Following changes to the internation recommandations regarding code
signing certificates issuance and storage, DigiCert does not allow
simply downloading a certificate and use it to sign binaries.
Instead, we need to store it in a HSM or, as we chose, in a
cloud-based HSM such as DigiCert Keylocker.
This means we need to install tools to fetch the certificate from the
HSM prior to signing our software and also use a custom signing script
as electron-builder does not support Keylocker out of the box.
The process is split into 3 phases:
download the DigiCert client and the certificate
sign our binaries
verify the signature
Please make sure the following boxes are checked:
[x] PR is not too big
[x] it improves UX & DX in some way
[ ] it includes unit tests matching the implementation changes
[x] it includes scenarios matching a new behaviour or has been manually tested
Following changes to the internation recommandations regarding code signing certificates issuance and storage, DigiCert does not allow simply downloading a certificate and use it to sign binaries. Instead, we need to store it in a HSM or, as we chose, in a cloud-based HSM such as DigiCert Keylocker.
This means we need to install tools to fetch the certificate from the HSM prior to signing our software and also use a custom signing script as
electron-builderdoes not support Keylocker out of the box.The process is split into 3 phases:
Please make sure the following boxes are checked: