1
votes

After running electron-builder for Windows / NSIS during a build process, our dev-ops team set up a build script that code signs the exe before deployment. After it gets to the server, electron-updater fails with a sha512 checksum mismatch (the error occurs during the install, after the file has been fully downloaded). I have also tried pulling the exe file down from the server, running a codesign util from Visual Studio CMD, and then re-uploading. The auto updater also fails with the same error.

Is it not possible to sign the exe after it has been generated, and to still allow for the auto updater to work?

Signing:

signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 value "path"

Log:

Error: sha512 checksum mismatch, expected [value], got [different value]

Configuration in package.json:

"build": {
    "appId": "com.stripped.stripped.stripped",
    "directories": {
        "output": "dist-exe",
        "app": "dist"
    },
    "win": {
        "target": "nsis",
        "icon": "dist/assets/favicon/favicon-256x256.ico",
        "verifyUpdateCodeSignature": false,
        "publish": {
            "provider": "generic",
            "url": "##{ElecronAppUpdaterLocation}##"
        }
    },
    "nsis": {
        "artifactName": "Setup_${version}.${ext}",
        "installerIcon": "dist/assets/favicon/favicon-256x256.ico",
        "installerHeaderIcon": "dist/assets/favicon/favicon-256x256.ico"
    }
}

2 Answers

3
votes

If anyone is still looking for a way to manually generate the Electron checksum, you can use the script mentioned here: https://github.com/electron-userland/electron-builder/issues/3913#issuecomment-504698845

I have tested it and it works fine; Electron was able to update the app to the version with the manually generated checksum.

const path = require('path');
const fs = require('fs');
const crypto = require('crypto');

const YOUR_FILE_PATH = '';  //  POPULATE THIS

function hashFile(file, algorithm = 'sha512', encoding = 'base64', options) {
  return new Promise((resolve, reject) => {
    const hash = crypto.createHash(algorithm);
    hash.on('error', reject).setEncoding(encoding);
    fs.createReadStream(
      file,
      Object.assign({}, options, {
        highWaterMark: 1024 * 1024,
        /* better to use more memory but hash faster */
      })
    )
      .on('error', reject)
      .on('end', () => {
        hash.end();
        // Read the digest once: a second hash.read() returns null.
        const digest = hash.read();
        console.log('hash done');
        console.log(digest);
        resolve(digest);
      })
      .pipe(
        hash,
        {
          end: false,
        }
      );
  });
}

const installerPath = path.resolve(
  __dirname,
  YOUR_FILE_PATH
);

hashFile(installerPath);
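
Why signing after the build breaks the update, and which values then have to be regenerated, as an added example that is not part of the original answer or of electron-builder: signing rewrites the installer bytes, so the `sha512` and `size` recorded in the update manifest go stale. It assumes the `latest.yml` layout electron-builder publishes for the generic provider; the sample manifest, version number and byte strings are constructed.

```javascript
// Added example, not electron-builder code. Assumes the latest.yml layout
// electron-builder publishes for the generic provider.
const crypto = require('crypto');

// Values the updater expects for an installer: base64 SHA-512 and byte size.
function expected(installer) {
  return {
    sha512: crypto.createHash('sha512').update(installer).digest('base64'),
    size: String(installer.length),
  };
}

// Names of manifest fields that no longer describe the installer bytes.
function staleFields(manifest, installer) {
  const want = expected(installer);
  const stale = new Set();
  for (const [, key, value] of manifest.matchAll(/^[ \t]*(sha512|size): (\S+)/gm)) {
    if (value !== want[key]) stale.add(key);
  }
  return [...stale];
}

// Rewrite every sha512/size entry so the manifest matches the signed file.
function refreshManifest(manifest, installer) {
  const want = expected(installer);
  return manifest.replace(/^([ \t]*(sha512|size): )\S+/gm,
    (_, prefix, key) => prefix + want[key]);
}

// Constructed stand-ins for the installer before and after signing.
const unsigned = Buffer.from('MZ constructed installer bytes');
const signed = Buffer.concat([unsigned, Buffer.from('constructed signature')]);

// Constructed manifest as it would look straight after the build.
const built = expected(unsigned);
const sampleManifest = [
  'version: 1.2.3',
  'files:',
  '  - url: Setup_1.2.3.exe',
  `    sha512: ${built.sha512}`,
  `    size: ${built.size}`,
  'path: Setup_1.2.3.exe',
  `sha512: ${built.sha512}`,
  "releaseDate: '2020-01-01T00:00:00.000Z'",
].join('\n');

console.log(staleFields(sampleManifest, signed)); // fields broken by signing
console.log(refreshManifest(sampleManifest, signed));
```

In a pipeline the refresh step would run after `signtool` and before upload, with the installer read from disk via `fs.readFileSync`.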
0
votes

Per the response to the issue on electron-builder in GH, the exe is not allowed to be signed after it has been generated, which unfortunately changes our build process.