From d1e15e766c27005e7ec97319e6242b7d5993a235 Mon Sep 17 00:00:00 2001 From: Erik Date: Fri, 10 Apr 2026 15:38:12 -0300 Subject: [PATCH] fix: trim publisherName to prevent Windows auto-update signature mismatch The AZURE_TRUSTED_SIGNING_PUBLISHER_NAME secret contains a trailing space that propagates into app-update.yml. electron-updater does a strict === comparison between this value and the certificate CN, so "T3 Tools Inc " !== "T3 Tools Inc" causes updates to be rejected with "not signed by the application owner". Add .trim() via Config.map to strip whitespace as defense-in-depth. --- scripts/build-desktop-artifact.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/build-desktop-artifact.ts b/scripts/build-desktop-artifact.ts index dfeb797b33..dacdec7690 100644 --- a/scripts/build-desktop-artifact.ts +++ b/scripts/build-desktop-artifact.ts @@ -186,7 +186,9 @@ interface StagePackageJson { } const AzureTrustedSigningOptionsConfig = Config.all({ - publisherName: Config.string("AZURE_TRUSTED_SIGNING_PUBLISHER_NAME"), + publisherName: Config.string("AZURE_TRUSTED_SIGNING_PUBLISHER_NAME").pipe( + Config.map((s) => s.trim()), + ), endpoint: Config.string("AZURE_TRUSTED_SIGNING_ENDPOINT"), certificateProfileName: Config.string("AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME"), codeSigningAccountName: Config.string("AZURE_TRUSTED_SIGNING_ACCOUNT_NAME"),