Merge pull request #40 from vector-im/dbkr/winsign

Add a windows signing script
2025-01-18 23:44:59 +01:00 · 2020-03-06 17:23:53 +00:00 · 2020-03-06 17:23:53 +00:00 · 2fe6040c23
commit 2fe6040c23
parent 6637787366 0304096e46
3 changed files with 111 additions and 2 deletions
--- a/package.json
+++ b/package.json
@ -97,12 +97,13 @@
    "win": {
      "target": {
        "target": "squirrel"
-      }
+      },
+      "sign": "scripts/electron_winSign"
    },
    "directories": {
      "output": "dist"
    },
-    "afterSign": "scripts/electron_afterSign.js",
+    "afterSign": "scripts/electron_afterSign",
    "protocols": [{
      "name": "riot",
      "schemes": ["riot"]
--- a/riot.im/New_Vector_Ltd.pem
+++ b/riot.im/New_Vector_Ltd.pem
@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF0jCCBLqgAwIBAgIRAISYBqZi3VvCUeSfHXF+cbwwDQYJKoZIhvcNAQELBQAw
+gZExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTcwNQYD
+VQQDEy5DT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gQ29kZSBTaWduaW5n
+IENBMB4XDTE3MDgyMzAwMDAwMFoXDTIwMDgyMjIzNTk1OVowgdgxETAPBgNVBAUT
+CDEwODczNjYxMRMwEQYLKwYBBAGCNzwCAQMTAkdCMR0wGwYDVQQPExRQcml2YXRl
+IE9yZ2FuaXphdGlvbjELMAkGA1UEBhMCR0IxETAPBgNVBBEMCFdDMVIgNEFHMQ8w
+DQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEbMBkGA1UECQwSMjYgUmVk
+IExpb24gU3F1YXJlMRcwFQYDVQQKDA5OZXcgVmVjdG9yIEx0ZDEXMBUGA1UEAwwO
+TmV3IFZlY3RvciBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
+X0HP3oM/SVr6PboD03ndtYTONZDcJ/GJ3EyYi6UNrcbKjuDHwPktx9hjAhNjcVkG
+lmuTEPluPj9DbvjaTrers0cQsAS1vJ0RHjLfA93Flg1ys9Q6OThUMw77FtFPtiJU
+z5cSYzfFAhn/4dv7BcgGptn+Mv/8CaTu+RUZJUgoSlRWcT1TREmxkzWotbblqsHO
+zjDmUg20tL5/qpt6BSWsNespf5udKQFXMtqkczBcLvBLmql0vurVcQy8BibB+Q89
+QKwRzwLgaIa7O8WEssFcW8uJe9s0SNtUy8ehbuoSxpA/DbHFwsiDbNA78vp7HrqM
+qY6t6OIgLtDYBFCfe/btAgMBAAGjggHaMIIB1jAfBgNVHSMEGDAWgBTfj/MgDOnK
+pgTYW1g3Kj2rRtyDSTAdBgNVHQ4EFgQUH+mDOdRkF3bYDxCWEaGB4lxiCxcwDgYD
+VR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
+EQYJYIZIAYb4QgEBBAQDAgQQMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQYBMCsw
+KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMFUGA1Ud
+HwROMEwwSqBIoEaGRGh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUV4
+dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3JsMIGGBggrBgEFBQcBAQR6
+MHgwUAYIKwYBBQUHMAKGRGh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JT
+QUV4dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3J0MCQGCCsGAQUFBzAB
+hhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wJgYDVR0RBB8wHaAbBggrBgEFBQcI
+A6APMA0MC0dCLTEwODczNjYxMA0GCSqGSIb3DQEBCwUAA4IBAQBJ2aH4aixh0aiz
+4WKlK+LMVLHpQ2POE3FZYNpAW7o1q2YDGEADXdGrygPE9NCGNBXKo0CAemCYNWfX
+Ov/jdoiMfeqW3vrZ66oEy8OqbvJSwK1xmomWuYw3wYPWcPVG+YbWYD2CGdQu8jTz
+fzAJCpvAuY3Wji3fQjiecAC7JCSB4fBHa0ALJOmiSqKQUUpkXs5kW7O0lPBnHzNF
+2tQGltXMSIrq1QfFtcreMyKlwDOxPIh360dv5aHhaeSRDRKxq7uq5ikQF2gjKx4k
+ieg2HRbAW6fVPpFr4zRS5umpeZV3i06i11VQQPS/mA/OBEXyaqzx4mr6B7U6ptrp
+jMqiUv2w
+-----END CERTIFICATE-----
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@ -0,0 +1,74 @@
+const { execFile } = require('child_process');
+
+// Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
+function computeSignToolArgs(options, keyContainer) {
+    const args = [];
+
+    if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+        const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+        args.push(
+            options.isNest || options.hash === "sha256" ? "/tr" : "/t",
+            options.isNest || options.hash === "sha256" ? (
+                options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161"
+            ) : timestampingServiceUrl,
+        );
+    }
+
+    args.push('/kc', keyContainer);
+    // To use the hardware token (this should probably be less hardcoded)
+    args.push('/csp', 'eToken Base Cryptographic Provider');
+    // The certificate file. Somehow this appears to be the only way to specify
+    // the cert that works. If you specify the subject name or hash, it will
+    // say it can't associate the private key to the certificate.
+    // TODO: Find a way to pass this through from the electron-builder config
+    // so we don't have to hard-code this here
+    // fwiw https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing
+    // is about the most useful resource on automating code signing...
+    args.push('/f', 'riot.im\\New_Vector_Ltd.pem');
+
+    if (options.hash !== "sha1") {
+        args.push("/fd", options.hash);
+        if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+            args.push("/td", "sha256");
+        }
+    }
+
+    // msi does not support dual-signing
+    if (options.isNest) {
+      args.push("/as");
+    }
+
+    // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
+    args.push("/debug");
+    // must be last argument
+    args.push(options.path);
+
+    return args;
+}
+
+exports.default = async function(options) {
+    const keyContainer = process.env.SIGNING_KEY_CONTAINER;
+    if (keyContainer === undefined) {
+        console.warn(
+            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" +
+            "! Skipping Windows signing.          !\n" +
+            "! SIGNING_KEY_CONTAINER not defined. !\n" +
+            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!",
+        );
+        return;
+    }
+
+    return new Promise((resolve, reject) => {
+        const args = ['sign'].concat(computeSignToolArgs(options, keyContainer));
+
+        execFile('signtool', args, {}, (error, stdout) => {
+            if (error) {
+                console.error("signtool failed with code " + error);
+                reject("signtool failed with code " + error);
+                console.log(stdout);
+            } else {
+                resolve();
+            }
+        });
+    });
+};