fix: exclude unsupported node-pty artifacts from windows signing (#3171)

rules/native-modules.md

@@ -7,3 +7,4 @@ Read this when adding Electron native dependencies such as `node-pty`, or any pa
 - Add native runtime packages to `forge.config.ts` `rebuildConfig.extraModules` so Electron Forge rebuilds them against the packaged Electron version.
 - If the package loads helper binaries from disk at runtime (for example `node-pty` loading `spawn-helper` or `winpty-agent` next to its native module), unpack the whole package directory with `packagerConfig.asar.unpackDir`; auto-unpacking `.node` files alone is not enough.
 - Windows release builds using `@electron/windows-sign` recursively try to sign `.ps1` scripts in packaged native dependencies. If a bundled dependency includes helper PowerShell files that are not Authenticode-signable (such as `node-pty`'s `deps/winpty/misc/*.ps1`), remove or exclude them before the Forge signing step or `signtool.exe` will fail with `Number of errors: 2`.
+- Windows signing can also fail on non-Windows native prebuilds that were unpacked into the app bundle. For `node-pty`, strip Darwin-only artifacts such as `prebuilds/darwin-*` and `bin/*` before signing or `signtool.exe` may fail with `This file format cannot be signed because it is not recognized`.

src/__tests__/windows_signing.test.ts

@@ -18,7 +18,7 @@ afterEach(async () => {
 });
 
 describe("removeUnsupportedWindowsSigningFiles", () => {
-  it("removes the node-pty PowerShell scripts that signtool cannot sign", async () => {
+  it("removes node-pty artifacts that Windows signtool should not touch", async () => {
     const buildPath = await fs.mkdtemp(
       path.join(os.tmpdir(), "dyad-windows-signing-"),
     );
@@ -27,9 +27,25 @@ describe("removeUnsupportedWindowsSigningFiles", () => {
     for (const relativePath of UNSUPPORTED_WINDOWS_SIGNING_RELATIVE_PATHS) {
       const absolutePath = path.join(buildPath, relativePath);
       await fs.mkdir(path.dirname(absolutePath), { recursive: true });
-      await fs.writeFile(absolutePath, "Write-Host 'hello'\n");
+
+      if (path.extname(relativePath)) {
+        await fs.writeFile(absolutePath, "Write-Host 'hello'\n");
+      } else {
+        await fs.mkdir(absolutePath, { recursive: true });
+        await fs.writeFile(
+          path.join(absolutePath, "placeholder.node"),
+          "not-a-windows-binary",
+        );
+      }
     }
 
+    const supportedWindowsBinary = path.join(
+      buildPath,
+      "node_modules/node-pty/prebuilds/win32-x64/pty.node",
+    );
+    await fs.mkdir(path.dirname(supportedWindowsBinary), { recursive: true });
+    await fs.writeFile(supportedWindowsBinary, "windows-binary");
+
     await removeUnsupportedWindowsSigningFiles(buildPath);
 
     await Promise.all(
@@ -39,5 +55,9 @@ describe("removeUnsupportedWindowsSigningFiles", () => {
         ).rejects.toThrow();
       }),
     );
+
+    await expect(fs.readFile(supportedWindowsBinary, "utf8")).resolves.toBe(
+      "windows-binary",
+    );
   });
 });

src/lib/windows_signing.ts

@@ -4,6 +4,9 @@ import path from "node:path";
 export const UNSUPPORTED_WINDOWS_SIGNING_RELATIVE_PATHS = [
   "node_modules/node-pty/deps/winpty/misc/ConinMode.ps1",
   "node_modules/node-pty/deps/winpty/misc/IdentifyConsoleWindow.ps1",
+  "node_modules/node-pty/prebuilds/darwin-arm64",
+  "node_modules/node-pty/prebuilds/darwin-x64",
+  "node_modules/node-pty/bin",
 ] as const;
 
 export async function removeUnsupportedWindowsSigningFiles(
@@ -12,7 +15,7 @@ export async function removeUnsupportedWindowsSigningFiles(
   await Promise.all(
     UNSUPPORTED_WINDOWS_SIGNING_RELATIVE_PATHS.map(async (relativePath) => {
       const absolutePath = path.join(buildPath, relativePath);
-      await fs.rm(absolutePath, { force: true });
+      await fs.rm(absolutePath, { force: true, recursive: true });
     }),
   );
 }