electron / forge

:electron: A complete tool for building and publishing Electron applications
https://electronforge.io
MIT License

Update Docs for cloud-based EV code signing #3617

Open PascalPixel opened 4 months ago

PascalPixel commented 4 months ago

Problem description

The docs haven't been updated for a year now regarding Windows code signing. Electron's own docs have, however, and make reference to windowsSign in Forge, but I would love to have examples of how to use windowsSign in Forge in combination with MakerSquirrel, as I seem unable to get it working with SSL.com's cloud signing after several months of stumbling in and out of trying 🤡

Proposed solution

Update the docs with examples for;

Alternatives considered

I tried Electron Forge SSL Code Sign Plugin but it runs too late and doesn't update the RELEASES file, meaning no updates are installed on Windows due to a checksum mismatch.

Additional information

No response

PascalPixel commented 4 months ago

Here's mine that works for SSL.com;

import path from "path";
import type { ForgeConfig } from "@electron-forge/shared-types";

const forgeConfig: ForgeConfig = {
  packagerConfig: {
    // invalid according to TypeScript,
    // but this is the only place it works,
    // all the other places you can put this key will *not* pick it up
    // during the build process and use the built-in signTool
    // @ts-ignore
    signToolPath: path.resolve(
      "C:\\Users\\circleci\\project\\CodeSignTool.bat",
    ),
    // credentials are read from CI environment variables and
    // passed to CodeSignTool as command-line parameters
    signWithParams: [
      `-override="true"`,
      `-credential_id="${process.env.WINDOWS_CERT_CREDENTIAL_ID}"`,
      `-username="${process.env.WINDOWS_CERT_USER_NAME}"`,
      `-password="${process.env.WINDOWS_CERT_PASSWORD}"`,
      `-totp_secret="${process.env.WINDOWS_CERT_USER_TOTP}"`,
    ],
  },
};

export default forgeConfig;

ndench commented 3 months ago

I've been trying to use the WindowsSign options with MakerWix. According to the code, the config is just passed directly into MSICreator (https://github.com/electron/forge/blob/main/packages/maker/wix/src/MakerWix.ts#L40) which supports the option (https://github.com/electron-userland/electron-wix-msi/blob/master/src/creator.ts#L74) so maybe it's as simple as updating the MakerWixConfig interface (https://github.com/electron/forge/blob/main/packages/maker/wix/src/Config.ts#L3)?

PascalPixel commented 3 months ago

As my last code snippet said, even though TypeScript reports it as invalid, I found this the only place to put the signing config that actually picks up the options: packagerConfig

Give that a try?

NickBurnam commented 3 months ago

I am also running into a similar situation using an SSL EV certificate and the @electron-forge/maker-squirrel. I set up the SSL eSigner CKA using the SSL guide to automate with signtool.exe and got it working on its own outside of Forge. Unfortunately, I need to use the SSL CodeSignTool pre-signing malware scan as well, but I'm not sure how to use it within the Forge build config.

Ananym commented 2 months ago

I've also been trying all day to get Squirrel to actually use the windowsSign config that is described in the docs, with no luck. I'm definitely misunderstanding something here.

Running in the package step is going to cause Squirrel's various generated binaries to go unsigned, which isn't going to work for us.