Closed lukas-fichtner closed 6 years ago
Please set env DEBUG=electron-builder
and attach log of the terminal output.
https://www.electron.build/#debug
I've been using an older electron builder version for a long time now
Which one?
I tested it now on the old version too without success :(
Here is the Error Code: http://prntscr.com/k68jif (the same error on the winCodeSign version 2.1.0 and the newest electron-builder) Here is my build config: http://prntscr.com/k68k69
Or did you need something else? Thanks for any help
Are you sure that the cert is not expired?
No, it's not expired, look here again: https://prnt.sc/k5tq1z
I am having the same issue.
I was successfully able to build and sign two weeks ago. Came to pick up my project today and unfortunately, it's no longer working.
Same comment on the certificate expiry: it's brand new and does not expire until 2020.
So, I can't explain why, but commenting out this line https://github.com/electron-userland/electron-builder/blob/e7ff5e85eaa307294ea6c99c143c4bbad5e73e01/packages/electron-builder-lib/src/windowsCodeSign.ts#L215 fixes the issue for NSIS builds.
@richard-ive-m4 Please do not comment this line, it is critically important. Please try to set rfc3161TimeStampServer option:
    "build": {
      "win": {
        "rfc3161TimeStampServer": "http://timestamp.comodoca.com/rfc3161"
      }
    }
Does it help?
No, it doesn't work for me.
Nope, didn't work I'm afraid.
I can see that it has correctly changed the timestamp server in the debug message, but I still get "SignTool Error: The specified private key container was not found."
Can you explain why /fd is so important?
What is your windows version?
ver
Microsoft Windows [Version 10.0.17134.165]
Without /fd your app will be signed only with SHA1 — but this digest algo is compromised and deprecated.
Do you use latest electron-builder?
yes I updated electron-builder today, win10 pro version 10.0.17134
Ok... I have no clue anymore... @Xedon420 In your config I see that you use Squirrel.Windows, @richard-ive-m4 but you use NSIS, right?
Yes.
I'm running
10.0.17134.165
>npm ls electron-builder
netcourier-quick-ship@0.0.7 D:\users\richard\dev\netcourier-quick-ship
`-- electron-builder@20.22.1
    "build": {
      "win": {
        "rfc3161TimeStampServer": "http://timestamp.comodoca.com/rfc3161",
        "target": [
          {
            "target": "nsis",
            "arch": [ "x64", "ia32" ]
          }
        ],
Squirrel: http://prntscr.com/k7mlya
or do you need something else? @develar
Please try electron-builder 20.23.0: signtool updated to the latest Win 10 SDK, 10.0.17134.0. Maybe it will help.
I'm sorry, it didn't work out again. (the same error)
electron-builder at 20.23.0 and downloaded the winCodeSign tool to version 2.2.0
It now fails during the initial download of signtool
To ensure your native dependencies are always matched electron version, simply add script `"postinstall": "electron-builder install-app-deps" to your `package.json`
• writing effective config file=dist\builder-effective-config.yaml
• rebuilding native production dependencies platform=win32 arch=x64
• packaging platform=win32 arch=x64 electron=2.0.5 appOutDir=dist\win-unpacked
• rebuilding native production dependencies platform=win32 arch=ia32
• packaging platform=win32 arch=ia32 electron=2.0.5 appOutDir=dist\win-ia32-unpacked
• building target=nsis file=dist\NetCourier Quick Ship Setup 0.0.17.exe archs=x64, ia32 oneClick=false
• signing file=dist\win-ia32-unpacked\resources\elevate.exe certificateFile=D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx
• signing file=dist\win-unpacked\resources\elevate.exe certificateFile=D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx
• downloading path=C:\Users\Richard\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-2.2.0 url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.2.0/winCodeSign-2.2.0.7z
• downloading parts=1 size=4.6 MB url=https://github-production-release-asset-2e65be.s3.amazonaws.com/65527128/3e14fe7e-8a02-11e8-9080-ff33360f54cd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180717%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180717T192252Z&X-Amz-Expires=300&X-Amz-Signature=6801dfe10703e2c73790d29037f353a76f80de22d9b87f918a9f4d579c256ffc&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DwinCodeSign-2.2.0.7z&response-content-type=application%2Foctet-stream
Error: Exit code: 1. Command failed: C:\Users\Richard\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-2.2.0\windows-10\x64\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx /fd sha256 /td sha256 /d NetCourier Quick Ship /du https://github.com/richard-ive-m4/netcourier-quick-ship /as /p b2a2 /debug D:\users\richard\dev\netcourier-quick-ship\dist\win-unpacked\resources\elevate.exe
SignTool Error: The specified private key container was not found.
The following certificates were considered:
Issued to: XXXX.
Issued by: thawte SHA256 Code Signing CA
Expires: Thu Jul 09 00:59:59 2020
SHA1 hash: 1241412
Issued to: thawte Primary Root CA
Issued by: thawte Primary Root CA
Expires: Thu Jul 17 00:59:59 2036
SHA1 hash: 124124
Issued to: thawte SHA256 Code Signing CA
Issued by: thawte Primary Root CA
Expires: Sun Dec 10 00:59:59 2023
SHA1 hash: 1241244
After EKU filter, 3 certs were left.
After expiry filter, 3 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: XXX
Issued by: thawte SHA256 Code Signing CA
Expires: Thu Jul 09 00:59:59 2020
SHA1 hash: 12414
The following additional certificates will be attached:
Issued to: thawte SHA256 Code Signing CA
Issued by: thawte Primary Root CA
Expires: Sun Dec 10 00:59:59 2023
SHA1 hash: 124124
Done Adding Additional Store
SignTool Error: The specified private key container was not found.
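A way to read the `/debug` output above mechanically, as an added example (not code from electron-builder or from anyone in this thread): it pulls out the filter counts, the selected certificate and the error, then tells a certificate that was filtered out (wrong EKU, expired, no key reference) apart from a certificate that was selected but whose key container could not be opened. The function names and `SAMPLE_LOG` are hypothetical and constructed to mirror the shape of the quoted log.

```javascript
// Added example: triage of `signtool sign /debug` output (not electron-builder code).
// SAMPLE_LOG is constructed; it mirrors the shape of the output quoted in this thread.
const SAMPLE_LOG = `The following certificates were considered:
    Issued to: Example Publisher (constructed)
    Issued by: Example Code Signing CA
    Expires:   Thu Jul 09 00:59:59 2020
    SHA1 hash: <thumbprint-placeholder>
After EKU filter, 3 certs were left.
After expiry filter, 3 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: Example Publisher (constructed)
    Issued by: Example Code Signing CA
    Expires:   Thu Jul 09 00:59:59 2020
    SHA1 hash: <thumbprint-placeholder>
SignTool Error: The specified private key container was not found.
`;

function parseSigntoolDebug(text) {
  const filters = {};
  for (const m of text.matchAll(/^After (.+?) filter, (\d+) certs? (?:were|was) left\./gm)) {
    filters[m[1]] = Number(m[2]); // e.g. { EKU: 3, expiry: 3, 'Private Key': 1 }
  }
  const errors = [...text.matchAll(/^SignTool Error: (.+)$/gm)].map(m => m[1].trim());
  const sel = text.match(
    /^The following certificate was selected:\s*\n\s*Issued to:\s*(.+)\n\s*Issued by:\s*(.+)\n\s*Expires:\s*(.+)$/m);
  const selected = sel ? { issuedTo: sel[1].trim(), issuedBy: sel[2].trim(), expires: sel[3].trim() } : null;
  return { filters, selected, errors };
}

// Classify the failure: which filter emptied the candidate list, or a post-selection key error.
function triage({ filters, selected, errors }) {
  if (errors.length === 0) return 'no-error';
  for (const [name, left] of Object.entries(filters)) { // filters stay in printed order
    if (left === 0) return `no-cert-after-${name.toLowerCase().replace(/\s+/g, '-')}-filter`;
  }
  // A certificate survived the EKU, expiry and private-key filters and was selected,
  // so the certificate itself is fine; opening the key container it refers to failed.
  if (selected && errors.some(e => /private key container was not found/i.test(e))) {
    return 'key-container-unavailable';
  }
  return 'other-signtool-error';
}
```
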
Will be fixed / investigated this week.
Hi @develar. Were you able to get to the bottom of this? Happy to help in any way I can.
Not yet. But our CI test fails with the same error. Issue on my radar.
Is there now a solution to the problem?
So I'm afraid this isn't overly helpful for everyone, but I have been able to sign correctly using electron-builder.
I noticed that the Windows docs (https://docs.microsoft.com/en-us/windows/desktop/seccrypto/signtool) say:
If you want to perform dual signing and make SHA256 catalogs, you must include those files and the following additional files:
Makecat.exe Makecat.exe.manifest Microsoft.Windows.Build.Signing.mssign32.dll.manifest Mssign32.dll (downlevel version) Signtool.exe Signtool.exe.manifest
So I:
C:\Program Files (x86)\Windows Kits\10\bin\x64
return "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\signtool.exe"
@richard-ive-m4 You are a hero, thanks a lot :) F*** MS :(
Unfortunately the solution doesn't work for me... I just updated the electron-builder version to 20.28.2 and wanted to build but still get the same error...
Then I downloaded the Windows SDK and tested it again with the version "10.0.17134.0", but also here the same error. Currently I have Windows 10 build 17134.228 installed
I had a similar issue to yours. I have spent one day trying to figure it out.
Not sure if your problem is the exact same as mine, but in any case, here is what I did:
%USERPROFILE%\AppData\Roaming\Microsoft\Crypto\Keys
%USERPROFILE%\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX
I sorted the files by date and realized that there were three files with the same date as the day I tried to add the certificates to my storage (one for each cert). (I'm sorry, but I can't find any relationship between the file names and the certificates like thumbprint or serial, so sorting by date was my best shot)
For some malicious reason (I call it Microsoft), when I deleted the certificates it seems that my private keys ended up staying on my system.
So, after removing the certificates on the "user certificates (mmc)" and removing the private keys on both folders, I did a reboot (just in case) and voilà, everything is working properly now.
PS: My problem was not related to this project, just with Microsoft signing tools.
Also have a look at https://stackoverflow.com/a/31138059/4549776 There were 5 (!) different signtool versions installed on the system.
Here is another solution related to a problem with codesigning using electron builder on Travis Windows builds: https://travis-ci.community/t/codesigning-on-windows/1385
I want to sign my code with my own cert (now accepted by windows, it means no security warning from Smart Screen, so I don't need a verified cert at the moment).
This is not my first code sign and therefore I was very surprised when I got this error: "SignTool Error: The specified private key container was not found." (winCodeSign version: 2.1.0). I've been using an older electron builder version for a long time now and think there was a change.
Anybody have any idea what that might be? For your information, in the package.json certificateFile and certificate Password are defined and have not been changed since the last successful code sign. Cert's information is also recognized and output correctly: http://prntscr.com/k5tq1z