Using electron-builder for signing and publishing Windows app (with auto-update) by using EV dongle
- Version: 22.3.2
- Electron Version: 8.0.3
- Target: Windows

I want to ask about the Electron app signing process for a Windows build on Ubuntu with electron-builder. I’m using an EV certificate from a DigiCert token. I’m following the steps described here: https://www.electron.build/tutorials/code-signing-windows-apps-on-unix and I’m able to sign the app by running this command:
osslsigncode sign -verbose -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /lib/libeToken.so -h sha256 -n app-name -t https://timestamp.verisign.com/scripts/timestamp.dll -certs /link/to/cert.pem -key 'key-id-here' -pass 'password' -in /link/to/app.exe -out /link/to/app.signed.exe
But I want to integrate this with electron-builder by using a custom signing script.
...
"win": {
  "target": "nsis",
  "sign": "./sign.js"
},
...
I know that electron-builder also generates .blockmap and .yml files, which are required by electron-updater to handle the update process. I’ve noticed that the sign.js script is called 8 times during the build process. My question here is: can I use the osslsigncode tool in this custom sign.js script triggered by electron-builder? If yes, is there a possibility to pass the file name to the sign.js script to dynamically fill in the signing command? My other question is: is it possible to use a custom signing script in electron-builder together with the -p always option to also generate the .blockmap and .yml files to handle auto-update for the signed application?
Top GitHub Comments
First of all, what you want demands some tinkering, and is not novice developer activity.
Below are my steps you need to also undertake.
Flow:
node -> npm run -> package.json -> electron-builder build -> script windows-sign.js -> java jsign -> output signed exe
Setup:
1. java locally, and included jsign-3.1.jar in my project root.
2. jsign to be setup to identify your dongle, so create a hardwareToken.cfg file as --keystore. More info here.
3. win add "sign": "scripts/windows-sign.js" (above file), see here.

Run npm run package it runs electron-builder build --publish always --win under scripts.
windows-sign.js is called automatically when the exe is finished building (see setup step 3) and signs the exe using your EV dongle.

@PatricNox Signing the installer doesn’t sign the binaries inside it, you have to sign each executable separately.