fix: support powershell constrained language mode #7230

@jeremyspiegel jeremyspiegel commented Nov 1, 2022

Fixes #6917

In environments where PowerShell is in Constrained Language Mode, `[Convert]::ToBase64String` and `[System.Text.Encoding]::UTF8.GetBytes` won't work.

We're currently converting the output of `Get-AuthenticodeSignature -LiteralPath '${tempUpdateFile}' | ConvertTo-Json -Compress` to base64 in PowerShell to get possibly non-ASCII data, which would otherwise be output in the current ANSI code page. This workaround was added in #5071, FYI @orzFly @hezhuojie.

I first tried setting PowerShell's `[console]::OutputEncoding`, but that is also not allowed in Constrained Language Mode. So this fix is to run `chcp 65001 > NUL` before running `powershell.exe`. See PowerShell/PowerShell#7233 for more context on this issue.

In order to test that this works with non-ASCII certificate subject names, I created a GitHub release signed with a self-signed certificate with a subject name of `CN=你好` at https://github.com/jeremyspiegel/electron-updater-powershell-test/releases/tag/v1.0.1. I then added the certificate to my Trusted Root Certificate Authorities and added the following test in `test/src/updater/nsisUpdaterTest.ts`:

```ts
test("github powershell", async () => {
  const updater = await createNsisUpdater("1.0.0")
  // Point the updater at the test release signed with the CN=你好 certificate.
  updater.updateConfigPath = await writeUpdateConfig<GithubOptions>({
    provider: "github",
    owner: "jeremyspiegel",
    repo: "electron-updater-powershell-test",
    publisherName: ["CN=你好"]
  })
  const updateCheckResult = await updater.checkForUpdates()
  // The download only resolves if the signature check accepts the publisher name.
  const downloadResult = await updateCheckResult?.downloadPromise
  expect(downloadResult).not.toBeUndefined()
})
```

In order to test that this works in PowerShell Constrained Language Mode, I created a system environment variable `__PSLockDownPolicy=4` and ran the above test.
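
The approach described in this pull request (switch the console to code page 65001, run only cmdlets, read the JSON as UTF-8), as an added example that is not part of the PR or of electron-updater's code. The helper names, running the command line through cmd.exe, `Status === 0` meaning a valid signature, and exact subject matching are assumptions.

```javascript
// Added example: hypothetical helpers, not electron-updater's own code.

// PowerShell treats ' and the typographic quotes U+2018..U+201B as single-quote
// delimiters; doubling each keeps the path inside one literal string.
function psLiteralPath(filePath) {
  // Assumption: the command is run through cmd.exe, which still expands
  // %VAR% inside double quotes, so such paths are rejected outright.
  if (/["%\r\n\0]/.test(filePath)) {
    throw new Error("path contains characters unsafe for cmd.exe quoting")
  }
  return "'" + filePath.replace(/['\u2018\u2019\u201A\u201B]/g, "$&$&") + "'"
}

// Switch the console to UTF-8 (code page 65001), then run a pipeline made only
// of cmdlets, which Constrained Language Mode permits.
function buildSignatureCommand(filePath) {
  const ps = `Get-AuthenticodeSignature -LiteralPath ${psLiteralPath(filePath)} | ConvertTo-Json -Compress`
  return `chcp 65001 >NUL & powershell.exe -NoProfile -NonInteractive -InputFormat None -Command "${ps}"`
}

// Fail closed: reject output that is not valid UTF-8 JSON, a signature whose
// Status is not 0 (assumed to mean Valid), or an unexpected signer subject.
function verifySignatureOutput(stdoutBytes, publisherNames) {
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(stdoutBytes)
    const sig = JSON.parse(text)
    const subject = sig.SignerCertificate && sig.SignerCertificate.Subject
    return sig.Status === 0 && typeof subject === "string" && publisherNames.includes(subject)
  } catch {
    return false
  }
}

// Constructed samples: the same JSON with the subject as UTF-8 bytes and as
// code page 936 (GBK) bytes, as an ANSI-code-page console would emit it.
const head = Buffer.from('{"Status":0,"SignerCertificate":{"Subject":"CN=')
const tail = Buffer.from('"}}')
const utf8Output = Buffer.concat([head, Buffer.from("你好", "utf8"), tail])
const gbkOutput = Buffer.concat([head, Buffer.from([0xc4, 0xe3, 0xba, 0xc3]), tail])

console.log(buildSignatureCommand("C:\\Temp\\update's.exe"))
console.log(verifySignatureOutput(utf8Output, ["CN=你好"]))
console.log(verifySignatureOutput(gbkOutput, ["CN=你好"]))
```
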


changeset-bot bot commented Nov 1, 2022

🦋 Changeset detected

Latest commit: dbece13

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| electron-updater | Patch |



netlify bot commented Nov 1, 2022

Deploy Preview for car-park-attendant-cleat-11576 ready!

Name Link
🔨 Latest commit dbece13
🔍 Latest deploy log https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/6361b854bca0aa000853dfa2
😎 Deploy Preview https://deploy-preview-7230--car-park-attendant-cleat-11576.netlify.app

Successfully merging this pull request may close these issues.

windowsExecutableCodeSignatureVerifier fails in PowerShell Constrained Language Mode