doc: add steps about signing the binary in single-executable docs

RaisinTen · targos · commit 48cf9845fe3a · 2023-03-14T07:53:33.000+01:00
We didn't catch this in #45038 because the binary wasn't signed by default unlike the official Node.js binary, which is signed by the Node.js Foundation identity by default. Refs: nodejs/postject#76 (macOS arm64 part only) Fixes: nodejs/postject#75 Signed-off-by: Darshan Sen <raisinten@gmail.com> PR-URL: #46764 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/doc/api/single-executable-applications.md b/doc/api/single-executable-applications.md
@@ -33,7 +33,24 @@ tool, [postject][]:
    $ cp $(command -v node) hello
    ```
 
-3. Inject the JavaScript file into the copied binary by running `postject` with
+3. Remove the signature of the binary:
+
+   * On macOS:
+
+   ```console
+   $ codesign --remove-signature hello
+   ```
+
+   * On Windows (optional):
+
+   [signtool][] can be used from the installed [Windows SDK][]. If this step is
+   skipped, ignore any signature-related warning from postject.
+
+   ```console
+   $ signtool remove /s hello
+   ```
+
+4. Inject the JavaScript file into the copied binary by running `postject` with
    the following options:
 
    * `hello` - The name of the copy of the `node` executable created in step 2.
@@ -61,7 +78,24 @@ tool, [postject][]:
          --macho-segment-name NODE_JS
      ```
 
-4. Run the binary:
+5. Sign the binary:
+
+   * On macOS:
+
+   ```console
+   $ codesign --sign - hello
+   ```
+
+   * On Windows (optional):
+
+   A certificate needs to be present for this to work. However, the unsigned
+   binary would still be runnable.
+
+   ```console
+   $ signtool sign /fd SHA256 hello
+   ```
+
+6. Run the binary:
    ```console
    $ ./hello world
    Hello, world!
@@ -132,9 +166,11 @@ to help us document them.
 [ELF]: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
 [Mach-O]: https://en.wikipedia.org/wiki/Mach-O
 [PE]: https://en.wikipedia.org/wiki/Portable_Executable
+[Windows SDK]: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/
 [`process.execPath`]: process.md#processexecpath
 [`require()`]: modules.md#requireid
 [`require.main`]: modules.md#accessing-the-main-module
 [fuse]: https://www.electronjs.org/docs/latest/tutorial/fuses
 [postject]: https://github.com/nodejs/postject
+[signtool]: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
 [single executable applications]: https://github.com/nodejs/single-executable
