You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add per-cell signature gates that run after the build and before upload, so a
bad signature fails the cell instead of publishing an artifact we only assume
is signed. Each gate is placed where a failure is still fixable — in CI, on the
build that produced it — rather than surfacing downstream at a store upload or
on a user's machine:
- installers: signtool verify /pa (validity + trust chain + timestamp) on each
Setup.exe and the MSI, plus a signer-identity check that it's our cert.
- appx: assert the packages are NOT signed — the Microsoft Store re-signs during
certification, so this catches the inverse regression.
- dmg: mount the image and validate the .app inside (stapler validate + spctl
--assess --type execute). electron-builder staples the .app, not the dmg
container, so the app is what carries the ticket and what Gatekeeper checks.
- mas: pkgutil confirms the package is signed with Apple distribution certs,
catching a broken signing/match setup before App Store Connect upload. No
spctl here — MAS distribution certs aren't Gatekeeper-valid for direct launch.
- mas-dev: codesign validity plus an embedded development provisioning profile,
the two things a sandboxed MAS build needs to launch on a registered device.
These are automated regression gates, not a replacement for on-device checks
(SmartScreen reputation, UAC publisher string, ARM64 native execution).
0 commit comments