Sign tool fails on fresh Windows install

[rkirimov]

Squirrel version(s)
version 2.0.1

Description
The build sign fails on fresh Windows install with the following error:

System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: 'D:\jenkins\workspace\PR-3775\node_modules\electron-winstaller\vendor\signtool.exe sign /a /f "D:\loc\cert\cert.p12" /p "****" D:\jenkins\workspace\PR-3775\squirreltemp\tempa\lib\net45\ffmpeg.dll'
at Squirrel.Update.Program.<signPEFile>d__17.MoveNext()
18:25:48  --- End of stack trace from previous location where exception was thrown ---
18:25:48     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
18:25:48     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
18:25:48     at Squirrel.Update.Program.<>c__DisplayClass10_0.<<Releasify>b__14>d.MoveNext()
18:25:48  --- End of stack trace from previous location where exception was thrown ---
18:25:48     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
18:25:48     at Squirrel.Utility.<>c__DisplayClass13_1`1.<<ForEachAsync>b__1>d.MoveNext()
18:25:48     --- End of inner exception stack trace ---
18:25:48     at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
18:25:48     at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
18:25:48     at Squirrel.Update.Program.<>c__DisplayClass10_0.<Releasify>b__7(String pkgPath)
18:25:48     at Squirrel.ReleasePackage.CreateReleasePackage(String outputFile, String packagesRootDir, Func`2 releaseNotesProcessor, Action`1 contentsPostProcessHook)
18:25:48     at Squirrel.Update.Program.Releasify(String package, String targetDir, String packagesDir, String bootstrapperExe, String backgroundGif, String signingOpts, String baseUrl, String setupIcon, Boolean generateMsi, Boolean packageAs64Bit, String frameworkVersion, Boolean generateDeltas)
18:25:48     at Squirrel.Update.Program.executeCommandLine(String[] args)
18:25:48     at Squirrel.Update.Program.main(String[] args)
18:25:48     at Squirrel.Update.Program.Main(String[] args)

This only happens on brand new Windows systems (before jenkins user logs in for the first time). As soon as I log in as jenkins user, the build succeeds. I've been desperately trying to figure out the cause of this behavior and how to fix it.

Do you know what could be causing this behavior?

Steps to recreate

1. Provision a node with fresh Windows install
2. Run sign command D:\jenkins\workspace\PR-3775\node_modules\electron-winstaller\vendor\signtool.exe sign /a /f "D:\loc\cert\cert.p12" /p "****" D:\jenkins\workspace\PR-3775\squirreltemp\tempa\lib\net45\ffmpeg.dll

Expected behavior
File to be signed successfully.

Actual behavior
The command fails with the aforementioned error

[aviz]

Happens to us too.

[anaisbetts]

I'm not sure there is anything Squirrel can do here, we are invoking SignTool.exe from the SDK - if you can't sign executables, you're kinda out of luck. If your company has a Microsoft Support contract I would contact them and see if they can tell you more about this

[caesay]

It's worth noting that the version of signtool.exe which ships with Squirrel is very old - from the Windows 7 SDK. It might be worth trying to replace signtool.exe with a newer version - eg. from the Windows 10 or Windows 11 SDK. My fork of Squirrel has been updated to use v10.0.19041.

[danworley]

I had this exact issue and solved it by setting the SQUIRREL_TEMP environment variable to a directory path that our build process had access to. If you don't set the SQUIRREL_TEMP env var, your process will use the default %LocalAppData%\SquirrelTemp location, which for an Administrator provisioned account that is never used outside of a build process is actually in the reserved system32 directory (C:\Windows\system32\config\systemprofile\AppData\Local\SquirrelTemp). I figured that the signtool.exe process when squirrel runs it, might have problems writing to this directory, so I added the env var to override it, and was then able to once again sign without issue. Hope it helps!