
Build windows build on osx using an EV code signing certificate

See original GitHub issue
  • Version: 11.4.4

  • Target: mac, windows

I’m trying to build both a mac and windows version of an app on a computer running macOS and I want to sign them using an EV code signing certificate. These kinds of certificates don’t allow export to .p12 or .pfx.

When signing the mac build, the builder finds the installed certificate and uses this to sign the build. For the windows build, however, you need to specify a .p12 or .pfx file. It would be nice if electron-builder could also use the installed EV certificate to sign the windows build.

When using signtool on windows you can specify to automatically search for the correct certificate using the /a param.

signtool sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 "path\to\installer.exe"

I don’t think that mono signcode supports this /a parameter, but maybe there is another way to accomplish this automatic certificate detection?

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 64 (10 by maintainers)

Top GitHub Comments

6 reactions
antelle commented, Jul 4, 2017

Hi everyone! As Microsoft now requires private keys to be stored on smart cards, this will affect more people soon. I’ve managed to sign windows executables with osslsigncode on mac with its private key stored on a smart card. Here’s how:

  • install openssl, opensc and engine_pkcs11 from brew
  • build osslsigncode from master; here’s the patch we need, I don’t know why the latest release is not updated (I’ve opened an issue but the author doesn’t care)
  • call it with args:
    • -pkcs11engine=/usr/local/lib/engines/engine_pkcs11.so
    • -pkcs11module=/usr/local/lib/opensc-pkcs11.so
    • -key= your key slot, e.g. 01
    • -askpass or -pass= your pin code
    • …other args as in usual sign
  • ❗️ run osslsigncode verify after sign: there’s no validation by default: exe might be broken

This is working perfectly for me here: https://github.com/keeweb/keeweb/blob/develop/grunt/tasks/grunt-sign-exe.js. If anyone is interested in a token model which works on both Mac and Windows, for me it’s the PIVKey T800. ACS tokens will not work on mac, or I haven’t managed to make them work.

4 reactions
menelike commented, Dec 13, 2019

I am finally able to sign my Windows binaries. As already mentioned, the latest authentication client for mac Catalina is not available to the public. I asked my vendor (GlobalSign) if they could provide me with that application and luckily they did! I am afraid that I can not upload the SafeNet client anywhere due to licensing issues, but you should ask your vendor as well.

This is our working setup (we don’t use the CLI):

  • macOS 10.15.1 (19B88)
  • SafeNet Client 10.2.97.0
  • SafeNet eToken 5110 FIPS

build configuration:

  // signWin is the default export of the signing module shown under "signing" below;
  // tokenAlias and tokenPassword are supplied by the build script (for example
  // from environment variables) rather than hard-coded here
  import signWin from './signWin';

  const buildConfig = {
    win: {
      target: [
        {
          target: 'nsis',
          arch: ['ia32', 'x64'],
        },
      ],
      // must match the "Issued To" name of the EV certificate, see #3667 below
      publisherName: 'MY ISSUED TO NAME',
      // custom sign hook: electron-builder calls it once per hash (sha1, sha256)
      sign: (configuration: CustomWindowsSignTaskConfiguration): void =>
        signWin(configuration, tokenAlias, tokenPassword),
    }
  };

hardwareToken.cfg:

name = HardwareToken
library = /Library/Frameworks/eToken.framework/Versions/A/libeToken.dylib
slotListIndex = 0

signing:

/*
use the following command to determine the alias:
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg hardwareToken.cfg
source: https://support.globalsign.com/customer/en/portal/articles/2722672-code-signing-in-java-token-based- for more information
*/
import { execFileSync } from 'child_process';
import * as path from 'path';

import { CustomWindowsSignTaskConfiguration } from 'app-builder-lib/out/codeSign/windowsCodeSign';

const jsign = path.join(__dirname, 'jsign-2.1.jar');
const keystore = path.join(__dirname, 'hardwareToken.cfg');

export default (
  configuration: CustomWindowsSignTaskConfiguration,
  alias: string,
  storepass: string
): void => {
  const { hash } = configuration;

  if (!alias) throw Error('missing argument alias');
  if (!storepass) throw Error('missing argument storepass');

  // electron-builder calls the hook once per hash when dual-signing;
  // the EV token only supports SHA-256, so the SHA-1 pass is skipped
  if (hash === 'sha1') return;
  if (hash !== 'sha256') throw Error(`unknown hashing algorithm: ${hash}`);

  console.log(`signing (${hash}): ${configuration.path}`);

  // arguments are passed as an array so that neither the binary path nor the
  // PIN is ever interpreted by a shell (no quoting problems, no injection)
  const args = [
    '-jar', jsign,
    '--keystore', keystore,
    '--storetype', 'PKCS11',
    '--tsaurl', 'http://timestamp.digicert.com',
    '--alg', 'SHA-256',
    '--alias', alias,
    '--storepass', storepass, // still visible in the process list while java runs
    configuration.path,
  ];

  execFileSync('java', args, {
    stdio: 'inherit',
  });
};

Hopefully, this will help others.

Depending on your token you might need a different value for the --alg SHA-256 argument.

Update: fixed missing publisherName.

See https://github.com/electron-userland/electron-builder/issues/3667 for the reason.


Top Results From Across the Web

  • Code Signing - electron-builder: If you are on Linux or Mac and you want to sign a Windows app using an EV Code Signing Certificate, please use the guide...
  • Codesigning a Windows build with electron-builder, on a Mac...: Quoting the article: To get a Windows signing certificate, we recommend Digicert. The documentation for Windows app signing is surprisingly bad.
  • Issue with applying EV Code Signin… - Apple Developer: Problem. I am trying to code sign our application with an EV Code Signing Certificate. When I run this command: % codesign -s...
  • Code Signing | Electron: Code signing is a security technology that you use to certify that an app was created by you. You should sign your application...
  • Code-Signing a Windows app on a Mac using electron-builder: Make a CSR (certificate signing request) using Keychain Access (a program on your mac). · Make sure to select "Save to Disk" for...
