feat: support skipping SHA1 signing

[mceachen]

Howdy! Thanks for this package!

Codesigning for my project is quite slow due to the number of .DLLs I need to include. It seems that SHA1 signatures are ignored ever since WIndows 7, and SHA256 is recommended by Microsoft.

Have you considered allowing consumers skip SHA1 signatures?

This patch allows an optional hash to be specified in the options array. It halves my signing time (which takes upwards of 10 minutes otherwise).

Feel free to tweak to taste. I tried to maintain consistency with existing code.

(BTW, if you switched your descriptive comments in your interfaces to jsdoc (use /** message */ instead of // message) your consumers get to see those comments inline).

[mceachen]

Do you want me to add this param to the CLI tool, too?

[felixrieseberg]

Thank you, super supportive of the change! I don't think we need a CLI option, the option itself is good enough for me.

I'd only prefer to keep the type the same but otherwise this can go out!

[mceachen]

keep the type the same

So you'd rather use hash: string rather than hashes: string[]?

[mceachen]

Friendly bump: what needs to be changed here to get the PR merged?

[mceachen]

@MarshallOfSound anything I can do here to get this merged?

[ToshB]

I am eagerly awaiting merging of this pull request. After updating electron-forge I'm unable to sign my MSIs, which apparently doesn't support multiple signatures. This change will let me work around my problem.

[zkrige]

Please can someone accept and merge this PR - im stuck unable to sign MSI's because of this

[AndreyApalkov]

Please can someone accept and merge this PR

[BlackHole1]

keep the type the same

So you'd rather use hash: string rather than hashes: string[]?

Hey @mceachen. Thank you for your PR!

I think what @felixrieseberg is trying to express is: just remove Omit<>.

In the windows-sign code, hash and hashes represent different meanings.

• hash: Used to inform the getSigntoolArgs function what parameters should be passed to sign, see:

  windows-sign/src/sign-with-signtool.ts

  Lines 25 to 30 in 1f91573

  	// Timestamp
  	if (hash === HASHES.sha256) {
  	args.push('/tr', timestampServer);
  	args.push('/td', hash);
  	} else {
  	args.push('/t', timestampServer);

• hashes: Allows developers to choose which hashes they want to use.

Therefore, there is no either-or question, as one is aimed at developers and the other is focused on internal code logic; both are indispensable :)

[mceachen]

just remove Omit<>.

Done! I also merged with upstream main and resolved conflicts. @felixrieseberg @MarshallOfSound if there's anything else I need to do to get this merged, please holler.

[BlackHole1]

LGTM. PTAL @felixrieseberg

[felixrieseberg]

LGTM, merging!

[continuous-auth]

🎉 This PR is included in version 1.2.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[nikwen]

This PR just saved me a ton of work. Thank you, @mceachen!