electron / windows-installer

Build Windows Installers for Electron apps
MIT License

Is codesigning supposed to work from non-windows? #27

Open jkudish opened 8 years ago

jkudish commented 8 years ago

When I try to build the app from a non-windows machine (Ubuntu 15.10 in this case), I get the following error:

Error: Failed with exit code: 255
Output:
System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: '[path censored]/node_modules/electron-winstaller/vendor/signtool.exe sign /a /f "/[path censored]/build/codesigningcertificate.pfx" /p "[password censored]" [path truncated]/.local/share/SquirrelTemp/tempa/lib/net45/[filename censored].exe'

There's also a long stacktrace not included for the sake of brevity.

anaisbetts commented 8 years ago

It doesn't at the moment; Wine doesn't correctly support code signing.

develar commented 8 years ago

Solution: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Signing_an_executable_with_Authenticode

feross commented 8 years ago

Supposedly, according to the MDN article, wine supports code signing. Is the article out of date?

kevinsawicki commented 8 years ago

I'm working on a fix for this currently to use https://sourceforge.net/projects/osslsigncode/ to sign windows assets from mac.

My plan is to add support for it here for installers and on electron-packager for .exe.

kevinsawicki commented 8 years ago

I tried to use signcode (instead of osslsigncode) originally from that mdn article but it does not appear to support sha256 signatures which Windows 10 requires I believe.

feross commented 8 years ago

@kevinsawicki Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

feross commented 8 years ago

Also, thanks for working on this!

kevinsawicki commented 8 years ago

Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

signcode only supports sha1 or md5 I believe.

Usage: signcode [options] filename

    -spc spc    Software Publisher Certificate file
    -v pvk      Private Key file
    -a md5 | sha1   Hash Algorithm (default: MD5)
    -$ indivisual | commercial  Signature type

https://github.com/mono/mono/blob/5e80f625b93706328c9a22b1cbb73300f2ea2186/mcs/tools/security/signcode.cs#L38

kevinsawicki commented 8 years ago

Atom switched to dual signing via native signtool a while ago with sha1 and sha256 signatures and I couldn't get that working with signcode.

feross commented 8 years ago

electron-builder discussion here: https://github.com/electron-userland/electron-builder/issues/314

feross commented 8 years ago

@kevinsawicki just published kevinsawicki/signcode which I think should be used in windows-installer when building from OS X.

mermaid commented 8 years ago

I'm currently trying to do the signing myself using osslsigncode or signcode to sign on my mac for the time being. But I'm curious as to what all files I have to sign? Do I sign all the Squirrel .exe's and my built .exe, then build it and sign the installer?

develar commented 8 years ago

I have started work to use https://github.com/kevinsawicki/signcode in the electron-builder (PR will be in this package, of course).

develar commented 8 years ago

@mermaid Don't reinvent the wheel. Just use electron-builder — https://github.com/electron-userland/electron-builder/issues/314#issuecomment-212269472

Fixed in my fork/electron-builder — PR will be this/next week.

feross commented 8 years ago

@develar It's a good question though. I'm wondering if all the .exe files need to be signed, or not?

develar commented 8 years ago

@feross Answered in the linked comment — "electron-builder uses signcode to sign app exe regardless of Squirrel.Windows". Yes, you should sign the app exe as well. Maybe no one forces you to do it, but you should.

feross commented 8 years ago

@develar Shouldn't the .dlls also be signed?

develar commented 8 years ago

@feross http://stackoverflow.com/a/4716079 But only @kevinsawicki or @paulcbetts can answer as experts.

anaisbetts commented 8 years ago

@feross You can but it doesn't really make a difference to AV. You should sign your executables, including Squirrel.exe which is hard to do by signing yourself, which is why Squirrel has it built-in as part of its packager.

develar commented 8 years ago

electron-builder since 3.20 (will be released soon) will correctly sign your app — dual code sign (sha1+sha256) + timestamp (by default windows-installer on Windows signs using sha1 without a timestamp).

Sorry, I am not going to prepare a PR since the intermediate https://github.com/electron/windows-installer/pull/77 is rejected and I don't want to waste my time resolving merge conflicts. Anyway, the solution is mostly implemented as part of the signcode npm module (a PR will follow if https://github.com/kevinsawicki/signcode/issues/4).
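The two questions running through this thread, which files in the build output actually carry a signature, and whether a given file is dual-signed (sha1 plus sha256) as develar describes, can both be answered by reading the PE certificate table rather than guessing. The script below is an added example, not code from this issue or from the windows-installer or electron-builder projects: it locates IMAGE_DIRECTORY_ENTRY_SECURITY, walks the WIN_CERTIFICATE entries, reads the digestAlgorithms of the outer PKCS#7 SignedData, and also looks for signatures nested with signtool /as or osslsigncode -nest (stored under the 1.3.6.1.4.1.311.2.4.1 attribute). It does not check the timestamp countersignature. All function names are mine, and the sample images and PKCS#7 blobs are constructed inline so it runs offline; it does not verify that signatures are valid, only that they are present and which digests they use.

```python
"""Audit build output for Authenticode signatures (added example; constructed samples, not real certs)."""
import struct
from pathlib import Path

SECURITY_DIR_INDEX = 4                                   # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")    # 1.2.840.113549.1.7.2
OID_SHA1 = bytes.fromhex("2b0e03021a")                   # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")         # 2.16.840.1.101.3.4.2.1
OID_NESTED_SIG = bytes.fromhex("2b060104018237020401")   # 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE)
NESTED_ATTR = b"\x06\x0a" + OID_NESTED_SIG               # DER encoding of that attribute-type OID
OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def digest_algorithms(content_info):
    """ContentInfo -> [0] SignedData -> digestAlgorithms, as names such as ['sha1']."""
    _, body, _ = der_tlv(content_info, 0)
    _, _, pos = der_tlv(body, 0)                         # contentType OID (skipped)
    _, explicit0, _ = der_tlv(body, pos)                 # [0] EXPLICIT SignedData
    _, signed_data, _ = der_tlv(explicit0, 0)
    _, _, pos = der_tlv(signed_data, 0)                  # version INTEGER (skipped)
    _, algos, _ = der_tlv(signed_data, pos)              # SET OF AlgorithmIdentifier
    names, pos = [], 0
    while pos < len(algos):
        _, alg_id, pos = der_tlv(algos, pos)
        oid = decode_oid(der_tlv(alg_id, 0)[1])
        names.append(OID_NAMES.get(oid, oid))
    return names


def nested_digests(blob):
    """Digests of nested signatures. They sit in the first SignerInfo's unauthenticated attributes;
    scanning for the attribute OID is a shortcut that avoids walking SignerInfo in full."""
    names, start = [], 0
    while (i := blob.find(NESTED_ATTR, start)) != -1:
        _, values, start = der_tlv(blob, i + len(NESTED_ATTR))   # SET OF ContentInfo
        pos = 0
        while pos < len(values):
            _, _, nxt = der_tlv(values, pos)
            names += digest_algorithms(values[pos:nxt])
            pos = nxt
    return names


def security_directory(pe):
    """(file offset, size) of the certificate table, or (0, 0) when the image has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                                  # after NT signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+ data-directory offset
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR_INDEX:   # NumberOfRvaAndSizes
        return 0, 0
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)  # a raw file offset, not an RVA


def signature_report(pe):
    """{'signed': bool, 'digests': [...]} for one image."""
    offset, size = security_directory(pe)
    report, pos, end = {"signed": False, "digests": []}, offset, offset + size
    while size and pos + 8 <= end:                       # WIN_CERTIFICATE entries, 8-byte aligned
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blob = pe[pos + 8:pos + length]
            report["signed"] = True
            report["digests"] += digest_algorithms(blob) + nested_digests(blob)
        pos += (length + 7) & ~7
    return report


def audit_build_dir(root):
    """Map every .exe/.dll under root (e.g. the installer's lib/net45) to its report."""
    root = Path(root)
    return {str(p.relative_to(root)): signature_report(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.suffix.lower() in (".exe", ".dll")}


# --- constructed sample data; minimal structures, not real certificates ---
def der(tag, value):
    n = len(value)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + value


def sample_pkcs7(digest_oid, extra=b""):
    """SignedData with one digestAlgorithm; extra lets a nested-signature attribute be appended."""
    alg = der(0x30, der(0x06, digest_oid) + der(0x05, b""))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, alg) + extra)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))


def sample_pe(cert_blob=None):
    """Minimal PE32+ image with no sections and an optional certificate table."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    win_cert = b""
    if cert_blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        win_cert += bytes(-len(win_cert) % 8)
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, len(dos) + 24 + 240, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


NESTED_SHA256 = der(0x30, der(0x06, OID_NESTED_SIG) + der(0x31, sample_pkcs7(OID_SHA256)))
DUAL_SIGNED = sample_pe(sample_pkcs7(OID_SHA1, NESTED_SHA256))
SHA1_ONLY = sample_pe(sample_pkcs7(OID_SHA1))
UNSIGNED = sample_pe()

if __name__ == "__main__":
    for name, image in [("dual", DUAL_SIGNED), ("sha1-only", SHA1_ONLY), ("unsigned", UNSIGNED)]:
        print(name, signature_report(image))
```

Run audit_build_dir over the unpacked installer to get one line per .exe/.dll; a file reported as sha1-only is what windows-installer produces by default per the comment above, and a dual-signed file shows both digests. The OID scan in nested_digests is a deliberate shortcut for an audit script; a full implementation would walk SignerInfo.unauthenticatedAttributes.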

feross commented 8 years ago

@kevinsawicki We still want to use your signcode package when we're on non-Windows platforms, right?

@develar Is your PR https://github.com/electron/windows-installer/pull/77 required for signcode integration? Seems like an unrelated issue, no?

kevinsawicki commented 8 years ago

We still want to use your signcode package when we're on non-Windows platforms, right?

Yup, currently it only works on Mac, but Linux support should be straightforward, just haven't added it yet.

dustinblackman commented 7 years ago

For all the Googlers ending up in this issue looking for a solution, I've built a dirty workaround that gets the job done. https://github.com/dustinblackman/mono-signtool

weedgrease commented 7 years ago

Just landed here trying to sign my Windows electron application that's being built on my macOS dev machine. @dustinblackman's workaround seems to sidestep the problem but I'm curious if anything was merged into either this repo or electron-builder to support signing Windows builds on macOS.

develar commented 7 years ago

electron-builder supports codesign on all platforms, including Linux. The only limitation is that EV certificates on smartcards are not supported.

mavrick commented 7 years ago

cheeky bump

mavrick commented 7 years ago

So, I managed to get around this on Ubuntu 16.04 with a manual sign step using osslsigncode.

I'm only signing the .exe and not the contents.

alexstrat commented 7 years ago

Looking at the thread, it looks like we can drop https://github.com/kevinsawicki/signcode here to support windows code-signing from non-windows from a Mac. Is that correct? Is there any known blocker for that?

(Or use electron-builder indeed)

danishin commented 1 year ago

You can sign an exe file on macOS using jsign, which is basically a Java version of Microsoft Authenticode. I had to spend my afternoon on this. Hope this helps.

    java -jar bin/lib/jsign/jsign-4.2.jar \
      --storetype PKCS12 \
      --keystore ???.pfx \
      --tsaurl http://timestamp.sectigo.com \
      --alias '???' \
      --storepass '???' \
      "out/make/squirrel.windows/x64/???.exe"

reddybhavanish commented 10 months ago

Hi @feross, do you have any idea how to codesign the Electron application in CircleCI for a Mac build?