot\winCodeSign-2.6.0"
$sentinel = "$extractedDir\windows-10\x64\signtool.exe"
if (Test-Path $sentinel) {
Write-Info "electron-builder winCodeSign cache already populated"
return
}
$sevenZip = "$InstallDir\node_modules\7zip-bin\win\x64\7za.exe"
if (-not (Test-Path $sevenZip)) {
$sevenZip = "$InstallDir\apps\desktop\node_modules\7zip-bin\win\x64\7za.exe"
}
if (-not (Test-Path $sevenZip)) {
Write-Warn "7za.exe not found in node_modules; electron-builder may fail to extract winCodeSign"
return
}
New-Item -ItemType Directory -Force -Path $cacheRoot | Out-Null
$tmpArchive = "$env:TEMP\hermes-wincodesign-$(Get-Random).7z"
$url = "https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.6.0/winCodeSign-2.6.0.7z"
Write-Info "Pre-extracting winCodeSign (skips electron-builder's broken-on-Windows extraction)..."
try {
Invoke-WebRequest -Uri $url -OutFile $tmpArchive -UseBasicParsing -ErrorAction Stop
} catch {
Write-Warn "Failed to download winCodeSign: $_"
return
}
$prevEAP = $ErrorActionPreference
$ErrorActionPreference = "Continue"
& $sevenZip x -y -bd -snl "-x!darwin" "-o$cacheRoot" $tmpArchive 2>&1 | ForEach-Object { "$_" }
$code = $LASTEXITCODE
$ErrorActionPreference = $prevEAP
Remove-Item -Force $tmpArchive -ErrorAction SilentlyContinue
if ($code -ne 0) {
Write-Warn "Pre-extraction of winCodeSign failed (7-Zip exit $code)"
return
}
if (Test-Path $sentinel) {
Write-Success "winCodeSign cache pre-populated at $extractedDir"
} else {
Write-Warn "winCodeSign extraction completed but expected file is missing: $sentinel"
}
}
function Install-Desktop {
# Build apps/desktop into a launchable Hermes.exe. Only called from
# Stage-Desktop, which is itself only included in the manifest when
@ -1928,6 +2009,17 @@ function Install-Desktop {
}
Pop-Location
# Pre-warm electron-builder's winCodeSign cache. MUST happen after the
# workspace npm install (we need 7za.exe from 7zip-bin) but BEFORE
# `npm run pack` (electron-builder pre-fetches signtool for re-signing
# node-pty's bundled prebuilds; if its own 7-Zip extraction runs first
# we hit the symlink-privilege crash). Belt-and-suspenders with the
# CSC_IDENTITY_AUTO_DISCOVERY env vars below: those kill cert
# discovery (so no signing actually happens to OUR Hermes.exe),
# while the pre-extract handles the toolchain fetch that still fires
# for the bundled-prebuild re-sign. Both are needed.
Initialize-ElectronBuilderCache
# 2. Build apps/desktop. `npm run pack` runs:
# assert-root-install + write-build-stamp + stage-native-deps +
# tsc -b + vite build + electron-builder --dir