diff --git a/package.json b/package.json
index f8d7e0a..60a9036 100644
--- a/package.json
+++ b/package.json
@@ -97,12 +97,13 @@
 "win": {
 "target": {
 "target": "squirrel"
- }
+ },
+ "sign": "scripts/electron_winSign"
 },
 "directories": {
 "output": "dist"
 },
- "afterSign": "scripts/electron_afterSign.js",
+ "afterSign": "scripts/electron_afterSign",
 "protocols": [{
 "name": "riot",
 "schemes": ["riot"]
diff --git a/riot.im/New_Vector_Ltd.pem b/riot.im/New_Vector_Ltd.pem
new file mode 100644
index 0000000..1a34127
--- /dev/null
+++ b/riot.im/New_Vector_Ltd.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF0jCCBLqgAwIBAgIRAISYBqZi3VvCUeSfHXF+cbwwDQYJKoZIhvcNAQELBQAw
+gZExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTcwNQYD
+VQQDEy5DT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gQ29kZSBTaWduaW5n
+IENBMB4XDTE3MDgyMzAwMDAwMFoXDTIwMDgyMjIzNTk1OVowgdgxETAPBgNVBAUT
+CDEwODczNjYxMRMwEQYLKwYBBAGCNzwCAQMTAkdCMR0wGwYDVQQPExRQcml2YXRl
+IE9yZ2FuaXphdGlvbjELMAkGA1UEBhMCR0IxETAPBgNVBBEMCFdDMVIgNEFHMQ8w
+DQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEbMBkGA1UECQwSMjYgUmVk
+IExpb24gU3F1YXJlMRcwFQYDVQQKDA5OZXcgVmVjdG9yIEx0ZDEXMBUGA1UEAwwO
+TmV3IFZlY3RvciBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
+X0HP3oM/SVr6PboD03ndtYTONZDcJ/GJ3EyYi6UNrcbKjuDHwPktx9hjAhNjcVkG
+lmuTEPluPj9DbvjaTrers0cQsAS1vJ0RHjLfA93Flg1ys9Q6OThUMw77FtFPtiJU
+z5cSYzfFAhn/4dv7BcgGptn+Mv/8CaTu+RUZJUgoSlRWcT1TREmxkzWotbblqsHO
+zjDmUg20tL5/qpt6BSWsNespf5udKQFXMtqkczBcLvBLmql0vurVcQy8BibB+Q89
+QKwRzwLgaIa7O8WEssFcW8uJe9s0SNtUy8ehbuoSxpA/DbHFwsiDbNA78vp7HrqM
+qY6t6OIgLtDYBFCfe/btAgMBAAGjggHaMIIB1jAfBgNVHSMEGDAWgBTfj/MgDOnK
+pgTYW1g3Kj2rRtyDSTAdBgNVHQ4EFgQUH+mDOdRkF3bYDxCWEaGB4lxiCxcwDgYD
+VR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
+EQYJYIZIAYb4QgEBBAQDAgQQMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQYBMCsw
+KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMFUGA1Ud
+HwROMEwwSqBIoEaGRGh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUV4
+dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3JsMIGGBggrBgEFBQcBAQR6
+MHgwUAYIKwYBBQUHMAKGRGh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JT
+QUV4dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3J0MCQGCCsGAQUFBzAB
+hhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wJgYDVR0RBB8wHaAbBggrBgEFBQcI
+A6APMA0MC0dCLTEwODczNjYxMA0GCSqGSIb3DQEBCwUAA4IBAQBJ2aH4aixh0aiz
+4WKlK+LMVLHpQ2POE3FZYNpAW7o1q2YDGEADXdGrygPE9NCGNBXKo0CAemCYNWfX
+Ov/jdoiMfeqW3vrZ66oEy8OqbvJSwK1xmomWuYw3wYPWcPVG+YbWYD2CGdQu8jTz
+fzAJCpvAuY3Wji3fQjiecAC7JCSB4fBHa0ALJOmiSqKQUUpkXs5kW7O0lPBnHzNF
+2tQGltXMSIrq1QfFtcreMyKlwDOxPIh360dv5aHhaeSRDRKxq7uq5ikQF2gjKx4k
+ieg2HRbAW6fVPpFr4zRS5umpeZV3i06i11VQQPS/mA/OBEXyaqzx4mr6B7U6ptrp
+jMqiUv2w
+-----END CERTIFICATE-----
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
new file mode 100644
index 0000000..8d46d0d
--- /dev/null
+++ b/scripts/electron_winSign.js
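Review bot: The certificate committed here carries a Validity of 2017-08-23 to 2020-08-22 (the two UTCTime values in the DER of this hunk), and it is the leaf certificate that scripts/electron_winSign.js selects via a hard-coded `/f` path, so a renewal means replacing this file and keeping the filename, or changing the script in the same commit. A short README next to the file, or a comment in the signing script, recording the expiry date and the subject (New Vector Ltd, issued under the COMODO RSA Extended Validation Code Signing CA) would make that rotation visible to whoever runs the release. Only the public certificate is committed, which is correct; the private key stays on the token the script's `/csp` option selects.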
@@ -0,0 +1,74 @@
+const { execFile } = require('child_process');
+
+// Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
+function computeSignToolArgs(options, keyContainer) {
+ const args = [];
+
+ if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+ const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+ args.push(
+ options.isNest || options.hash === "sha256" ? "/tr" : "/t",
+ options.isNest || options.hash === "sha256" ? (
+ options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161"
+ ) : timestampingServiceUrl,
+ );
+ }
+
+ args.push('/kc', keyContainer);
+ // To use the hardware token (this should probably be less hardcoded)
+ args.push('/csp', 'eToken Base Cryptographic Provider');
+ // The certificate file. Somehow this appears to be the only way to specify
+ // the cert that works. If you specify the subject name or hash, it will
+ // say it can't associate the private key to the certificate.
+ // TODO: Find a way to pass this through from the electron-builder config
+ // so we don't have to hard-code this here
+ // fwiw https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing
+ // is about the most useful resource on automating code signing...
+ args.push('/f', 'riot.im\\New_Vector_Ltd.pem'); + + if (options.hash !== "sha1") { + args.push("/fd", options.hash); + if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") { + args.push("/td", "sha256"); + } + } + + // msi does not support dual-signing + if (options.isNest) { + args.push("/as"); + } + + // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610 + args.push("/debug"); + // must be last argument + args.push(options.path); + + return args; +} + +exports.default = async function(options) { + const keyContainer = process.env.SIGNING_KEY_CONTAINER; + if (keyContainer === undefined) { + console.warn( + "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + + "! Skipping Windows signing. !\n" + + "! SIGNING_KEY_CONTAINER not defined. !\n" + + "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", + ); + return; + } + + return new Promise((resolve, reject) => { + const args = ['sign'].concat(computeSignToolArgs(options, keyContainer)); + + execFile('signtool', args, {}, (error, stdout) => { + if (error) { + console.error("signtool failed with code " + error); + reject("signtool failed with code " + error); + console.log(stdout); + } else { + resolve(); + } + }); + }); +};
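Review bot: In `exports.default`, an unset `SIGNING_KEY_CONTAINER` only prints a warning and returns, so a release job whose environment silently lost the variable produces an unsigned Windows artifact with a green build; gating the skip on an explicit opt-in (e.g. a separate "allow unsigned" variable, name illustrative) and otherwise throwing would keep the pipeline fail-closed. In the `execFile` callback the rejection value is a string built from `error`, which stringifies the Error's message rather than the exit code the text promises, and callers never receive an `Error` object; `reject(new Error(\`signtool failed with code ${error.code}\`))` reports the real code and keeps a stack. The callback also drops the third `stderr` argument, so signtool's diagnostics can be lost on failure; `(error, stdout, stderr)` and logging both alongside the rejection would help when the token or the hard-coded `/f` path is wrong. Whether `options.hash` is always set by electron-builder before `/fd` is pushed is not visible from this file and is worth confirming.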