Fixed Bad exe issue#2668
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request updates the Windows SEA executable build pipeline to avoid producing invalid/corrupted .exe outputs by stripping (or disabling) any existing Authenticode signature from the copied Node.js binary before injecting the SEA blob.
Changes:
- Added a
removeAuthenticodeSignature()helper to clear the PE security directory entry and (when possible) truncate the certificate table. - Updated the Windows SEA build flow to call
removeAuthenticodeSignature()immediately after copyingprocess.execPathto the release.exe. - Documented the fix in
ChangeLog.mdunder “Upcoming Release”.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/buildExe.js | Adds signature-stripping logic and wires it into the Windows SEA build sequence prior to rcedit and postject. |
| ChangeLog.md | Notes the Windows SEA .exe corruption fix for the upcoming release notes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+142
to
+146
| const bytes = fs.readFileSync(binaryPath); | ||
| const peOffset = bytes.readUInt32LE(0x3c); | ||
| const optionalHeaderStart = peOffset + 24; | ||
| const optionalHeaderMagic = bytes.readUInt16LE(optionalHeaderStart); | ||
|
|
Comment on lines
+164
to
+169
| if (certTableSize > 0 && certTableFileOffset + certTableSize === bytes.length) { | ||
| fs.writeFileSync(binaryPath, bytes.subarray(0, certTableFileOffset)); | ||
| return; | ||
| } | ||
|
|
||
| fs.writeFileSync(binaryPath, bytes); |
Comment on lines
+148
to
+150
| if (peOffset + 24 > bytes.length) { | ||
| throw new Error(`Invalid PE header offset ${peOffset} for file length ${bytes.length}: ${binaryPath}`); | ||
| } |
Comment on lines
+159
to
+173
| let dataDirectoryStart; | ||
| if (optionalHeaderMagic === 0x10b) { | ||
| dataDirectoryStart = optionalHeaderStart + 96; | ||
| } else if (optionalHeaderMagic === 0x20b) { | ||
| dataDirectoryStart = optionalHeaderStart + 112; | ||
| } else { | ||
| throw new Error(`Unsupported PE optional header magic: 0x${optionalHeaderMagic.toString(16)}`); | ||
| } | ||
|
|
||
| const securityDirectoryEntry = dataDirectoryStart + 8 * 4; | ||
| if (securityDirectoryEntry + 8 > bytes.length) { | ||
| throw new Error( | ||
| `PE security directory entry is out of range: offset=${securityDirectoryEntry}, fileLength=${bytes.length}` | ||
| ); | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request addresses a critical issue with building Windows SEA executables by ensuring that any existing Authenticode signature is stripped from the copied Node.js binary before injecting the SEA blob. This prevents the production of corrupted or invalid
.exefiles during the build process.Windows SEA Executable Build Fixes:
removeAuthenticodeSignaturefunction inscripts/buildExe.jsto programmatically remove any Authenticode signature from the Node.js binary before further modification.scripts/buildExe.jsto invokeremoveAuthenticodeSignatureafter copying the Node.js binary, ensuring the executable is in a clean state before resource injection.Documentation:
ChangeLog.mddescribing the fix for corrupted/bad Windows SEA.exebuilds by stripping the Authenticode signature before injecting the SEA blob.