feat: Provide a custom verify function interface in NsisUpdater #7337

Merged: 6 commits merged on Jan 6, 2023

beyondkmp (Contributor) commented Dec 24, 2022

Replace the PowerShell with a native verify signature module, but not all users will have access to a Windows build machine if their project does not currently require a native module. For instance, compiling with Wine on Linux/Docker would no longer work.

Providing a custom verify function interface: if the user wants to use a native verify module, they can pass it, and they need to have access to a Windows build machine. If they don't pass it, the default verify signature function will be used (https://github.com/electron-userland/electron-builder/blob/master/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts).

Interface

```ts
/**
 * The verifyUpdateCodeSignature. You can pass [win-verify-signature](https://github.com/beyondkmp/win-verify-trust) or another custom verify function: `(publisherName: string[], path: string) => Promise<string | null>`.
 * The default verify function uses [windowsExecutableCodeSignatureVerifier](https://github.com/electron-userland/electron-builder/blob/master/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts)
 */
// Returns null if signature verification succeeds.
// Returns an error message if signature verification fails.
export type verifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise<string | null>
```

Example

```ts
import { NsisUpdater } from "electron-updater" // Or MacUpdater, AppImageUpdater
import { verifySignatureByPublishName } from "win-verify-signature"

export default class AppUpdater {
    constructor() {
        const options = {
            requestHeaders: {
                // Any request headers to include here
            },
            provider: 'generic',
            url: 'https://example.com/auto-updates'
        }
        const autoUpdater = new NsisUpdater(options)
        // Resolve null when the signature is valid, or the error message when it is not
        autoUpdater.verifyUpdateCodeSignature = (publisherName: string[], path: string) => {
            const result = verifySignatureByPublishName(path, publisherName);
            if (result.signed) return Promise.resolve(null);
            return Promise.resolve(result.message);
        }
        // `token` is assumed to be defined elsewhere
        autoUpdater.addAuthHeader(`Bearer ${token}`)
        autoUpdater.checkForUpdatesAndNotify()
    }
}
```
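A fail-closed adapter for the interface described above, as an added example that is not part of the PR or of electron-updater's own code. `failClosed`, `toVerdict`, `NativeVerifier` and `NativeVerifyResult` are hypothetical names, the result shape is assumed from the `signed`/`message` fields used in the PR's example, and the stubs are constructed stand-ins for a native verifier.

```typescript
// Contract from the PR: resolve null to accept the update, or an error message to reject it.
type VerifyUpdateCodeSignature = (publisherName: string[], path: string) => Promise<string | null>

// Hypothetical result shape, assumed from the `signed` / `message` fields in the PR's example.
interface NativeVerifyResult {
  signed: boolean
  message?: string
}
// Hypothetical native verifier (path first, as in the PR's example call); may be sync or async.
type NativeVerifier = (path: string, publisherName: string[]) => NativeVerifyResult | Promise<NativeVerifyResult>

// Only an explicit `signed === true` accepts; a missing or malformed result rejects.
function toVerdict(result: unknown): string | null {
  if (typeof result !== "object" || result === null) return "verifier returned no result"
  const r = result as Partial<NativeVerifyResult>
  if (r.signed === true) return null
  return typeof r.message === "string" && r.message.length > 0 ? r.message : "signature verification failed"
}

// Wrap a verifier so that every failure mode becomes an error message, never null.
function failClosed(verify: NativeVerifier): VerifyUpdateCodeSignature {
  return async (publisherName, path) => {
    // Defensive choice in this example: an empty allow-list is rejected before the verifier runs.
    if (publisherName.length === 0) return "no publisher names configured"
    try {
      return toVerdict(await verify(path, publisherName))
    } catch (e) {
      return `verifier threw: ${e instanceof Error ? e.message : String(e)}`
    }
  }
}

// Constructed stubs standing in for a native verifier (not real library calls).
const stubs: NativeVerifier[] = [
  () => ({ signed: true }),
  () => ({ signed: false, message: "publisher mismatch" }),
  () => undefined as unknown as NativeVerifyResult, // misbehaving module returns nothing
  () => { throw new Error("native module failed to load") },
]

// Runs each stub through the adapter with a constructed publisher list and path.
async function demo(): Promise<Array<string | null>> {
  return Promise.all(stubs.map(s => failClosed(s)(["Example Corp"], "C:\\tmp\\update.exe")))
}
```

The wrapped function has the shape the PR's interface expects, so it can be assigned to `verifyUpdateCodeSignature` in place of the inline arrow function shown in the example.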

changeset-bot (bot) commented Dec 24, 2022

🦋 Changeset detected

Latest commit: e9295e6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name | Type
electron-updater | Minor


netlify (bot) commented Dec 24, 2022

Deploy Preview for car-park-attendant-cleat-11576 ready!

Name Link
🔨 Latest commit e9295e6
🔍 Latest deploy log https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/63b681422eeff200083d2041
😎 Deploy Preview https://deploy-preview-7337--car-park-attendant-cleat-11576.netlify.app/configuration/win

beyondkmp changed the title from "Feat: Provide a custom verify function interface" to "feat: Provide a custom verify function interface" on Dec 24, 2022
beyondkmp changed the title from "feat: Provide a custom verify function interface" to "feat: Provide a custom verify function interface in NsisUpdater" on Dec 24, 2022

beyondkmp (Contributor, Author) commented Jan 4, 2023

Maybe we need a separate note in that PR's Markdown Docs to call out this awesome enhancement?

Could I add the example to slow-avocados-carry.md?

```ts
import { NsisUpdater } from "electron-updater" // Or MacUpdater, AppImageUpdater
import { verifySignatureByPublishName } from "win-verify-signature"

export default class AppUpdater {
    constructor() {
        const options = {
            requestHeaders: {
                // Any request headers to include here
            },
            provider: 'generic',
            url: 'https://example.com/auto-updates'
        }

        const autoUpdater = new NsisUpdater(options)
        // Resolve null when the signature is valid, or the error message when it is not
        autoUpdater.verifyUpdateCodeSignature = (publisherName: string[], path: string) => {
            const result = verifySignatureByPublishName(path, publisherName);
            if (result.signed) return Promise.resolve(null);
            return Promise.resolve(result.message);
        }
        // `token` is assumed to be defined elsewhere
        autoUpdater.addAuthHeader(`Bearer ${token}`)
        autoUpdater.checkForUpdatesAndNotify()
    }
}
```

mmaietta (Collaborator) commented Jan 4, 2023

slow-avocados-carry.md is specifically for the release automation to pick up a PR for auto-publishing to npm. So let's keep that file as-is.

Your example provided looks great though. Perhaps we could add it to the Common Questions for Windows configuration?
https://github.com/electron-userland/electron-builder/blob/master/docs/configuration/win.md

I can't seem to find any other docs specifically on auto-update configuration, just for publishers but not the AppUpdater itself? (Maybe I need to create a separate Page just for that in the future?)

beyondkmp (Contributor, Author) commented

I have added the example to win.md. Please help check it.

rasgo-cc commented Nov 10, 2023

Any chance we could get a bit more info on how this can be implemented?
I currently use the "default" autoUpdater, like this:

import { autoUpdater } from "electron-updater";

How could this be implemented with the "default" updater?
