From ce1284b738c75fc7876d7e518fecd8c3ad4d3d5a Mon Sep 17 00:00:00 2001 From: Darshan Sen Date: Wed, 22 Feb 2023 14:04:16 +0530 Subject: [PATCH 1/2] doc: add steps about signing the binary in single-executable docs We didn't catch this in https://github.com/nodejs/node/pull/45038 because the binary wasn't signed by default unlike the official Node.js binary, which is signed by the Node.js Foundation identity by default. Refs: https://github.com/nodejs/postject/issues/76 (macOS arm64 part only) Fixes: https://github.com/nodejs/postject/issues/75 Signed-off-by: Darshan Sen --- doc/api/single-executable-applications.md | 32 +++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/doc/api/single-executable-applications.md b/doc/api/single-executable-applications.md index 0e733ddffbb984..12c4ea17da1838 100644 --- a/doc/api/single-executable-applications.md +++ b/doc/api/single-executable-applications.md @@ -33,7 +33,21 @@ tool, [postject][]: $ cp $(command -v node) hello ``` -3. Inject the JavaScript file into the copied binary by running `postject` with +3. Remove the signature of the binary: + + * On macOS: + + ```console + $ codesign --remove-signature hello + ``` + + * On Windows: + + ```console + $ signtool remove /s hello + ``` + +4. Inject the JavaScript file into the copied binary by running `postject` with the following options: * `hello` - The name of the copy of the `node` executable created in step 2. @@ -61,7 +75,21 @@ tool, [postject][]: --macho-segment-name NODE_JS ``` -4. Run the binary: +5. Sign the binary: + + * On macOS: + + ```console + $ codesign --sign - hello + ``` + + * On Windows: + + ```console + $ signtool sign /fd SHA256 hello + ``` + +6. Run the binary: ```console $ ./hello world Hello, world! From 70effbb736b4e335f38d9e7886290b66ba553f46 Mon Sep 17 00:00:00 2001 
From: Darshan Sen Date: Fri, 24 Feb 2023 12:53:50 +0530 Subject: [PATCH 2/2] doc: clarify that signing is optional on Windows Refs: https://github.com/nodejs/node/pull/46764#issuecomment-1441920218 Signed-off-by: Darshan Sen --- doc/api/single-executable-applications.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/doc/api/single-executable-applications.md b/doc/api/single-executable-applications.md index 12c4ea17da1838..fb69681a12c9a7 100644 --- a/doc/api/single-executable-applications.md +++ b/doc/api/single-executable-applications.md @@ -41,7 +41,10 @@ tool, [postject][]: $ codesign --remove-signature hello ``` - * On Windows: + * On Windows (optional): + + [signtool][] can be used from the installed [Windows SDK][]. If this step is + skipped, ignore any signature-related warning from postject. ```console $ signtool remove /s hello @@ -83,7 +86,10 @@ tool, [postject][]: $ codesign --sign - hello ``` - * On Windows: + * On Windows (optional): + + A certificate needs to be present for this to work. However, the unsigned + binary would still be runnable. ```console $ signtool sign /fd SHA256 hello @@ -160,9 +166,11 @@ to help us document them. [ELF]: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format [Mach-O]: https://en.wikipedia.org/wiki/Mach-O [PE]: https://en.wikipedia.org/wiki/Portable_Executable +[Windows SDK]: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ [`process.execPath`]: process.md#processexecpath [`require()`]: modules.md#requireid [`require.main`]: modules.md#accessing-the-main-module [fuse]: https://www.electronjs.org/docs/latest/tutorial/fuses [postject]: https://github.com/nodejs/postject +[signtool]: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool [single executable applications]: https://github.com/nodejs/single-executable
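Review bot: the new step 3 in PATCH 1/2 (hunk at -33,7 +33,21) tells the reader to strip the signature but gives no reason, so it reads as an arbitrary step that is easy to skip. The injection in the following step changes the file contents, so a signature computed over the copied `node` binary no longer matches afterwards. One sentence saying so ahead of the `codesign --remove-signature hello` bullet would make the remove, inject, sign ordering self-explanatory.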
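Review bot: in the new step 5 of PATCH 1/2 (hunk at -61,7 +75,21), `codesign --sign - hello` signs with the ad-hoc identity (`-`) and the text does not say so. An ad-hoc signature is not tied to any certificate and therefore does not identify a publisher. Suggest naming it as ad-hoc signing and noting that a real signing identity replaces `-` when the publisher needs to be verifiable.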
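Review bot: the added sentence "If this step is skipped, ignore any signature-related warning from postject" in PATCH 2/2 (hunk at -41,7 +41,10) asks readers to disregard a warning without saying what it means. If the copied binary was signed, as the PATCH 1/2 commit message says the official binary is, skipping removal leaves a signature that no longer matches the injected file. Suggest stating that explicitly so the result is not mistaken for a validly signed binary.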
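Review bot: "the unsigned binary would still be runnable" in PATCH 2/2 (hunk at -83,7 +86,10) is only accurate when step 3 was performed. Both Windows steps are now marked optional, so a reader who skips both ends up with a binary that still carries the original, now stale, signature rather than an unsigned one. Suggest wording along the lines of "the binary would still be runnable without being re-signed". "A certificate needs to be present" could also say where it has to be, since `signtool sign /fd SHA256 hello` as shown passes no certificate option.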