From 943ab80afd08c8e518429570f466fb17428e8c77 Mon Sep 17 00:00:00 2001
From: Giacomo Cusinato <7659518+giacomocusinato@users.noreply.github.com>
Date: Thu, 7 Nov 2024 16:50:05 +0200
Subject: [PATCH] fix: disable local windows signing for forks PR

Resolves https://github.com/arduino/arduino-ide/issues/2545
---
 .github/workflows/build.yml               | 2 ++
 electron-app/scripts/windowsCustomSign.js | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 865c0562e..f35d97f16 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -286,6 +286,8 @@ jobs:
       SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
       WIN_CERT_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
       WIN_CERT_CONTAINER_NAME: ${{ secrets.INSTALLER_CERT_WINDOWS_CONTAINER }}
+      WIN_SIGNING_ENABLED: ${{ !github.event.pull_request.head.repo.fork }}
+
     strategy:
       matrix:
         config: ${{ fromJson(needs.select-targets.outputs.build-matrix) }}
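Review bot: The new `WIN_SIGNING_ENABLED` entry keys on `head.repo.fork`, which is only a proxy for the real condition: whether the certificate secrets are populated for this run. Pull requests opened by Dependabot are not forks, yet GitHub withholds Actions secrets from them as well, so if this repository receives such PRs (not visible here) the flag would be `true` while `WIN_CERT_PASSWORD` and `WIN_CERT_CONTAINER_NAME` are empty, and signing would still be attempted. Gating on the secret too would cover both cases: `WIN_SIGNING_ENABLED: ${{ !github.event.pull_request.head.repo.fork && secrets.INSTALLER_CERT_WINDOWS_PASSWORD != '' }}`. Because the script compares against the literal string `'true'` and returns silently otherwise, a comment above the entry such as `# Fork PRs receive no secrets: skip signing there; release builds must always evaluate to true` would record the intent and the risk of shipping an unsigned installer unnoticed.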
diff --git a/electron-app/scripts/windowsCustomSign.js b/electron-app/scripts/windowsCustomSign.js
index 29fbc5fad..41fc6d3b2 100644
--- a/electron-app/scripts/windowsCustomSign.js
+++ b/electron-app/scripts/windowsCustomSign.js
@@ -1,7 +1,10 @@
 const childProcess = require('child_process');
 
 exports.default = async function (configuration) {
-  if (!process.env.GITHUB_ACTIONS) {
+  if (
+    !process.env.GITHUB_ACTIONS ||
+    process.env.WIN_SIGNING_ENABLED !== 'true'
+  ) {
     return;
   }