electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License
13.61k stars 1.74k forks source link

Add support for other signtool arguments - DigiCert codesign #8249

Open benoist opened 3 months ago

benoist commented 3 months ago

Currently the computeSignToolArgs can't work with DigiCert codesign with EV certificates using a USB token

const {exec} = require("builder-util")

exports.default = async function (configuration) {
  const timeout = parseInt(process.env.SIGNTOOL_TIMEOUT, 10) || 10 * 60 * 1000
  const tool = process.env.SIGNTOOL_PATH

  let args = ["sign", "/fd", configuration.hash, "/td", configuration.hash, "/tr", "http://timestamp.digicert.com"]
  args.push("/csp", "eToken Base Cryptographic Provider")
  args.push("/f", process.env.SIGNTOOL_CERT_NAME)
  args.push("/k", process.env.SIGNTOOL_PASSWORD)

  args.push("/v", configuration.path)

  try {
    await exec(tool, args, {timeout, env})
  } catch (e) {
    if (e.message.includes("The file is being used by another process") || e.message.includes("The specified timestamp server either could not be reached")) {
      console.warn(`First attempt to code sign failed, another attempt will be made in 15 seconds: ${e.message}`)
      await new Promise((resolve, reject) => {
        setTimeout(() => {
          exec(tool, args, {timeout, env}).then(resolve).catch(reject)
        }, 15000)
      })
    }
    throw e
  }
}

The password requires the format explained here

https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken

So the /csp is missing from the current computeSignToolArgs and the file name currently expects a .p12 but with the USB token, you can only use a certificate without private key.

I'm not sure what the best naming would be for the addition to the sign tool args, but it would be great if this can be added as standard options as USB tokens are now required for Code signing certificates by default. .p12 or .pfx files won't be supported anymore due to updated security standards from the CAB.

mmaietta commented 3 months ago

Great callout. I'm looking at the code and there's a lot of isWin logic

Most notably, I'm not sure what the different arg would be for running it when vmRequired = true as that executes within a Parallels VM it looks like (link) https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/app-builder-lib/src/codeSign/windowsCodeSign.ts#L158-L166

github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.