electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Configure electron-builder to only sign specified files #5210

Closed gumispl closed 3 years ago

gumispl commented 4 years ago

I'm using an EV Code Signing certificate to avoid Windows SmartScreen warnings when launching the NSIS installer. I just added the 'certificateSubjectName' property to my 'builderOptions' section and it auto-magically works. But my EV Code Signing certificate requires a USB smart card, and it asks me many, many times to enter the PIN for it during the signing process. This is very annoying and frustrating.

Is there a way to tell Windows to remember the PIN? Or maybe it is possible to configure electron-builder to only sign the final installer exe?

I tried to sign the final installer exe manually with signtool.exe instead of relying on electron-builder, but then latest.yml has wrong hashes and the auto-updater breaks.

kzimny commented 4 years ago

You can enable single sign-on as follows: [image]

gumispl commented 4 years ago

Unfortunately I'm not using the SafeNet client. I have a certificate from CERTUM which is supplied with the client app proCertum Card Manager, which doesn't have such an option.

kzimny commented 4 years ago

Why don't you ask the certificate provider?

StaZhu commented 4 years ago

> Unfortunately I'm not using the SafeNet client. I have a certificate from CERTUM which is supplied with the client app proCertum Card Manager, which doesn't have such an option.

Having the same issue as you, I think electron-builder should make the win.certificatePassword option suitable for both EV and non-EV certs.

The code below seems to show that as long as the /p arg is provided, we will not need to input the password manually.

```ts
// app-builder-lib/src/codeSign/windowsCodeSign.ts
const password = options.cscInfo == null ? null : (options.cscInfo as FileCodeSigningInfo).password
if (password) {
  args.push(isWin ? "/p" : "-pass", password)
}
```

gumispl commented 4 years ago

> Why don't you ask the certificate provider?

I had asked, and unfortunately they have no solution.

> Having the same issue as you, I think electron-builder should make the win.certificatePassword option suitable for both EV and non-EV certs. The code below seems to show that as long as the /p arg is provided, we will not need to input the password manually.

I think that this is not that easy, as this argument serves a different purpose:

> /p Specify a password to use when opening the PFX file.

I see two possible workarounds:

  1. electron-builder should allow us to specify which files to sign (e.g. I don't want to sign third-party libraries)
  2. I haven't checked it, but it seems that electron-builder signs every exe independently instead of bulk signing (signtool.exe accepts multiple files at once). This would greatly reduce the number of PIN dialogs (not entirely, as the final installer must be processed separately).

stale[bot] commented 4 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

gumispl commented 4 years ago

I'm still looking for a solution.

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

melbarra88 commented 2 years ago

> I'm still looking for a solution.

Did you find a solution?

gumispl commented 2 years ago

> Did you find a solution?

Unfortunately no.