const { execFile } = require('child_process');
// Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
/**
 * Assemble the signtool option list (everything after the `sign` verb) for
 * a single file.
 *
 * Reads `options.hash`, `options.isNest` and `options.path`, plus
 * `options.options.timeStampServer` / `options.options.rfc3161TimeStampServer`
 * unless the ELECTRON_BUILDER_OFFLINE environment variable is "true".
 *
 * @param {object} options - Signing request; presumably the object
 *     electron-builder hands to a custom sign hook (confirm against caller).
 * @param {string} keyContainer - Passed verbatim as the `/kc` value.
 * @returns {string[]} signtool arguments, with the target path last.
 */
function computeSignToolArgs(options, keyContainer) {
    // Offline builds skip every timestamping-related switch.
    const timestampingEnabled = process.env.ELECTRON_BUILDER_OFFLINE !== "true";
    const signToolArgs = [];

    if (timestampingEnabled) {
        // Both fallback URLs are plain http.
        // NOTE(review): timestamp tokens are signed by the timestamp
        // authority, so http is common here; confirm it matches build policy.
        const legacyUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
        if (options.isNest || options.hash === "sha256") {
            // RFC 3161 timestamping for nested or sha256 signatures.
            signToolArgs.push(
                "/tr",
                options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161",
            );
        } else {
            signToolArgs.push("/t", legacyUrl);
        }
    }

    // NOTE(review): keyContainer ends up on the signtool command line. If it
    // carries a token password (common when automating eToken signing;
    // confirm for this build), treat anything that records these arguments as
    // sensitive.
    signToolArgs.push('/kc', keyContainer);

    // Select the hardware token's provider (this should probably be less
    // hardcoded).
    signToolArgs.push('/csp', 'eToken Base Cryptographic Provider');

    // Certificate file. Passing the file appears to be the only way of naming
    // the cert that works: with the subject name or hash, signtool says it
    // can't associate the private key to the certificate.
    // TODO: Find a way to pass this through from the electron-builder config
    // so it does not have to be hard-coded here.
    // fwiw https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing
    // is about the most useful resource on automating code signing...
    signToolArgs.push('/f', 'element.io\\New_Vector_Ltd.pem');

    const needsExplicitDigest = options.hash !== "sha1";
    if (needsExplicitDigest) {
        signToolArgs.push("/fd", options.hash);
        if (timestampingEnabled) {
            signToolArgs.push("/td", "sha256");
        }
    }

    // Nested signing only: msi does not support dual-signing.
    if (options.isNest) {
        signToolArgs.push("/as");
    }

    // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
    signToolArgs.push("/debug");

    // The file to sign must be the last argument.
    signToolArgs.push(options.path);

    return signToolArgs;
}
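/**
 * Sign one file by running `signtool sign ...` with the arguments built by
 * computeSignToolArgs. Presumably wired in as electron-builder's custom
 * Windows sign hook (confirm against the build config).
 *
 * If SIGNING_KEY_CONTAINER is not set, signing is skipped with a warning and
 * the returned promise still resolves, so the build succeeds with an UNSIGNED
 * artifact. Release pipelines should verify the signature afterwards rather
 * than rely on this hook having succeeded.
 *
 * @param {object} options - Signing request forwarded to computeSignToolArgs.
 * @returns {Promise<void>} Resolves when signtool exits successfully or
 *     signing was skipped; rejects with a string message when signtool fails.
 */
exports.default = async function(options) {
    const keyContainer = process.env.SIGNING_KEY_CONTAINER;
    if (keyContainer === undefined) {
        // Only `undefined` skips. An empty value still reaches signtool, so a
        // misconfigured variable fails the build instead of skipping quietly.
        console.warn(
            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" +
            "! Skipping Windows signing.          !\n" +
            "! SIGNING_KEY_CONTAINER not defined. !\n" +
            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!",
        );
        return;
    }

    return new Promise((resolve, reject) => {
        const args = ['sign'].concat(computeSignToolArgs(options, keyContainer));

        execFile('signtool', args, {}, (error, stdout, stderr) => {
            if (!error) {
                resolve();
                return;
            }

            // Report the exit code (or the terminating signal), not the Error
            // itself: an execFile Error stringifies to "Command failed:
            // <full command line>", which would put the /kc value in the log.
            // NOTE(review): that value may embed the token password; confirm.
            const hasCode = error.code !== null && error.code !== undefined;
            const message = "signtool failed with code " + (hasCode ? error.code : error.signal);

            console.error(message);
            // signtool's own output is the useful diagnostic; stderr was
            // previously only visible as part of the Error string.
            console.log(stdout);
            console.error(stderr);

            // Still rejects with a string so existing callers see the same type.
            reject(message);
        });
    });
};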