electron / windows-installer

Build Windows Installers for Electron apps
MIT License

Sign Windows application with external tool #174

Open drjasonharrison opened 7 years ago

drjasonharrison commented 7 years ago

In #109 @paulcbetts wrote: "It signs all of your executables and update.exe, then signs the outer MSI/EXE"

Is it possible to sign the executables with a different tool? We have an enterprise application signing tool that keeps certificates off of our development machines.

I am writing code to:

  1. run electron-packager on our project
  2. sign the output of electron-packager
  3. call electron-winstaller to create the installer
  4. sign the output of electron-winstaller

Unfortunately, update.exe is not available in any of these steps.

A separate issue is that the resources/*.asar files are not signed. This leaves a potential attack vector open. https://github.com/electron-userland/electron-packager/issues/656

drjasonharrison commented 7 years ago

Possible solution:

  1. after electron-builder runs, sign all executables using the external tool, including node_modules/electron-winstaller/vendor/update.exe.
  2. continue with electron-winstaller to create output project-installer.exe
  3. sign project-installer.exe with external tool

It appears that squirrel/squirrel-windows has had a few pull requests to support external code signing tools other than the bundled signtool.exe. None of them have been merged.

Another option is replacing the signtool.exe in node_modules/electron-winstaller/vendor with a different version, here a small tool that calls osslsigncode:

develar commented 7 years ago

Do you use electron-builder or electron-packager?

drjasonharrison commented 7 years ago

electron-packager, final answer

develar commented 7 years ago

JFYI: https://github.com/electron-userland/electron-builder/issues/1299
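
The signing order proposed in the thread (sign the packaged executables and the vendor update.exe, build the installer, then sign the installer) depends on not missing a binary in the first pass. The following is an added example, not code from the thread or from electron-winstaller: it builds that first-pass file list by content rather than by extension and reports the .asar archives the pass leaves unsigned. The signer name `external-sign` and the sample directory tree are assumptions constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const SIGNER = 'external-sign'; // hypothetical CLI name for the external signing tool

// PE files begin with the bytes "MZ"; checking content also catches native
// modules (.node, .dll) that an "*.exe" filter would miss.
function isPE(file) {
  const fd = fs.openSync(file, 'r');
  try {
    const buf = Buffer.alloc(2);
    return fs.readSync(fd, buf, 0, 2, 0) === 2 && buf.toString('latin1') === 'MZ';
  } finally {
    fs.closeSync(fd);
  }
}

function walk(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) =>
    e.isDirectory() ? walk(path.join(dir, e.name)) : [path.join(dir, e.name)]);
}

// Plan for the step before the installer is built: every PE file in the packaged
// app plus the vendor update.exe named in the thread. .asar files are only reported.
function signingPlan(appDir, vendorDir) {
  const files = walk(appDir).sort();
  const update = path.join(vendorDir, 'update.exe');
  if (!fs.existsSync(update)) throw new Error(`update.exe not found in ${vendorDir}`);
  const toSign = files.filter(isPE).concat(update);
  return {
    toSign,
    unsignedAsar: files.filter((f) => f.endsWith('.asar')),
    commands: toSign.map((f) => [SIGNER, f]), // argv arrays, no shell quoting
  };
}

// Constructed sample tree standing in for electron-packager output.
function demoTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'sign-plan-'));
  const app = path.join(root, 'app-win32-x64');
  const vendor = path.join(root, 'vendor');
  fs.mkdirSync(path.join(app, 'resources'), { recursive: true });
  fs.mkdirSync(vendor);
  for (const f of ['app.exe', 'native.node']) fs.writeFileSync(path.join(app, f), 'MZ-constructed');
  fs.writeFileSync(path.join(app, 'resources', 'app.asar'), 'constructed');
  fs.writeFileSync(path.join(vendor, 'update.exe'), 'MZ-constructed');
  return { app, vendor };
}
```

Each entry in `commands` is an argument array suitable for `child_process.execFileSync`; the installer produced afterwards is signed with the same tool as a final step.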