Use postMake hook (#2036)

 > [!NOTE] > Moves Windows code signing to a Forge `postMake` hook and removes the previous MakerSquirrel hook. > > - Adds `postMake` to iterate `makeResults` and sign Windows `.exe` artifacts via `signtool` using `SM_CODE_SIGNING_CERT_SHA1_HASH` > - Introduces `signWindowsExecutable` and `SIGNTOOL_PATH` in `forge.config.ts`; logs and skips when env var is absent > - Simplifies `MakerSquirrel` config (removes `windowsSign`) and deletes `scripts/windows-sign-hook.js` > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 50432058855cce4a688a4be81fb692e705c6db71. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>   ## Summary by cubic Moved Windows code signing to Electron Forge’s postMake hook and now sign all .exe artifacts (installer and Setup.exe) on win32 builds. This ensures consistent signing across architectures and removes the custom MakerSquirrel hook. - **Refactors** - Sign Windows artifacts in postMake using DigiCert’s signtool bundled with electron-winstaller. - Removed MakerSquirrel windowsSign config and scripts/windows-sign-hook.js. - Signing runs only when SM_CODE_SIGNING_CERT_SHA1_HASH is set; otherwise it logs and skips. <sup>Written for commit 50432058855cce4a688a4be81fb692e705c6db71. Summary will update automatically on new commits.</sup>   <h3>Greptile Summary</h3> Refactored Windows code signing from MakerSquirrel's `hookModulePath` approach to Electron Forge's `postMake` hook, consolidating signing logic directly in `forge.config.ts`. **Key Changes:** - Moved signing logic from `scripts/windows-sign-hook.js` to `postMake` hook in `forge.config.ts` - Changed signing scope from only `dyad.exe` to all `.exe` files (Squirrel installer and Setup.exe) - Removed cert hash redaction from logging that was present in the previous implementation - Simplified to use TypeScript instead of CommonJS module **Behavioral Changes:** - The PR reverses commit 9107ec7c which specifically restricted signing to only `dyad.exe` to "avoid signing other files and prevent CI signing errors" - Comment on line 138 indicates signing all `.exe` files is intentional, but this should be verified against the reasoning in the earlier commit <h3>Confidence Score: 3/5</h3> - This PR refactors code signing with a significant behavioral change that needs verification - The refactoring itself is clean and consolidates signing logic appropriately, but it introduces two concerns: (1) expands signing from just `dyad.exe` to all `.exe` files, reversing a previous intentional restriction, and (2) removes cert hash redaction from logs. The intentionality of signing all executables should be confirmed. - Verify `forge.config.ts` line 139 behavior matches intent - signing all .exe files vs only dyad.exe <h3>Important Files Changed</h3> | Filename | Overview | |----------|----------| | forge.config.ts | Moved Windows signing from MakerSquirrel hook to postMake hook, now signs all .exe files instead of just dyad.exe, removed cert hash redaction from logs | | scripts/windows-sign-hook.js | Deleted file - signing logic moved to forge.config.ts postMake hook | </details> <h3>Sequence Diagram</h3> ```mermaid sequenceDiagram participant Forge as Electron Forge participant PM as postMake Hook participant Sign as signWindowsExecutable() participant ST as signtool.exe participant DC as DigiCert Timestamp Forge->>Forge: Run makers (MakerSquirrel, etc) Forge->>PM: Call postMake with makeResults loop For each result in makeResults PM->>PM: Check if platform === "win32" alt Windows platform PM->>PM: Log "Processing Windows artifacts" loop For each artifact PM->>PM: Check if filename ends with .exe alt Is .exe file PM->>Sign: signWindowsExecutable(artifact) Sign->>Sign: Check SM_CODE_SIGNING_CERT_SHA1_HASH env var alt Cert hash not set Sign->>PM: Return (skip signing) else Cert hash set Sign->>Sign: Build signtool command with cert hash Sign->>ST: execSync signtool.exe sign /sha1 [hash] [params] [file] ST->>DC: Request timestamp from timestamp.digicert.com DC->>ST: Return timestamp alt Signing successful ST->>Sign: Success Sign->>PM: Log "Signing successful" else Signing failed ST->>Sign: Error Sign->>PM: Throw error end end end end end end PM->>Forge: Return makeResults ```

Use postMake hook (#2036)
1b2a2746 · Will Chen · GitHub · e7525e02 · 1b2a2746 · e7525e02
--- a/forge.config.ts
+++ b/forge.config.ts
@@ -7,8 +7,45 @@ import { VitePlugin } from "@electron-forge/plugin-vite";
 import { FusesPlugin } from "@electron-forge/plugin-fuses";
 import { FuseV1Options, FuseVersion } from "@electron/fuses";
 import { AutoUnpackNativesPlugin } from "@electron-forge/plugin-auto-unpack-natives";
+import { execSync } from "child_process";
 import path from "path";

