From 9c0c422834369f42b311b5d9ecd301f8b50bccfa Mon Sep 17 00:00:00 2001
From: beyondkmp
Date: Sat, 7 Jan 2023 01:18:27 +0800
Subject: [PATCH] feat: Provide a custom verify function interface in NsisUpdater for native verification of nsis signatures (#7337)
---
 .changeset/slow-avocados-carry.md | 5 +++
 docs/configuration/win.md | 43 ++++++++++++++++++++
 packages/electron-updater/src/NsisUpdater.ts | 21 +++++++++-
 packages/electron-updater/src/main.ts | 5 +++
 4 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/slow-avocados-carry.md
diff --git a/.changeset/slow-avocados-carry.md b/.changeset/slow-avocados-carry.md
new file mode 100644
index 00000000000..b94453582b1
--- /dev/null
+++ b/.changeset/slow-avocados-carry.md
@@ -0,0 +1,5 @@
+---
+"electron-updater": minor
+---
+
+feat: Provide a custom verify function interface to enable nsis signature verification alternatives instead of powershell
diff --git a/docs/configuration/win.md b/docs/configuration/win.md
index 23579699a51..e4555ee1985 100644
--- a/docs/configuration/win.md
+++ b/docs/configuration/win.md
@@ -58,6 +58,49 @@ exports.default = async function(configuration) { } ``` +#### How do use a custom verify function to enable nsis signature verification alternatives instead of powershell? + +Use the `verifyUpdateCodeSignature` interface: + +```js +/** +* return null if verify signature succeed +* return error message if verify signature failed +*/ +export type verifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise +``` + +Pass a custom verify function to the nsis updater. For example, if you want to use a native verify function, you can use [win-verify-signature](https://github.com/beyondkmp/win-verify-trust). + + +```js +import { NsisUpdater } from "electron-updater" +import { verifySignatureByPublishName } from "win-verify-signature" +// Or MacUpdater, AppImageUpdater + +export default class AppUpdater { + constructor() { + const options = { + requestHeaders: { + // Any request headers to include here + }, + provider: 'generic', + url: 'https://example.com/auto-updates' + } + + const autoUpdater = new NsisUpdater(options) + autoUpdater.verifyUpdateCodeSignature = (publisherName: string[], path: string) => { + const result = verifySignatureByPublishName(path, publisherName); + if(result.signed) return Promise.resolve(null); + return Promise.resolve(result.message); + } + autoUpdater.addAuthHeader(`Bearer ${token}`) + autoUpdater.checkForUpdatesAndNotify() + } +} +``` + + #### How do create Parallels Windows 10 Virtual Machine? !!! warning "Disable "Share Mac user folders with Windows"" diff --git a/packages/electron-updater/src/NsisUpdater.ts b/packages/electron-updater/src/NsisUpdater.ts index 766ec4892c9..c509ed3f0a1 100644 --- a/packages/electron-updater/src/NsisUpdater.ts +++ b/packages/electron-updater/src/NsisUpdater.ts 
@@ -6,7 +6,7 @@ import { BaseUpdater, InstallOptions } from "./BaseUpdater"
 import { DifferentialDownloaderOptions } from "./differentialDownloader/DifferentialDownloader"
 import { FileWithEmbeddedBlockMapDifferentialDownloader } from "./differentialDownloader/FileWithEmbeddedBlockMapDifferentialDownloader"
 import { GenericDifferentialDownloader } from "./differentialDownloader/GenericDifferentialDownloader"
-import { DOWNLOAD_PROGRESS, ResolvedUpdateFileInfo } from "./main"
+import { DOWNLOAD_PROGRESS, ResolvedUpdateFileInfo, verifyUpdateCodeSignature } from "./main"
 import { blockmapFiles } from "./util"
 import { findFile, Provider } from "./providers/Provider"
 import { unlink } from "fs-extra"
@@ -25,6 +25,23 @@ export class NsisUpdater extends BaseUpdater {
 super(options, app)
 }
 
+ protected _verifyUpdateCodeSignature: verifyUpdateCodeSignature = (publisherNames: Array, unescapedTempUpdateFile: string) =>
+ verifySignature(publisherNames, unescapedTempUpdateFile, this._logger)
+
+ /**
+ * The verifyUpdateCodeSignature. You can pass [win-verify-signature](https://github.com/beyondkmp/win-verify-trust) or another custom verify function: ` (publisherName: string[], path: string) => Promise`.
+ * The default verify function uses [windowsExecutableCodeSignatureVerifier](https://github.com/electron-userland/electron-builder/blob/master/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts)
+ */
+ get verifyUpdateCodeSignature(): verifyUpdateCodeSignature {
+ return this._verifyUpdateCodeSignature
+ }
+
+ set verifyUpdateCodeSignature(value: verifyUpdateCodeSignature) {
+ if (value) {
+ this._verifyUpdateCodeSignature = value
+ }
+ }
+
 /*** @private */
 protected doDownloadUpdate(downloadUpdateOptions: DownloadUpdateOptions): Promise> {
 const provider = downloadUpdateOptions.updateInfoAndProvider.provider
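Review bot: The setter in the second hunk (`if (value) { this._verifyUpdateCodeSignature = value }`) silently ignores a falsy assignment and stores any truthy value, function or not, so a misconfigured verifier is only discovered once an update has already been downloaded. Because the call-site hunk further down returns this function's result as the signature verdict for the installer, a bad assignment should be loud: `if (typeof value !== "function") throw new TypeError("verifyUpdateCodeSignature must be a function")`. The getter's doc comment opens with "The verifyUpdateCodeSignature." and never states the contract; I would replace that sentence with `Function that decides whether a downloaded installer is trusted: resolves to null to accept, or to an error message to reject.` and mention that a custom function, unlike the default, is not handed `this._logger`. The link label `win-verify-signature` points at a repository named `win-verify-trust`; one of the two names should be corrected so readers install the intended package.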
@@ -101,7 +118,7 @@ export class NsisUpdater extends BaseUpdater { } throw e } - return await verifySignature(Array.isArray(publisherName) ? publisherName : [publisherName], tempUpdateFile, this._logger) + return await this._verifyUpdateCodeSignature(Array.isArray(publisherName) ? publisherName : [publisherName], tempUpdateFile) } protected doInstall(options: InstallOptions): boolean { diff --git a/packages/electron-updater/src/main.ts b/packages/electron-updater/src/main.ts index 064907b9230..f15c0b78936 100644 --- a/packages/electron-updater/src/main.ts +++ b/packages/electron-updater/src/main.ts @@ -138,3 +138,8 @@ export interface Logger { debug?(message: string): void } + +// return null if verify signature succeed +// return error message if verify signature failed + +export type verifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise
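Review bot: The first hunk returns whatever the app-supplied function resolves to, so a custom verifier that resolves `undefined` (for example a missing `return`) or some other non-string value reaches the caller unchecked; since the contract in main.ts makes `null` the success value, a loose null test in the caller would accept the installer. The caller and the start of this method are outside the hunk, so how strictly the result is tested should be confirmed. I would normalise at this line so that only an exact `null` passes: `const status = await this._verifyUpdateCodeSignature(names, tempUpdateFile)` followed by `return status === null ? null : String(status ?? "custom verifier returned no result")`, with `names` standing for the existing `Array.isArray(...)` expression. A message through `this._logger` when a non-default verifier is in use would also help when investigating an unexpected update.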
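Review bot: In the main.ts hunk the two `//` comments are separated from the exported type by a blank line, so editors and generated docs will not attach them to `verifyUpdateCodeSignature`; a TSDoc block directly above the alias would, e.g. `/** Resolves to null when the signature is valid and the signer matches one of publisherName; resolves to an error message otherwise. */`. The alias is lower camel case while the other exported types visible in this patch (`Logger`, `ResolvedUpdateFileInfo`) are Pascal case, and the parameter is called `publisherName` although it is an array and NsisUpdater.ts names it `publisherNames`. The comment should also say what a rejected promise means, since anyone implementing this check needs to know whether throwing counts as a failed verification.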