From 78448af062e2ce70c1eb590c05cce01919933e26 Mon Sep 17 00:00:00 2001
From: Mike Maietta <mmaietta@users.noreply.github.com>
Date: Mon, 24 Jul 2023 12:58:24 -0700
Subject: [PATCH] fix: add `signExts` configuration option to not sign `.node`
 files by default (#7685)

---
 .changeset/sharp-jobs-chew.md                     |  5 +++++
 docs/configuration/win.md                         |  3 ++-
 netlify-docs.sh                                   |  3 ++-
 packages/app-builder-lib/scheme.json              | 15 +++++++++++++++
 .../app-builder-lib/src/options/winOptions.ts     |  8 ++++++++
 packages/app-builder-lib/src/winPackager.ts       |  3 ++-
 6 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/sharp-jobs-chew.md

diff --git a/.changeset/sharp-jobs-chew.md b/.changeset/sharp-jobs-chew.md
new file mode 100644
index 00000000000..b9a1b474d52
--- /dev/null
+++ b/.changeset/sharp-jobs-chew.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: allow explicit configuration on what additional files to sign. Do not sign .node files by default
diff --git a/docs/configuration/win.md b/docs/configuration/win.md
index e4555ee1985..74ebfee06d3 100644
--- a/docs/configuration/win.md
+++ b/docs/configuration/win.md
@@ -31,7 +31,8 @@ The top-level [win](configuration.md#Configuration-win) key contains set of opti
 <li><code id="WindowsConfiguration-verifyUpdateCodeSignature">verifyUpdateCodeSignature</code> = <code>true</code> Boolean - Whether to verify the signature of an available update before installation. The <a href="#publisherName">publisher name</a> will be used for the signature verification.</li>
 <li><code id="WindowsConfiguration-requestedExecutionLevel">requestedExecutionLevel</code> = <code>asInvoker</code> “asInvoker” | “highestAvailable” | “requireAdministrator” | “undefined” - The <a href="https://msdn.microsoft.com/en-us/library/6ad1fshk.aspx#Anchor_9">security level</a> at which the application requests to be executed. Cannot be specified per target, allowed only in the <code>win</code>.</li>
 <li><code id="WindowsConfiguration-signAndEditExecutable">signAndEditExecutable</code> = <code>true</code> Boolean - Whether to sign and add metadata to executable. Advanced option.</li>
-<li><code id="WindowsConfiguration-signDlls">signDlls</code> = <code>false</code> Boolean - Whether to sign DLL files. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384">https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384</a></li>
+<li tag.description=""><code id="WindowsConfiguration-signDlls">signDlls</code> = <code>false</code> Boolean - Whether to sign DLL files. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384">https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384</a> Deprecated:</li>
+<li><code id="WindowsConfiguration-signExts">signExts</code> Array&lt;String&gt; | “undefined” - Explicit file extensions to also sign. Advanced option. See: <a href="https://github.com/electron-userland/electron-builder/issues/7329">https://github.com/electron-userland/electron-builder/issues/7329</a></li>
 </ul>
 
 <!-- end of generated block -->
diff --git a/netlify-docs.sh b/netlify-docs.sh
index 4ce11f49fd5..aaddfd93bfe 100644
--- a/netlify-docs.sh
+++ b/netlify-docs.sh
@@ -2,6 +2,7 @@
 pip3 install pipenv
 pipenv install
 echo "Installing pnpm"
-npx pnpm install --store=./node_modules/.pnpm-store
+npm i -g pnpm@latest-7
+pnpm install --store=./node_modules/.pnpm-store
 echo "Building site docs"
 mkdocs build
diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
index fca4abbb513..1d450559cdc 100644
--- a/packages/app-builder-lib/scheme.json
+++ b/packages/app-builder-lib/scheme.json
@@ -6340,6 +6340,21 @@
           "description": "Whether to sign DLL files. Advanced option.",
           "type": "boolean"
         },
+        "signExts": {
+          "anyOf": [
+            {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "default": null,
+          "description": "Explicit file extensions to also sign. Advanced option."
+        },
         "signingHashAlgorithms": {
           "anyOf": [
             {
diff --git a/packages/app-builder-lib/src/options/winOptions.ts b/packages/app-builder-lib/src/options/winOptions.ts
index 60a2d345ae8..980d18b2d12 100644
--- a/packages/app-builder-lib/src/options/winOptions.ts
+++ b/packages/app-builder-lib/src/options/winOptions.ts
@@ -96,8 +96,16 @@ export interface WindowsConfiguration extends PlatformSpecificBuildOptions {
    * Whether to sign DLL files. Advanced option.
    * @see https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384
    * @default false
+   * @deprecated Use `signExts` instead for more explicit control
    */
   readonly signDlls?: boolean
+
+  /**
+   * Explicit file extensions to also sign. Advanced option.
+   * @see https://github.com/electron-userland/electron-builder/issues/7329
+   * @default null
+   */
+  readonly signExts?: string[] | null
 }
 
 export type RequestedExecutionLevel = "asInvoker" | "highestAvailable" | "requireAdministrator"
diff --git a/packages/app-builder-lib/src/winPackager.ts b/packages/app-builder-lib/src/winPackager.ts
index eba83e2ecbc..a6817929cdf 100644
--- a/packages/app-builder-lib/src/winPackager.ts
+++ b/packages/app-builder-lib/src/winPackager.ts
@@ -355,7 +355,8 @@ export class WinPackager extends PlatformPackager<WindowsConfiguration> {
 
   private shouldSignFile(file: string): boolean {
     const shouldSignDll = this.platformSpecificBuildOptions.signDlls === true && file.endsWith(".dll")
-    return shouldSignDll || file.endsWith(".exe") || file.endsWith(".node")
+    const shouldSignExplicit = !!this.platformSpecificBuildOptions.signExts?.some(ext => file.endsWith(ext))
+    return shouldSignDll || shouldSignExplicit || file.endsWith(".exe")
   }
 
   protected createTransformerForExtraFiles(packContext: AfterPackContext): FileTransformer | null {