  • Version: 5.21.0
  • Target: Windows x64

Unless I’ve missed something, the current settings with CSC_LINK and CSC_KEY_PASSWORD don’t satisfy the EV Code Signing requirements. DigiCert uses this as an example:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "subject name" "C:\path\to\fileToSign.exe"

Where subject name is the Issued To column in the Personal > Certificates list.

Here are the full instructions: https://www.digicert.com/code-signing/ev-authenticode-certificates.htm

Do I need to go in and change the code that builds the signtool line or is there something already in electron-builder to handle this?

I do see CSC_NAME but it says it’s macOS only.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

2 reactions
dharders commented, Aug 9, 2016

I just coded up a solution that worked for me (note: assumes your cert is in the store, subjectName is set in build.win). This is a quick proof of concept. Further work is needed for error checking etc.

Modify: node_modules\electron-builder\out\windowsCodeSign.js file starting Line 42ish in function spawnSign():

Change:

if (certExtension === ".p12" || certExtension === ".pfx") {
  args.push(isWin ? "/f" : "-pkcs12", options.cert);
  ...

To:

if (options.subjectName) {
  args.push("/n", options.subjectName);
} else if (certExtension === ".p12" || certExtension === ".pfx") {
  args.push(isWin ? "/f" : "-pkcs12", options.cert);
  ...

Also, a little further down (same function), change:

if (options.password) { ...

To:

if (!options.subjectName && options.password) { ...

node_modules\electron-builder\out\winPackager.js file starting Line 102ish in function sign(), add the subjectName option:

yield this.doSign({
  path: file,
  ...
  hash: this.platformSpecificBuildOptions.signingHashAlgorithms,
  subjectName: this.platformSpecificBuildOptions.subjectName
});
...

And finally, add subjectName to your package.json:

"win": {
  "target": "nsis",
  "certificateFile": "./resources/cert.pfx",  // required to force codesign (use dummy value)
  "subjectName": "Your Subject Name",
  ...
}

Note: for this proof of concept, a dummy certificateFile must be specified to kickstart codesign (the file doesn’t have to exist).

I actually prefer this way (of using /n) as no passwords are needed etc. if the cert is in the store already.
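The selection between store-based signing (/n) and file-based signing (/f plus /p) from the comment above, written as a stand-alone function. This is an added example, not code from the original comment or from electron-builder; `buildSigntoolArgs`, the `path`, `cert`, `password` and `hash` option names and all sample values are assumptions, and only the signtool flags and the timestamp URL come from the DigiCert command quoted in the question.

```javascript
// Added example (hypothetical helper, not electron-builder code).
// Returns the argument vector for signtool.exe; nothing is executed here.
const TIMESTAMP_URL = "http://timestamp.digicert.com"; // from the quoted DigiCert command

function buildSigntoolArgs(options) {
  const { path, subjectName, cert, password, hash = "sha256" } = options;
  if (!path) {
    throw new Error("path of the file to sign is required");
  }

  // Timestamp server, timestamp digest and file digest, in the quoted order.
  const args = ["sign", "/tr", TIMESTAMP_URL, "/td", hash, "/fd", hash];

  if (subjectName !== undefined) {
    // Store-based signing: the certificate is selected by its "Issued To" name.
    if (typeof subjectName !== "string" || subjectName.trim() === "") {
      throw new Error("subjectName must be a non-empty string");
    }
    // Passed as one array element, so a name containing spaces needs no
    // quoting when the array goes to child_process.execFile or spawn.
    args.push("/n", subjectName);
    // Neither /f nor /p is added in this branch, even if cert or password
    // are still configured, so no password reaches the command line.
  } else if (cert) {
    // File-based signing with a .pfx/.p12 file.
    args.push("/f", cert);
    if (password) {
      args.push("/p", password);
    }
  } else {
    throw new Error("either subjectName or cert must be set");
  }

  args.push(path);
  return args;
}

// Constructed sample input: subjectName wins over a leftover dummy cert/password.
const sampleArgs = buildSigntoolArgs({
  path: "C:\\dist\\app-setup.exe",
  subjectName: "Example Corp",
  cert: "./resources/cert.pfx",
  password: "constructed-sample-password",
});
console.log(sampleArgs.join(" "));
```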

0 reactions
develar commented, Aug 9, 2016

Duplicates #590
