Build windows build on osx using an EV code signing certificate
- Version: 11.4.4
- Target: mac, windows
I’m trying to build both a mac and windows version of an app on a computer running macOS and I want to sign them using an EV code signing certificate. These kinds of certificates don’t allow the export to .p12 or .pfx.
When signing the mac build, the builder finds the installed certificate and uses this to sign the build.
For the windows build however you need to specify a .p12 or .pfx file. It would be nice if electron-builder could also use the installed EV certificate to sign the windows build.
When using signtool on windows you can specify to automatically search for the correct certificate using the /a param.
signtool sign /a /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 "path\to\installer.exe"
I don’t think that mono signcode supports this /a parameter, but maybe there is another way to accomplish this automatic certificate detection?
Issue Analytics
- State:
- Created 7 years ago
- Comments:64 (10 by maintainers)
Top GitHub Comments
Hi everyone! As now Microsoft requires to store private keys on smart cards, this will affect more people soon. I’ve managed to sign windows executables with osslsigncode on mac with its private key stored on a smart card. Here’s how:
- openssl, opensc and engine_pkcs11 from brew
- pkcs11engine=/usr/local/lib/engines/engine_pkcs11.so
- pkcs11module=/usr/local/lib/opensc-pkcs11.so
- key= your key slot, e.g. 01
- -askpass or -pass= your pin code
- osslsigncode verify after sign: there’s no validation by default: exe might be broken

This is working perfectly for me here: https://github.com/keeweb/keeweb/blob/develop/grunt/tasks/grunt-sign-exe.js

If anyone is interested in token model which is working on both Mac and Windows, for me it’s PIVKey T800. ACS tokens will not work on mac, or I haven’t managed to make it work.
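The sign-then-verify sequence from the comment above, written out as an added example; it is not code from the thread, from KeeWeb or from electron-builder. The function name, the `.unverified` suffix, and the `CERT_FILE`, `TS_URL` and `CA_FILE` values are assumptions, while the engine path, module path and key slot are the ones quoted in the comment.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sign with a key on a PKCS#11 token,
# then verify before accepting the output.
# Engine/module paths and the key slot are the values quoted in the comment.
# CERT_FILE, TS_URL and CA_FILE are assumptions to replace with your own.
PKCS11_ENGINE="${PKCS11_ENGINE:-/usr/local/lib/engines/engine_pkcs11.so}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/opensc-pkcs11.so}"
KEY_SLOT="${KEY_SLOT:-01}"
CERT_FILE="${CERT_FILE:-codesign-chain.pem}"          # assumed: cert chain exported from the token
TS_URL="${TS_URL:-http://timestamp.example.invalid}"  # placeholder RFC 3161 timestamp URL
CA_FILE="${CA_FILE:-}"                                # optional CA bundle for verify

# sign_and_verify SRC DST
# Writes the signed file to DST only if signing and verification both succeed.
# Returns 2 for a missing input, 1 if signing fails, 3 if verification fails.
sign_and_verify() {
  local src="$1" dst="$2" tmp="$2.unverified"
  [ -f "$src" ] || { echo "missing input: $src" >&2; return 2; }
  rm -f "$tmp"

  # -askpass prompts for the PIN, keeping it out of argv and shell history.
  if ! osslsigncode sign \
      -pkcs11engine "$PKCS11_ENGINE" \
      -pkcs11module "$PKCS11_MODULE" \
      -certs "$CERT_FILE" \
      -key "$KEY_SLOT" \
      -askpass \
      -h sha256 \
      -ts "$TS_URL" \
      -in "$src" -out "$tmp"; then
    rm -f "$tmp"
    echo "signing failed" >&2
    return 1
  fi

  # Signing performs no validation, so check the result explicitly.
  if ! osslsigncode verify ${CA_FILE:+-CAfile} ${CA_FILE:+"$CA_FILE"} \
      -in "$tmp" >/dev/null; then
    rm -f "$tmp"
    echo "verification failed, output discarded" >&2
    return 3
  fi
  mv -f "$tmp" "$dst"
}
```

Call it as `sign_and_verify path/to/installer.exe path/to/installer-signed.exe`; a build script should treat any non-zero return as a failed release step.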
I am finally able to sign my Windows binaries. As already mentioned the latest authentication client for mac Catalina is not available to the public. I asked my vendor (GlobalSign) if they could provide me that application and luckily they did! I am afraid that I can not upload the SafeNet client anywhere due to licensing issues, but you should ask your vendor as well.
This is our working setup (we don’t use the CLI):
10.15.1 (19B88)
10.2.97.0
5110 FIPS
build configuration:
hardwareToken.cfg:
signing:
Hopefully, this will help others.
Depending on your token you might need a different solution for the arg --alg SHA-256
Update: fixed missing publisherName. See https://github.com/electron-userland/electron-builder/issues/3667 for the reason.