doc: add steps about signing the binary in single-executable docs

We didn't catch this in nodejs#45038 because the binary wasn't signed by default unlike the official Node.js binary, which is signed by the Node.js Foundation identity by default. Refs: nodejs/postject#76 (macOS arm64 part only) Fixes: nodejs/postject#75 Signed-off-by: Darshan Sen <[email protected]>
RaisinTen · Feb 22, 2023 · ce1284b · ce1284b
1 parent fda0de4
commit ce1284b
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/doc/api/single-executable-applications.md b/doc/api/single-executable-applications.md
@@ -33,7 +33,21 @@ tool, [postject][]:
    $ cp $(command -v node) hello
    ```
 
-3. Inject the JavaScript file into the copied binary by running `postject` with
+3. Remove the signature of the binary:
+
+   * On macOS:
+
+   ```console
+   $ codesign --remove-signature hello
+   ```
+
+   * On Windows:
+
+   ```console
+   $ signtool remove /s hello
+   ```
+
+4. Inject the JavaScript file into the copied binary by running `postject` with
    the following options:
 
    * `hello` - The name of the copy of the `node` executable created in step 2.
@@ -61,7 +75,21 @@ tool, [postject][]:
          --macho-segment-name NODE_JS
      ```
 
-4. Run the binary:
+5. Sign the binary:
+
+   * On macOS:
+
+   ```console
+   $ codesign --sign - hello
+   ```
+
+   * On Windows:
+
+   ```console
+   $ signtool sign /fd SHA256 hello
+   ```
+
+6. Run the binary:
    ```console
    $ ./hello world
    Hello, world!