
Race condition when signing multiple files concurrently using Azure Trusted Signing #9076


Open
gusaaaaa opened this issue May 1, 2025 · 1 comment


gusaaaaa commented May 1, 2025

Hi there. I’m trying to use Azure Trusted Signing with electron-builder@26.0.13. I appreciate the recent efforts to support ATS, but I’m still facing a reproducible issue during the signing phase.


What I'm doing

I’m building an Electron app that bundles multiple executables and DLLs (e.g. a full Python distribution inside resources/python-run/). I sign my app using Invoke-TrustedSigning via the electron-builder Azure integration.


Setup

  • electron-builder version: 26.0.13
  • Signing via Invoke-TrustedSigning
  • Running the build from my local Windows machine
  • App includes multiple binaries to be signed

Problem

When electron-builder attempts to sign several files concurrently, it invokes PowerShell commands that each try to initialize or install the Trusted Signing toolchain. This leads to access conflicts like:

Install-Package : Package 'Microsoft.Trusted.Signing.Client' failed to be installed because:
The process cannot access the file '...Azure.CodeSigning.Dlib.dll' because it is being used by another process.
Install-Package : Package 'Microsoft.Windows.SDK.BuildTools' failed to be installed because:
The process cannot access the file '...BuildTools.10.0.22621.3233.nupkg' because it is being used by another process.

These exceptions suggest a concurrency issue in how the Trusted Signing environment is set up per file to be signed.


Additional confirmation

When I run the build a second time, the errors change. It now proceeds further into signing, but still fails with:

Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
...
Wait-Process : Cannot bind argument to parameter 'InputObject' because it is null.
...
SignTool failed with exit code 3

Yet the target file is present:

C:\Users\...\dist\win-arm64-unpacked\resources\python-run\pythonw.exe

🔍 Note: I confirmed that the listed file (pythonw.exe) exists at the specified path. This indicates the failure is not caused by a missing input file but by the signing toolchain being in an inconsistent state, likely due to race conditions or locking issues.


Question for the community

Has anyone else experienced this issue when signing multiple binaries with Azure Trusted Signing using electron-builder?

I'm wondering if:

  • There's something I'm missing in my setup
  • Or if this is a known limitation with concurrent signing and tool initialization

Any workaround or advice would be appreciated.

Thanks in advance!

Collaborator

mmaietta commented May 1, 2025

This is a known issue with concurrent ATS signing (which is why this is still labeled as a "beta" feature); however, I have no way to debug locally, as I don't have an ATS account (no free license for open-source CI usage).

Can you try adding DEBUG=electron-builder? Maybe we can determine the order of events of what logic is being executed internally.
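The failure mode reported in this thread, reduced to a constructed simulation (an added example, not electron-builder's code and not part of either comment): every per-file signing task runs the toolchain install itself, so all but the first hit a held file, while a one-time initialization guard lets all tasks wait on a single install. All names here (`installToolchain`, `makeGuardedSigner`, `runDemo`) are hypothetical, no PowerShell or Azure call is made, and the guard assumes the process that fans out the signing jobs can run the install once before starting them.

```javascript
// Constructed simulation of the race: no real signing or package install happens.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Stand-in for the shared toolchain directory every signing call touches.
const makeToolchain = () => ({ busy: false, installs: 0 });

// Hypothetical install step: fails like the reported error when the files are held.
async function installToolchain(tc) {
  if (tc.busy) throw new Error("file is being used by another process");
  tc.busy = true;
  try {
    await sleep(5); // simulated package unpacking
    tc.installs += 1;
  } finally {
    tc.busy = false;
  }
}

// Unguarded: each per-file task initializes the toolchain on its own.
async function signUnguarded(tc, file) {
  await installToolchain(tc);
  return file;
}

// Guarded: the first caller starts the install, all callers await the same promise.
// A failed install clears the guard so a later call can retry.
function makeGuardedSigner(tc) {
  let ready = null;
  return async function sign(file) {
    if (ready === null) {
      ready = installToolchain(tc).catch((err) => { ready = null; throw err; });
    }
    await ready;
    return file; // signing itself may still run concurrently
  };
}

async function runDemo(files) {
  const failed = (rs) => rs.filter((r) => r.status === "rejected").length;
  const a = makeToolchain();
  const unguarded = await Promise.allSettled(files.map((f) => signUnguarded(a, f)));
  const b = makeToolchain();
  const sign = makeGuardedSigner(b);
  const guarded = await Promise.allSettled(files.map((f) => sign(f)));
  return {
    unguardedFailures: failed(unguarded), unguardedInstalls: a.installs,
    guardedFailures: failed(guarded), guardedInstalls: b.installs,
  };
}

// Constructed file names for the demonstration run.
runDemo(["python.exe", "pythonw.exe", "python3.dll", "app.exe"]).then(console.log);
```

Because each real signing call is a separate PowerShell process, an in-process guard like this only helps when the install is hoisted into the parent before the jobs are spawned; otherwise the equivalent is a cross-process lock around the install step.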