+// Path to signtool.exe bundled with electron-winstaller
+// On GitHub Actions, this is the full path:
+// D:\a\dyad\dyad\node_modules\electron-winstaller\vendor\signtool.exe
+const SIGNTOOL_PATH = path.join(
+  __dirname,
+  "node_modules",
+  "electron-winstaller",
+  "vendor",
+  "signtool.exe",
+);
+
+/**
+ * Signs a Windows executable using DigiCert's signtool.
+ */
+function signWindowsExecutable(filePath: string): void {
+  const certHash = process.env.SM_CODE_SIGNING_CERT_SHA1_HASH;
+  if (!certHash) {
+    console.log(
+      `[postMake] SM_CODE_SIGNING_CERT_SHA1_HASH not set, skipping signing`,
+    );
+    return;
+  }
+
+  console.log(`[postMake] Signing: ${filePath}`);
+  const signParams = `/sha1 ${certHash} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256`;
+  const cmd = `"${SIGNTOOL_PATH}" sign ${signParams} "${filePath}"`;
+
+  try {
+    execSync(cmd, { stdio: "inherit" });
+    console.log(`[postMake] Signing successful: ${filePath}`);
+  } catch (error) {
+    console.error(`[postMake] Signing failed for ${filePath}:`, error);
+    throw error;
+  }
+}
+
 // Based on https://github.com/electron/forge/blob/6b2d547a7216c30fde1e1fddd1118eee5d872945/packages/plugin/vite/src/VitePlugin.ts#L124
 const ignore = (file: string) => {
  if (!file) return false;
@@ -85,13 +122,30 @@ const config: ForgeConfig = {
    extraModules: ["better-sqlite3"],
    force: true,
  },
-  makers: [
-    new MakerSquirrel({
-      windowsSign: {
-        debug: true,
-        hookModulePath: path.join(__dirname, "scripts", "windows-sign-hook.js"),
+  hooks: {
+    postMake: async (_forgeConfig, makeResults) => {
+      for (const result of makeResults) {
+        // Only sign Windows artifacts
+        if (result.platform !== "win32") {
+          continue;
+        }
+
+        console.log(
+          `[postMake] Processing Windows artifacts for ${result.arch}`,
+        );
+        for (const artifact of result.artifacts) {
+          const fileName = path.basename(artifact).toLowerCase();
+          // Sign .exe files (the Squirrel installer and Setup.exe)
+          if (fileName.endsWith(".exe")) {
+            signWindowsExecutable(artifact);
+          }
+        }
+      }
+      return makeResults;
    },
-    }),
+  },
+  makers: [
+    new MakerSquirrel({}),
    new MakerZIP({}, ["darwin"]),
    new MakerRpm({}),
    new MakerDeb({

--- a/scripts/windows-sign-hook.js
+++ b/scripts/windows-sign-hook.js
-const { execSync } = require("child_process");
-const path = require("path");
-
-const SIGNTOOL_PATH = path.join(
-  __dirname,
-  "..",
-  "node_modules",
-  "electron-winstaller",
-  "vendor",
-  "signtool.exe",
-);
-
-module.exports = function (filePath) {
-  console.log(`[windows-sign-hook] Called with: ${filePath}`);
-  console.log(`[windows-sign-hook] SIGNTOOL_PATH: ${SIGNTOOL_PATH}`);
-  console.log(
-    `[windows-sign-hook] SM_CODE_SIGNING_CERT_SHA1_HASH: ${process.env.SM_CODE_SIGNING_CERT_SHA1_HASH ? "SET" : "NOT SET"}`,
-  );
-
-  const fileName = path.basename(filePath).toLowerCase();
-  if (fileName !== "dyad.exe") {
-    console.log(`[windows-sign-hook] Skipping: ${fileName}`);
-    return;
-  }
-
-  console.log(`[windows-sign-hook] Signing: ${fileName}`);
-  const certHash = process.env.SM_CODE_SIGNING_CERT_SHA1_HASH;
-  const signParams = `/sha1 ${certHash} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256`;
-  const cmd = `"${SIGNTOOL_PATH}" sign ${signParams} "${filePath}"`;
-  const redactedSignParams = `/sha1 ${certHash ? "[REDACTED]" : "[NOT SET]"} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256`;
-  const redactedCmd = `"${SIGNTOOL_PATH}" sign ${redactedSignParams} "${filePath}"`;
-  console.log(`[windows-sign-hook] Command: ${redactedCmd}`);
-
-  try {
-    execSync(cmd, { stdio: "inherit" });
-    console.log(`[windows-sign-hook] Signing successful`);
-  } catch (error) {
-    console.error(`[windows-sign-hook] Signing failed:`, error);
-    throw error;
-  }
-};