Update Windows configuration to remove AppX ambiguity #3239
Conversation
...The default configuration should build it already
And properly fail if something goes wrong. This will prevent silent failure like the one in https://buildkite.com/automattic/simplenote-electron/builds/174#0190e36e-b92e-4c7d-a6aa-7c26a02197b0/233-243
|
@codebykat @roundhill I wanted to add additional details on the implementation in the PR description but I run out of time today. Here's a ping to have a look and maybe test the |
|
The .x64 exe worked great for me on Windows 10. I tried installing the .appx but it said there was a code sign error, which I assume is because that has to be done on the Partner Center Portal? |
Correct @roundhill . The AppX are explicitly not signed by CI and we the Partner Center do that for us. |
mokagio
changed the title
| @npx electron-builder --win -p $(PUBLISH) | ||
| ifeq ($(IS_WINDOWS),true) |
There was a problem hiding this comment.
I decided to remove the platform check under the assumption these will mostly run in CI.
I'm not aware of any requirement for building Windows on a non Windows machine either.
This way, the script is simpler to understand.
Makefile
Outdated
| @echo Packaging .appx as well... | ||
| @echo "Packaging appx with dedicated configuration to work around code signing conflicts..." |
There was a problem hiding this comment.
A tiny attempt of help future readers understand the need for the dedicated config
| "afterSign": "./after_sign_hook.js", | ||
| "afterAllArtifactBuild": "./after_sign_hook.js" |
There was a problem hiding this comment.
Notice that these were the same script. If you look into it, the only thing it does is notarizing for macOS. I decided to remove it to keep the config as small as possible.
There was a problem hiding this comment.
To check my understanding of this file: it's fine to remove the calls to the after_sign_hook.js script because they only do macOS notarization and this file only deals with the Windows AppX build, correct?
There was a problem hiding this comment.
@spencertransier correct
| }, | ||
| { | ||
| "target": "appx", | ||
| "arch": ["ia32", "x64"] | ||
| } |
There was a problem hiding this comment.
@mokagio I was about to suggest adding some comments to mention that the .appx is instead generated with a custom config via make package-win32 so it's properly code-signed, + link to this PR's description for the breadcrumbs…
…but then I just realized this is a .json file, which doesn't accept comments 😢
That being said, it seems that electron-builder supports configuration files in YAML (or js) format. So WDYT of migrating the project to a electron-builder.yml file instead of .json in a future PR, so we can start adding such comments to it?
There was a problem hiding this comment.
Sure, 100% agree. I thought I had written it somewhere as a TODO myself, but I couldn't find a reference to share here.
Every time I see a JSON used for config these days my first instinct is to ask if we can make it into a YAML. Being able to comment and use anchors and aliases makes the config work simpler.
Co-authored-by: Olivier Halligon <[email protected]>
What this does
In hindsight, it sounds pretty simple... This fix removes the
appxnode from the default configuration,electron-builder.json, so that CI generates only one set ofappxfiles. Theappxare then generated using a dedicated configuration. More on that later.If you check the logs for the
v2.22.1build, you'll notice that two pairs ofappxare being built. First as part of thenpx electron-builder --wincall which useselectron-builder.json...:...then from the
npx electron-builder --win --config=electron-builder-appx.jsoncall:You'll also notice that the first
appxare code signed while the last are not. This sent me down a bit of a rabbit hole, more on that later, too.So, it turns out that the code signing was not strictly broken, it just so happened that I downloaded the wrong
appxartifacts from the release... 🤦♂️ That's an error only on my part, as our process checklist clearly states to download the ones withwin-storein the name.About code signing AppX
The short story is: We don't need to code sign AppX if we want to upload them to the Microsoft Partner Center. Upon uploading, Microsoft signs them for us. See also https://www.electron.build/configuration/appx#appx-package-code-signing.
Things got confusing when in the migration between CircleCI and Buildkite I made use of the certificate with publisher
CN="Automattic, Inc.", O="Automattic, Inc.", S=California, C=USwhere before we were usingCN=E2E5A157-746D-4B04-9116-ABE5CB928306.So, even though I was able to code sign the
appxwith the new certificates (despite code siging being unnecessary, which I only learned afterwards) Microsoft rejected them because of the mismatch between the expected publisher.About using two configurations
The reason for this setup is that, as far as I able to find, the configuration required to generate a code signed
exevia thensistarget will conflict theappxconfiguration.You can see the various experiments I went through to try and make both configurations play well together in #3235.
In practice,
"certificateSubjectName": "Automattic, Inc."is required to sign theexe— which we need for it to run without looking dodgy, given it is distributed outside the store – but if that setting is present and so are theappxsettings, there will be a failure, e.g. https://buildkite.com/automattic/simplenote-electron/builds/176#0190e45b-0298-4168-b47c-6e2aef7caec3, similar to what is reported in electron-userland/electron-builder#6698As a personal note, I wish I'd been smarter and dig into why we had two configurations sooner. Also worth noting that WordPress Desktop also uses this approach, and I knew it, too, use
electron-builder. The fact that two projects use the same odd configuration setup would have pointed more clearly to the config incompatibility."Proof" that it works
Here's a screenshot of the Partner Center where the
appxpackages from the latest build in this branch have passed validation:And here is a screenshot of my Windows VM where the
exefrom the same build passes the Edge safety check etc.Where to go from here
Things I'd like to look into:
maketask output)electron-builderside, as well as the configuration hierarchy that results in the clash. Maybe there is a reason, but I don't see why we cannot set code sining settings at thensislevel so that only theexewill code sign, instead of havingcertificateSubjectNamein thewinroot and resulting in it code signing theappx, tooelectron-builder.jsonappxsettings