From 15280fb42ce75f6d25a41659fc786d35ee080d8d Mon Sep 17 00:00:00 2001 From: Darshan Sen Date: Wed, 22 Feb 2023 14:04:16 +0530 Subject: [PATCH] doc: add steps about signing the binary in single-executable docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We didn't catch this in https://github.com/nodejs/node/pull/45038 because the binary wasn't signed by default unlike the official Node.js binary, which is signed by the Node.js Foundation identity by default. Refs: https://github.com/nodejs/postject/issues/76 (macOS arm64 part only) Fixes: https://github.com/nodejs/postject/issues/75 Signed-off-by: Darshan Sen PR-URL: https://github.com/nodejs/node/pull/46764 Reviewed-By: Michaƫl Zasso Reviewed-By: Colin Ihrig Reviewed-By: Michael Dawson Reviewed-By: James M Snell --- doc/api/single-executable-applications.md | 40 +++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/doc/api/single-executable-applications.md b/doc/api/single-executable-applications.md index 5933ae98b1cd73..584541588162c9 100644 --- a/doc/api/single-executable-applications.md +++ b/doc/api/single-executable-applications.md @@ -39,7 +39,24 @@ tool, [postject][]: $ cp $(command -v node) hello ``` -3. Inject the JavaScript file into the copied binary by running `postject` with +3. Remove the signature of the binary: + + * On macOS: + + ```console + $ codesign --remove-signature hello + ``` + + * On Windows (optional): + + [signtool][] can be used from the installed [Windows SDK][]. If this step is + skipped, ignore any signature-related warning from postject. + + ```console + $ signtool remove /s hello + ``` + +4. Inject the JavaScript file into the copied binary by running `postject` with the following options: * `hello` - The name of the copy of the `node` executable created in step 2. @@ -67,7 +84,24 @@ tool, [postject][]: --macho-segment-name NODE_JS ``` -4. Run the binary: +5. Sign the binary: + + * On macOS: + + ```console + $ codesign --sign - hello + ``` + + * On Windows (optional): + + A certificate needs to be present for this to work. However, the unsigned + binary would still be runnable. + + ```console + $ signtool sign /fd SHA256 hello + ``` + +6. Run the binary: ```console $ ./hello world Hello, world! @@ -138,9 +172,11 @@ to help us document them. [ELF]: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format [Mach-O]: https://en.wikipedia.org/wiki/Mach-O [PE]: https://en.wikipedia.org/wiki/Portable_Executable +[Windows SDK]: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ [`process.execPath`]: process.md#processexecpath [`require()`]: modules.md#requireid [`require.main`]: modules.md#accessing-the-main-module [fuse]: https://www.electronjs.org/docs/latest/tutorial/fuses [postject]: https://github.com/nodejs/postject +[signtool]: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool [single executable applications]: https://github.com/nodejs/single-executable