Fix: Windows installers ship unsigned application EXE and DLLs #520
… installers Agent-Logs-Url: https://github.com/PowerPlatformToolBox/desktop-app/sessions/1c00549d-1aa5-4784-be1b-0fc190cf013e Co-authored-by: Power-Maverick <36135520+Power-Maverick@users.noreply.github.com>
Bundle Size Report 📦
Bundle Analysis Reports
The detailed bundle analysis reports are available in the workflow artifacts:
Download the artifacts from the workflow run to view interactive visualizations. Bundle size tracking is now active! This helps prevent bundle bloat.
Pull request overview
Updates the Windows release workflows to ensure the installed application binaries (EXE + DLLs) are signed before NSIS/MSI installers are assembled, addressing the issue where installers were shipping with unsigned embedded app binaries.
Changes:
- Adjust Windows release jobs to build an unpacked app directory, sign EXE/DLLs recursively, then build installers from the pre-signed directory and sign the installer wrappers.
- Remove the prior “repackage portable ZIP” workaround since ZIPs are now produced from the pre-signed `--prepackaged` directory.
- Update signing documentation to describe the new multi-phase signing flow.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `docs/azure-trusted-signing.md` | Documents the updated multi-phase signing approach for Windows artifacts. |
| `.github/workflows/prod-release.yml` | Implements the new Windows build/sign/package/sign workflow for stable releases. |
| `.github/workflows/nightly-release.yml` | Implements the same Windows build/sign/package/sign workflow for insider/nightly releases. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot apply changes based on the comments in this thread. Also got error "No files were found to sign" under step "Sign app binaries using Azure Trusted Signing" - it may be related to the PR comment
Agent-Logs-Url: https://github.com/PowerPlatformToolBox/desktop-app/sessions/41781746-20f4-4a83-949e-dec4147c6056 Co-authored-by: Power-Maverick <36135520+Power-Maverick@users.noreply.github.com>
Fixed in 8f02025. The "No files were found to sign" error was caused by an incorrect unpacked directory path — electron-builder outputs Changes applied:
NSIS and MSI installers embedded an unsigned `Power Platform ToolBox.exe` because signing ran after electron-builder had already assembled the installers. The portable ZIP was patched by a repackage workaround, but the installed app binary remained unsigned.

Changes

Three-phase Windows signing (`prod-release.yml`, `nightly-release.yml`)
- `--dir --x64` / `--dir --arm64` produces the unpacked app directory before any installer is assembled
- `.exe` and `.dll` files (adds DLL signing per issue requirements)
- `--prepackaged` builds NSIS/MSI/MSIWrapped/ZIP from the already-signed directory; a second (non-recursive) signing pass then authenticates the top-level installer `.exe`/`.msi` files

Cleanup
- `--prepackaged` directory
- `win_arch: x64` / `arm64` matrix property for canonical `--dir` flag usage
- `win_unpacked_dir` matrix property with the correct electron-builder output paths (`win-unpacked` for x64, `win-arm64-unpacked` for arm64) — fixes "No files were found to sign" error caused by incorrect path assumption

Docs

Updated `docs/azure-trusted-signing.md` to document the three-phase approach with correct unpacked directory paths

Use a meaningful title for the pull request.
Follow the guidelines from the CONTRIBUTING.md.
Mention the bug or the feature number the PR will be targeting.
Test the change in your own code. (Compile and run)
Resolve all GH Copilot comments.
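
A release gate for the failure this PR fixes, as an added example that is not part of the PR or the project's workflows: it walks an unpacked app directory (such as `win-unpacked`) and lists every `.exe`/`.dll` whose PE header declares no Authenticode certificate table. The function names and the `sample_pe` fixture are assumptions made for illustration, and the check detects a missing signature only; it does not validate the signature or its certificate chain.

```python
import struct
import sys
from pathlib import Path

def has_cert_table(data: bytes) -> bool:
    """True if the PE image declares a non-empty Certificate Table (data directory 4)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header: after 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    if count <= 4:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)  # file offset, size
    return offset > 0 and size > 0 and offset + size <= len(data)

def find_unsigned(root) -> list:
    """Relative paths of .exe/.dll files under root with no (or unreadable) cert table."""
    root, bad = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in (".exe", ".dll"):
            try:
                signed = has_cert_table(path.read_bytes())
            except (ValueError, struct.error):
                signed = False  # malformed PE: report it rather than skip it
            if not signed:
                bad.append(path.relative_to(root).as_posix())
    return bad

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for testing; not a loadable binary."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew -> PE signature
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)        # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 112 + 32, 0x1F0, 0x10)
    return bytes(buf)

if __name__ == "__main__":  # usage: script.py <unpacked-dir>; exits 1 listing offenders
    sys.exit("\n".join(find_unsigned(sys.argv[1] if len(sys.argv) > 1 else ".")) or 0)
```

Run it against the unpacked directory after the binary-signing step and before the `--prepackaged` build; full signature validation on Windows is done with `signtool verify /pa` or `Get-AuthenticodeSignature`.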