Open nsinghbs opened 3 years ago
I have the same issue. I use a USB dongle for EV code signing. It keeps asking for PIN code, at least 6 times during `electron-build` process. I tried `CSC_KEY_PASSWORD` and `WIN_CSC_KEY_PASSWORD` as said in the doc
I am having the same issue even with including the `win.certificateSubjectName` as outlined in the documentation here. That section also states:
> it is not possible to export the EV Certificate as it is bound to a physical USB dongle. Thus, you can’t export the certificate for signing code on a CI, such as AppVeyor.

However, you can export the certificate, just not its private key. And, following the steps in the accepted answer on this SO post, you can sign applications in a CI environment as long as you own the server and have the USB token plugged in--no need to manually unlock the EV cert token with every execution of `signtool.exe`, even after reboot.
It would be fantastic if `electron-builder` would support the use of `.pem` certs and enable this useful, albeit undocumented, feature of Windows signtool.
> I have the same issue. I use a USB dongle for EV code signing. It keeps asking for PIN code, at least 6 times during `electron-build` process. I tried `CSC_KEY_PASSWORD` and `WIN_CSC_KEY_PASSWORD` as said in the doc

@adriencarbonaro what variables in settings do you use for the EV certificate to be used during your build and what do you point them to?
Example, `certificateSubjectName` to `"<subjectname>"`
I use `certificateSha1` rather than `certificateSubjectName`. `electron-builder` finds it but always asks for dongle password.
> I use `certificateSha1` rather than `certificateSubjectName`. `electron-builder` finds it but always asks for dongle password.

If you sign using jSign, you can pass the token pin code in the command like so:
```
java \
  -jar jsign-3.1.jar \
  --keystore eToken.cfg \
  --storepass "${tokenPassword()}" \
  --storetype PKCS11 \
  --tsaurl http://timestamp.digicert.com \
  --alias "tokenName"
```
Is it possible to use `certificateSha1` with `WIN_CSC_KEY_PASSWORD` in electron-builder?
Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Bumping this to prevent it from being closed. Not being able to use an EV Code Signing cert without being "physically" signed into our build machine makes for a very cumbersome CI and deploy process for our electron apps.
If `electron-builder` supported the exported EV `.pem` certs and additional env vars that could enable use of these types of certs as described in this SO post, it would be a game changer.
Also running into this issue, I'm currently automating our code signing procedure and this is a huge blocker not being able to sign it without having to physically enter the password in.
Wanted to bump this as this is an important step in our build process and there seems to be no solution.
> Also running into this issue, I'm currently automating our code signing procedure and this is a huge blocker not being able to sign it without having to physically enter the password in.

I haven't yet made an automated deploy around this, but what we've achieved to do is that the password gets entered by a defined config.
The project solution is an electron with vuejs, this is how I managed to get our code signing functioning after days of googling around:
https://github.com/ebourg/jsign/issues/79#issuecomment-638382470
using this gist https://gist.github.com/Littlebigdondon/08bab1f3936d185cdd068608689cc444
I'm also having the same issue. I need to type the password 5-6 times when signing my app
I am the same, the password has been configured, but still requires entering the password, is there any solution
This is how I bypass the "Please enter the password for the hardware token" step when signing in a Vue+Electron project.
The same setup can be done with whatever though.
`.env`
```
# Code signing
CSC_LINK=./code_sign/cert.p12
CSC_KEY_PASSWORD=<something>
```
`vue.config.js`
```js
win: {
  ...
  sign: "./code_sign/ev_sign/sign.js",
  ...
}
```
`code_sign/ev_sign/sign.js`
```js
const CERTIFICATE_NAME = process.env.TOKEN_ALIAS;

exports.default = async function(configuration) {
  // Prompt only when TOKEN_KEY is not already set, then cache the answer
  // in the environment so later calls reuse it.
  const tokenPassword = () => {
    if (!process.env.TOKEN_KEY) {
      process.env.TOKEN_KEY = require("readline-sync").question(
        "\n\n\tPlease enter the password for the hardware token: ",
        {
          hideEchoBack: false, // true would mask the password as it is typed
        },
      );
    }
    return process.env.TOKEN_KEY;
  };

  // --storepass is how we skip the "require password" step.
  // (This comment sits outside the template literal so that it does not
  // become part of the command line.)
  require("child_process").execSync(
    `java \
      -jar jsign-3.1.jar \
      --keystore eToken.cfg \
      --storepass "${tokenPassword()}" \
      --storetype PKCS11 \
      --tsaurl http://timestamp.digicert.com \
      --alias "${CERTIFICATE_NAME}" \
      "${configuration.path}"
    `,
    {
      stdio: "inherit",
    },
  );
};
```
The real magic happens here in the `sign.js` file.
2.23.3
electron-builder is not accepting CSC_KEY_PASSWORD set password. I am using a Digicert EV Hardware Token with Windows but the Safenet Auth Client windows keep popping up asking for the password. It happens at least 10 times, so I have to manually enter the password 10 times. Is anyone else facing this problem?