Open mahnunchik opened 1 year ago
Hi, I have to renew my cert for Beekeeper Studio and I'm seeing the same problem. Is it not possible to just download a private key anymore?
I feel like desktop apps are taking backwards steps.
Hoping someone can help here with a workaround!
Haven't tried this out myself, but major cloud services now provide CloudHSM and KMS services that you can integrate into your CI pipeline.
At a high level, you would want to get those set up in the CI environment and pass the correct parameters to signtool via the winstaller `signWithParams` parameter.
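As an added illustration of how the HSM route slots into the same place the PFX used to (example code written for this thread, not from electron-builder or DigiCert), the helper below builds the `win` section of an electron-builder config from environment variables. With `WIN_CSC_LINK` and `WIN_CSC_KEY_PASSWORD` set it emits the classic `certificateFile`/`certificatePassword` pair; with KSP-style variables set it emits a `signWithParams` string for signtool's `/csp`, `/kc` and `/f` switches, so the private key never leaves the HSM and the CI job only holds a public certificate plus an API credential. The `SM_*` variable names, the `PLACEHOLDER` KSP name and the cert path are assumptions, not real identifiers.

```javascript
// Added example (not part of the thread, electron-builder or DigiCert docs).
// Builds the electron-builder "win" signing config from environment variables.
// SM_* names and the placeholder KSP name are assumptions for illustration.

// Wrap a value in double quotes so signtool receives it as one argument.
function shellQuote(value) {
  return `"${String(value).replace(/"/g, '\\"')}"`;
}

function buildWinSignConfig(env) {
  // Legacy path: a PFX (private key inside) plus its password, both as CI secrets.
  if (env.WIN_CSC_LINK && env.WIN_CSC_KEY_PASSWORD) {
    return {
      certificateFile: env.WIN_CSC_LINK,
      certificatePassword: env.WIN_CSC_KEY_PASSWORD,
      signingHashAlgorithms: ['sha256'],
    };
  }

  // HSM path: signtool is pointed at a Key Storage Provider (KSP) and a key alias.
  // The KSP client authenticates to the cloud HSM; the key itself is never exported.
  // Only the public certificate (.crt, no private key) is checked out on the runner.
  if (env.SM_KSP_NAME && env.SM_KEY_ALIAS && env.SM_CERT_FILE) {
    const params = [
      '/csp', shellQuote(env.SM_KSP_NAME),  // provider name, e.g. "PLACEHOLDER KSP"
      '/kc', shellQuote(env.SM_KEY_ALIAS),  // key alias inside the HSM
      '/f', shellQuote(env.SM_CERT_FILE),   // public certificate file
    ].join(' ');
    return { signWithParams: params, signingHashAlgorithms: ['sha256'] };
  }

  // Fail closed: an unsigned build that slips through is worse than a red pipeline.
  throw new Error('no code-signing credentials configured; refusing unsigned build');
}

module.exports = { buildWinSignConfig, shellQuote };
```

Timestamping (`/tr`, `/td`) and the digest (`/fd`) are left out of the `signWithParams` string on purpose: electron-builder adds those from its own options, so check your installed version's docs before duplicating them. After the build, run `signtool verify /pa /v` on the installer in a later CI step so a misconfigured KSP shows up as a failed job rather than as a SmartScreen warning on users' machines.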
Sure, but the Amazon HSM starts at $1000 per month minimum. ($1.45/hour)
This only impacts EV certs, if you're the kind of organization that needs EV but doesn't have the resources to spin up an HSM then that's unfortunately the New Reality.
There are other cloudhsm~esque solutions (none of these are endorsements)
Some of which may be cheaper idk
Now even OV certs require an HSM it seems? So it's hardware token or bust as far as I can tell?
Does Electron-builder allow the use of https://knowledge.digicert.com/solution/digicert-keylocker.html then? I have Digicert EV certs, used to just provide the PFX and Password as secrets to Github actions and Electron-builder took care of it (very well and easy) but now I need a hardware token? (Can't plug USB into GitHub's servers) so will need to use some other method.
https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html would that work with github actions and electron-builder? How would it tie in - used to do it as a step as part of electron-builder by specifying WIN_CSC https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/f3c9b79ecdea7bac5a151a3fbd776d5272162c6d/.github/workflows/build.yml#L40-L41
https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html looks like it should work - will test tomorrow or next week
@petervanderwalt Hi Peter, just wondering how your testing went? Are you able to share your actions workflow?
Still haven't gotten it working, though in our case procurement of the Keylocker/HSM is the delay, business side of things
I'm diving into this process now, so just wondered if any updates on use of the HSM? I'm using Electron-forge. Thanks!
I haven't been able to circle back to this yet myself, but check out https://github.com/OpenBuilds/OpenBuilds-CONTROL/issues/321#issuecomment-1798598572
@petervanderwalt Any updates? I am in a similar situation... (small app, users cannot install app since Windows SmartScreen is blocking it)
Finally got mine sorted.
Using digicert + keylocker to store the cert, and Github actions + electron builder to build and sign the app
https://github.com/OpenBuilds/OpenBuilds-CONTROL/issues/321#issuecomment-2044444457
Could anybody help to figure out how to sign a Windows Electron application on CI? Maybe there is an option to export a well-known `pfx` certificate locally?