Not signed binary files in package for Windows

[gemiusz]

Is this a Feature or Bug?

Security improvement.

Current behavior:

Windows binary files aren't signed by your certificate - easier for malware to "be Cypress".
In some organisations only signed exe files can be allowed to use.

Desired behavior:

Signed binary files in package for Windows.

Steps to reproduce:

None :)

Versions

Cypress 3.1.0
Windows 10

[Saibamen]

Any update?

[jennifer-shehane]

No work has been done on this issue

[jennifer-shehane]

Since this issue hasn't had activity in a while, we'll close the issue until we can confirm this is still happening. Please comment if there is new information to provide concerning the original issue and we'd be happy to reopen.

[minijus]

@jennifer-shehane would it be possible to reopen this issue?

Our organisation is exactly such as described:

In some organisations only signed exe files can be allowed to use.

Please let me know if there is any help needed with requirements gathering. The release process does not seem to be open sourced, so it will not be possible to contribute with actual change, I guess.

Edit:
It seems Mac binary was affected by similar issue #5791 and it was solved by #6013.
@bahmutov @brian-mann would it be possible to configure electron-builder to code sign Windows app as well? Would you be accepting PRs for this?

[jennifer-shehane]

@minijus We would be open to accepting PRs for this if it's not too heavy of a lift by our team to finish. I remember the signing of the Mac binary was not a simple task, it ended up taking months, but maybe it will be easier since we already set that up. We would need the process automated in a similar way.

[minijus]

Just did a quick verification of passing needed data to electron-builder as per Code Signing documentation.

It seems that setting WIN_CSC_LINK and WIN_CSC_KEY_PASSWORD is enough to produce signed binaries.
After running yarn binary-build in local workspace with env variables mentioned above:

In order to continue Cypress should acquire Code Signing certificate, add it to CI system and 🥳.

Update:
@jennifer-shehane could Cypress have internal discussion to buy code signing certificate (~400 $/yr)?

[jennifer-shehane]

The error when attempting to run cypress open in this situation where orgs only allow signed exe to be used shows like below from #16670 (comment):

Cypress failed to start

...

Command failed with UNKNOWN
spawn UNKNOWN

[cypress-bot]

The code for this is done in cypress-io/cypress#16946, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

[cypress-bot]

Released in 7.6.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v7.6.0, please open a new issue.