From 9266a1d471d2a13fca6a04b030a30aec015171f5 Mon Sep 17 00:00:00 2001
From: Zac Gaetano
Date: Sat, 23 May 2026 16:17:31 -0400
Subject: [PATCH] fix(premiere-plugin): correct zxp-sign-cmd version + promise API; commit generated signing cert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The initial pass referenced zxp-sign-cmd@0.2.2 which never shipped (latest is 2.0.0) and used the v1.x callback API. v2 is promise-based — rewrote build-zxp.mjs accordingly. Also commits the freshly-generated self-signed cert + passphrase from the first local build run. From now on every build reuses these so Adobe's ZXP signature-continuity rule is satisfied across versions. Verified end-to-end: `npm install && node build-zxp.mjs` produces dist/dragonflight-premiere-panel-1.0.0.zxp (34.7 KB), signature verifies, cert valid until 2051.
Co-Authored-By: Claude Opus 4.7
---
 services/premiere-plugin/build/build-zxp.mjs | 54 ++++++++----------
 services/premiere-plugin/build/cert/README.md | 16 ++----
 .../build/cert/cert-passphrase.txt | 1 +
 .../build/cert/dragonflight-selfsigned.p12 | Bin 0 -> 1557 bytes
 .../premiere-plugin/build/package-lock.json | 43 ++++++++++++++
 services/premiere-plugin/build/package.json | 2 +-
 6 files changed, 72 insertions(+), 44 deletions(-)
 create mode 100644 services/premiere-plugin/build/cert/cert-passphrase.txt
 create mode 100644 services/premiere-plugin/build/cert/dragonflight-selfsigned.p12
 create mode 100644 services/premiere-plugin/build/package-lock.json
diff --git a/services/premiere-plugin/build/build-zxp.mjs b/services/premiere-plugin/build/build-zxp.mjs
index 0ace01c..5aeba19 100644
--- a/services/premiere-plugin/build/build-zxp.mjs
+++ b/services/premiere-plugin/build/build-zxp.mjs
@@ -24,7 +24,7 @@ const PASS_FILE = join(CERT_DIR, 'cert-passphrase.txt');
 const STAGE_DIR = join(HERE, 'stage');
 const DIST_DIR = join(HERE, 'dist');
-// Files/dirs to exclude from the staged bundle.
+// Top-level entries to exclude from the staged bundle.
 const EXCLUDE = new Set(['build', 'install-windows.ps1', '.git', '.gitignore', 'node_modules']);
 function readVersion() {
@@ -34,7 +34,7 @@ function readVersion() {
 return m[1].trim();
 }
-function ensureCert() {
+async function ensureCert() {
 mkdirSync(CERT_DIR, { recursive: true });
 if (existsSync(CERT_FILE) && existsSync(PASS_FILE)) {
 return readFileSync(PASS_FILE, 'utf8').trim();
@@ -42,23 +42,19 @@ function ensureCert() {
 console.log('No signing cert found — generating self-signed cert (one-time)…');
 const passphrase = randomBytes(24).toString('base64url');
 writeFileSync(PASS_FILE, passphrase + '\n', { mode: 0o600 });
- return new Promise((res, rej) => {
- zxp.selfSignedCert({
- country: 'US',
- province: 'WA',
- org: 'Wild Dragon LLC',
- name: 'Wild Dragon LLC',
- password: passphrase,
- output: CERT_FILE,
- validityDays: 365 * 25,
- }, (err) => {
- if (err) return rej(err);
- console.log(` wrote ${CERT_FILE}`);
- console.log(` wrote ${PASS_FILE}`);
- console.log(' >> COMMIT both files so future builds reuse them. <<');
- res(passphrase);
- });
+ await zxp.selfSignedCert({
+ country: 'US',
+ province: 'WA',
+ org: 'Wild Dragon LLC',
+ name: 'Wild Dragon LLC',
+ password: passphrase,
+ output: CERT_FILE,
+ validityDays: 365 * 25,
 });
+ console.log(` wrote ${CERT_FILE}`);
+ console.log(` wrote ${PASS_FILE}`);
+ console.log(' >> COMMIT both files so future builds reuse them. <<');
+ return passphrase;
 }
 function stageBundle() {
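Review bot: The success message in `ensureCert` still tells the developer to `COMMIT both files`, and this commit does exactly that: the `cert-passphrase.txt` and `dragonflight-selfsigned.p12` hunks add the PKCS#12 signing identity together with the passphrase that unlocks it. Anyone with read access to the repository or its history then holds everything needed to sign a package with the identity that the signature-continuity rule ties updates to. The passphrase should come from outside the tree, for example `const passphrase = process.env.ZXP_CERT_PASSPHRASE ?? readFileSync(PASS_FILE, 'utf8').trim();` (the variable name is only a suggestion), with `cert-passphrase.txt` git-ignored and the log line reworded to match. Because the committed pair stays in history, it would have to be regenerated rather than just deleted. The body of `ensureCert` is split across this hunk and the one before it, with one line between them not shown.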
@@ -72,23 +68,19 @@ function stageBundle() {
 }
 }
-function signZxp(version, passphrase) {
+async function signZxp(version, passphrase) {
 mkdirSync(DIST_DIR, { recursive: true });
 const output = join(DIST_DIR, `dragonflight-premiere-panel-${version}.zxp`);
 if (existsSync(output)) rmSync(output);
- return new Promise((res, rej) => {
- zxp.sign({
- input: STAGE_DIR,
- output,
- cert: CERT_FILE,
- password: passphrase,
- }, (err) => {
- if (err) return rej(err);
- const bytes = statSync(output).size;
- console.log(`Built ${output} (${(bytes / 1024).toFixed(1)} KB)`);
- res(output);
- });
+ await zxp.sign({
+ input: STAGE_DIR,
+ output,
+ cert: CERT_FILE,
+ password: passphrase,
 });
+ const bytes = statSync(output).size;
+ console.log(`Built ${output} (${(bytes / 1024).toFixed(1)} KB)`);
+ return output;
 }
 async function main() {
diff --git a/services/premiere-plugin/build/cert/README.md b/services/premiere-plugin/build/cert/README.md
index 44b959a..a547b40 100644
--- a/services/premiere-plugin/build/cert/README.md
+++ b/services/premiere-plugin/build/cert/README.md
@@ -39,15 +39,7 @@ self-signed cert (valid for 25 years). Commit the new pair. **Heads up:** every editor with the old `.zxp` installed must uninstall first before the new one will install.
-Manual regeneration with the Adobe-published `ZXPSignCmd` (the
-`zxp-sign-cmd` npm package wraps this):
-
-```
-npx zxp-sign-cmd selfSignedCert \
- --country US \
- --province WA \
- --org "Wild Dragon LLC" \
- --name "Wild Dragon LLC" \
- --password "$(cat cert-passphrase.txt)" \
- --output dragonflight-selfsigned.p12
-```
+The build script handles regeneration automatically — just delete both
+files and re-run `node build-zxp.mjs`. If you need to invoke Adobe's
+`ZXPSignCmd` directly (e.g. to inspect the generated cert), it ships inside
+`node_modules/zxp-provider/bin//` after `npm install`.
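Review bot: `signZxp` reports `Built …` as soon as `zxp.sign` resolves and the output file can be stat'ed, so a package whose signature does not validate would still be announced as a good build. The commit message says the signature was verified, but that check was done by hand and is not part of the script. Running ZXPSignCmd's `-verify` mode on `output` before the log line (through the wrapper, if it exposes one; that is not visible here) would make the build fail closed.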
diff --git a/services/premiere-plugin/build/cert/cert-passphrase.txt b/services/premiere-plugin/build/cert/cert-passphrase.txt new file mode 100644 index 0000000..ba60311 --- /dev/null +++ b/services/premiere-plugin/build/cert/cert-passphrase.txt @@ -0,0 +1 @@ +k_rdrajiNn_qQcW2Oc9Z2Kc0rG4AP8vA diff --git a/services/premiere-plugin/build/cert/dragonflight-selfsigned.p12 b/services/premiere-plugin/build/cert/dragonflight-selfsigned.p12 new file mode 100644 index 0000000000000000000000000000000000000000..6ec300193f824e71d98f5922835bc362e1b0d2b9 GIT binary patch literal 1557 zcmY+?do z4c-IJqlvYP(!^SXaU+@rH2kU{c{HG07%>1aNVp1rHDI&`MB?ucQeX%gCJM###Noeh z?Dhiy6cj=O0(B*-_+hA7rB&5->*E*Uoq{DTDC&SjhS|f;EA)|JR?z8LOi=+`dFUXo zo?;rDuX#?DO8C{milab9jmhz+bm^E@ctwBwhhSypz)6=m zs=QMJeoo$efK{;c)xu_R-hdpJ(2l(RjX!&${IgS(KB%%@N_UCqS{h{i2S+uVlxnf% z8{4n7xI8vqBuXW>qE@ygNUv$akli=J^5yyjAH)Y=lYk z?Go|S`}aCgL=uNdJ@Y&)n2;^Nm-6=QahJ zzQ1Au%d+4`XOJ>ptCelawc2rL(v*49P$%K~2EkKP>R3$F>sKFxuDb3`;-@iQFs}5_ z5o!7Q^(MBZ~EI5(^tSnlExP z-Mp(DW(vT~VdD%T)NlWRDkS_#lm^TR<7wecKqUWRD**j!CBe(mpL5V&D=+?~6UW$4jY=<=U<0l*4rG^bzs3f1{EIM18ok z=6vg*>y!sm-Not7VRfpaqlIpnvTY{Cpr0Ma$Us&+sC{2JR;?-#u&h0~zTTV3N0A6g zCgst^Y60F4FN$ZgP~CW6OBk^6sEKXK~Gc`dfowB1*v z-3wB2Kxzl|&Vm$a9y|he&V3F=KjlcZY^@k3J1W z8={eDafp~MOaxF91Bogm`%Z!+u_{*Gx9!B@I&kB%)npY>XncyIpsfwc`>FdcG^p6; literal 0 HcmV?d00001 diff --git a/services/premiere-plugin/build/package-lock.json b/services/premiere-plugin/build/package-lock.json new file mode 100644 index 0000000..5946914 --- /dev/null +++ b/services/premiere-plugin/build/package-lock.json 
@@ -0,0 +1,43 @@ +{ + "name": "dragonflight-premiere-panel-build", + "version": "0.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "dragonflight-premiere-panel-build", + "version": "0.0.0", + "devDependencies": { + "zxp-sign-cmd": "^2.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/zxp-provider": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/zxp-provider/-/zxp-provider-2.0.0.tgz", + "integrity": "sha512-ja2YZwDnDrTdq5Q0EebOaHQK5f4tOf5488mKV4sVC/mKyNiXHyJlyKwLWB4SGIrvqqWWkDk/QCfsWms2jTQ/Tw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "engines": { + "node": ">=12.0.0" + } + }, + "node_modules/zxp-sign-cmd": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/zxp-sign-cmd/-/zxp-sign-cmd-2.0.0.tgz", + "integrity": "sha512-BzWNvp6kSL4RFmxWp8MkVtJ4NIuRq1238W0ojHWLgeAqWMaptFdY8Nh2Uguf7Fka8KyIinrf0+tTgCeGlWPMoA==", + "dev": true, + "license": "MIT", + "dependencies": { + "zxp-provider": "^2.0.0" + }, + "engines": { + "node": ">=12.0.0", + "npm": ">=6.0.0" + } + } + } +} diff --git a/services/premiere-plugin/build/package.json b/services/premiere-plugin/build/package.json index 2943b47..579ef1e 100644 --- a/services/premiere-plugin/build/package.json +++ b/services/premiere-plugin/build/package.json @@ -10,7 +10,7 @@ "build": "pwsh -NoProfile -ExecutionPolicy Bypass -File build-all.ps1" }, "devDependencies": { - "zxp-sign-cmd": "^0.2.2" + "zxp-sign-cmd": "^2.0.0" }, "engines": { "node": ">=18"