fix: add code signing certificate details for Windows build

[flotwig]

Fixes #2543

User facing changelog

• On Windows, the Cypress executable is now code signed by "Cypress.io, Inc.".
  • This fixes spawn UNKNOWN errors when launching Cypress with code signing required by policy on Windows.

Additional details

How has the user experience changed?

This won't happen: #2543 (comment)

exe will appear as signed: #16946 (comment)

PR Tasks

• [na] Have tests been added/updated?
• Has the original issue or this PR been tagged with a release in ZenHub?
• [na] Has a PR for user-facing changes been opened in cypress-documentation?
• [na] Have API changes been updated in the type definitions?
• [na] Have new configuration options been added to the cypress.schema.json?

[cypress-bot]

Thanks for taking the time to open a PR!

• Create a Draft Pull Request if your PR is not ready for review. Mark the PR as Ready for Review when you're ready for a Cypress team member to review the PR.
• Become familiar with the Code Review Checklist for guidelines on coding standards and what needs to be done before a PR can be merged.

[cypress]

---

Test summary

4078 • 0 • 53 • 1 • 0

---

Run details

Project	cypress
Status	Passed
Commit	10d7db5
Started	Jun 15, 2021 7:53 PM
Ended	Jun 15, 2021 8:03 PM
Duration	10:20 💡
OS	Linux Debian - 10.8
Browser	Firefox 88

View run in Cypress Dashboard ➡️

---

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

[flotwig]

Seems to be working properly:

[minijus]

I have noticed that there are more executables in Cypress directory.

When launching Cypress with cypress run --spec option it tries to spawn ffmpeg.exe. Is it possible to sign all required executables?

[flotwig]

Is it possible to sign all required executables?

Huh, I actually assumed the version of ffmpeg we ship is signed by the ffmpeg developers, but upon inspection it is not. I think electron-builder is supposed to sign all .exes, but for some reason, it is not working. @minijus any ideas? I am not sure I will have time to investigate this this week.

[bahmutov]

Is the ffmpeg explicitly listed under binaries to sign on mac? I remember adding all such binaries to be signed

…

Sent from my iPhone

On Jun 16, 2021, at 11:38, Zach Bloomquist ***@***.***> wrote:  Is it possible to sign all required executables? Huh, I actually assumed the version of ffmpeg we ship is signed by the ffmpeg developers, but upon inspection it is not. I think electron-builder is supposed to sign all .exes, but for some reason, it is not working. @minijus any ideas? I am not sure I will have time to investigate this this week. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[flotwig]

mac.binaries looks like it's only for Mac: https://www.electron.build/configuration/mac

cypress/electron-builder.json

Lines 13 to 22 in 41be558

	"binaries": [
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/@ffmpeg-installer/darwin-x64/ffmpeg",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/watchpack-chokidar2/node_modules/fsevents/build/Release/.node",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/watchpack-chokidar2/node_modules/fsevents/build/Release/fse.node",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/registry-js/build/Release/registry.node",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/term-size/vendor/macos/term-size",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/trash/lib/macos-trash",
	"./build/mac/Cypress.app/Contents/Resources/app/packages/server/node_modules/fsevents/fsevents.node",
	"./build/mac/Cypress.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler"
	]

I'm only assuming that electron-builder is supposed to sign all exes based off of conversations like this that imply that it does: electron-userland/electron-builder#5256 Having trouble finding documentation on this point.

E: maybe something could be added in the after-sign-hook?

[bahmutov]

Welcome to the core signing jungle

…

Sent from my iPhone

On Jun 16, 2021, at 11:43, Zach Bloomquist ***@***.***> wrote:  mac.binaries looks like it's only for Mac: https://www.electron.build/configuration/mac https://github.com/cypress-io/cypress/blob/41be55820acb7d4c2eeb610a95507f245a497ac3/electron-builder.json#L13-L22 I'm only assuming that electron-builder is supposed to sign all exes based off of conversations like this that imply that it does: electron-userland/electron-builder#5256 Having trouble finding documentation on this point. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[flotwig]

When launching Cypress with cypress run --spec option it tries to spawn ffmpeg.exe. Is it possible to sign all required executables?

@minijus in the interest of getting some benefit out to users, we can go ahead and merge this as-is to get signed Cypress.exes out in 7.6.0. The way I see it, there's 2 groups here that would be affected by this PR:

1. Folks who run cypress open locally with code signing required and test in CI (majority of users) - a signed ffmpeg.exe is not needed for this, only Cypress.exe
2. Folks who run cypress run --video true either locally or in CI with code signing required (fewer users) - a signed ffmpeg.exe is required for these users to record video.

Issue tracking the unsigned ffmpeg.exe: #17033

I'm curious, does your CI pipeline run in Windows with code signing required?

[minijus]

Thank you @flotwig !

Having Cypress.exe signed is already nice step forward. As you've summed up it will allow to run cypress open which unlocks possibility to conveniently run and develop tests in restricted Windows environment.

We do not run CI on Windows, but it would be great to have possibility to launch headless run locally as well.

[flotwig]

Great to hear. In that case, we will likely not prioritize part (2) for now, until we know someone is affected by it.