From 4dbbf2bb151cb6aade18081bcbde642472775e93 Mon Sep 17 00:00:00 2001 From: David Baker Date: Wed, 4 Mar 2020 16:55:12 +0000 Subject: [PATCH 01/18] Add a windows signing script As electron builder doesn't support supplying a key container name which is the only way we can supply the token passphrase --- package.json | 5 +-- scripts/electron_winSign.js | 63 +++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 scripts/electron_winSign.js
diff --git a/package.json b/package.json
index 16aa687..7d2d0a9 100644
--- a/package.json
+++ b/package.json
@@ -97,11 +97,12 @@
 "win": {
 "target": {
 "target": "squirrel"
- }
+ },
+ "sign": "scripts/electron_winSign"
 },
 "directories": {
 "output": "dist"
 },
- "afterSign": "scripts/electron_afterSign.js"
+ "afterSign": "scripts/electron_afterSign"
 }
 }
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
new file mode 100644
index 0000000..609872b
--- /dev/null
+++ b/scripts/electron_winSign.js
@@ -0,0 +1,63 @@
+const { execFile } = require('child_process');
+const path = require('path');
+
+// Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
+function getSigntoolArgs(options, keyContainer, inputFile) {
+ if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+ const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+ args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
+ }
+
+ // We simplify and just specify the certificate subject name for our purposes
+ options.push('/n', options.certificateSubjectName);
+ options.push('/kc', keyContainer);
+
+ if (options.hash !== "sha1") {
+ args.push("/fd", options.hash)
+ if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+ args.push("/td", "sha256")
+ }
+ }
+
+ // msi does not support dual-signing
+ if (options.isNest) {
+ args.push("/as")
+ }
+
+ // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
+ args.push("/debug")
+ // must be last argument
+ args.push(inputFile)
+}
+
+exports.default = async function(cfg) {
+ const keyContainer = process.env.SIGNING_KEY_CONTAINER;
+ if (keyContainer === undefined) {
+ console.warn(
+ "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" +
+ "! Skipping Windows signing. !\n" +
+ "! SIGNING_KEY_CONTAINER not defined. !\n" +
+ "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!",
+ );
+ return;
+ }
+
+ const inPath = cfg.path;
+ const appOutDir = path.dirname(inPath);
+
+ return new Promise((resolve, reject) => {
+ const args = ['sign'];
+ args.push(....computeSignToolArgs(cfg.options, keyContainer, cfg.path));
+
+ console.log("Running signtool with args", args);
+ execFile('signtool', args, {}, (error, stdout) => {
+ if (error) {
+ console.error("osslsigncode failed with code " + error);
+ reject("osslsigncode failed with code " + code);
+ console.log(stdout);
+ } else {
+ resolve();
+ }
+ });
+ });
+};
From da606bcd6dc03bc7261b15442162df4d191cc86c Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:22:06 +0000 Subject: [PATCH 02/18] Too many dots --- scripts/electron_winSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 609872b..3ceb836 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -47,7 +47,7 @@ exports.default = async function(cfg) {
 return new Promise((resolve, reject) => {
 const args = ['sign'];
- args.push(....computeSignToolArgs(cfg.options, keyContainer, cfg.path));
+ args.push(...computeSignToolArgs(cfg.options, keyContainer, cfg.path));
 console.log("Running signtool with args", args);
 execFile('signtool', args, {}, (error, stdout) => {
From 8cbef5b5e51aba23eff862ce4d4989ce5a47392f Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:29:11 +0000 Subject: [PATCH 03/18] name the function the same thing --- scripts/electron_winSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 3ceb836..c35b0e3 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
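Review bot: The `keyContainer === undefined` branch in `exports.default` warns and then returns normally, so a build whose signing environment is missing or misnamed completes successfully and ships an unsigned Windows artifact; nothing later in the series changes this, and because the `"sign"` entry in package.json replaces electron-builder's built-in signing, this hook is the only signing step. A release pipeline should fail closed here unless skipping is requested explicitly: `if (keyContainer === undefined) { throw new Error("SIGNING_KEY_CONTAINER not set; refusing to build an unsigned Windows package"); }`, with the current warn-and-return kept only behind an explicit opt-in flag for local builds (flag name to be chosen by the project). The skip should also be visible in CI output rather than buried in a banner, since an unsigned installer is indistinguishable from a signed one until a user runs it.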
@@ -2,7 +2,7 @@ const { execFile } = require('child_process');
 const path = require('path');
 // Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
-function getSigntoolArgs(options, keyContainer, inputFile) {
+function computeSignToolArgs(options, keyContainer, inputFile) {
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
 const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
 args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
From cee741038887d091002fd726b9eefddf0c0ee17b Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:32:02 +0000 Subject: [PATCH 04/18] also just one level of options --- scripts/electron_winSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index c35b0e3..17751b3 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -4,7 +4,7 @@ const path = require('path');
 // Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
 function computeSignToolArgs(options, keyContainer, inputFile) {
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
- const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+ const timestampingServiceUrl = options.timeStampServer || "http://timestamp.digicert.com";
 args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
 }
From 6e8f8dcdce29e1ca0907fd9fc57896ef3b11b8dc Mon Sep 17 00:00:00 2001
From: David Baker Date: Fri, 6 Mar 2020 14:35:09 +0000 Subject: [PATCH 05/18] Define the args variable also it's not osslsigncode anymore --- scripts/electron_winSign.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 17751b3..7b86e08 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -3,6 +3,8 @@ const path = require('path');
 // Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
 function computeSignToolArgs(options, keyContainer, inputFile) {
+ const args = [];
+
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
 const timestampingServiceUrl = options.timeStampServer || "http://timestamp.digicert.com";
 args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
@@ -52,8 +54,8 @@ exports.default = async function(cfg) {
 console.log("Running signtool with args", args);
 execFile('signtool', args, {}, (error, stdout) => {
 if (error) {
- console.error("osslsigncode failed with code " + error);
- reject("osslsigncode failed with code " + code);
+ console.error("signtool failed with code " + error);
+ reject("signtool failed with code " + code);
 console.log(stdout);
 } else {
 resolve();
From f961513212d272f7f81e97f29ec350f942afa10c Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:38:13 +0000 Subject: [PATCH 06/18] args, not options --- scripts/electron_winSign.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 7b86e08..5ac9c9d 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
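Review bot: The execFile callback in the second hunk rejects with a plain string (`reject("signtool failed with code " + code)`), binds only `(error, stdout)` so signtool's stderr is discarded, and prints `stdout` only after the rejection has already fired; a failed signing therefore surfaces as a non-Error rejection with none of the tool's diagnostics, which is the output you most need when a token or CSP problem is being debugged. The same callback keeps this shape through the series, including the final `@@ -54,12 +58,9 @@` hunk. Suggest `execFile('signtool', args, {}, (error, stdout, stderr) => {` and `reject(new Error("signtool failed: " + error.message + "\n" + stdout + "\n" + stderr));`, logging the output before rejecting. The enclosing promise callback continues outside this hunk.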
@@ -11,8 +11,8 @@ function computeSignToolArgs(options, keyContainer, inputFile) {
 }
 // We simplify and just specify the certificate subject name for our purposes
- options.push('/n', options.certificateSubjectName);
- options.push('/kc', keyContainer);
+ args.push('/n', options.certificateSubjectName);
+ args.push('/kc', keyContainer);
 if (options.hash !== "sha1") {
 args.push("/fd", options.hash)
From 5c85de49349466e1c6a21d8141e34d993408887a Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:47:09 +0000 Subject: [PATCH 07/18] Fix synatx hopefully --- scripts/electron_winSign.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 5ac9c9d..f02b6a0 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -48,8 +48,7 @@ exports.default = async function(cfg) {
 const appOutDir = path.dirname(inPath);
 return new Promise((resolve, reject) => {
- const args = ['sign'];
- args.push(...computeSignToolArgs(cfg.options, keyContainer, cfg.path));
+ const args = ['sign'].concat(computeSignToolArgs(cfg.options, keyContainer, cfg.path));
 console.log("Running signtool with args", args);
 execFile('signtool', args, {}, (error, stdout) => {
From 763b176b2ee2a070c1000837ceffefa3371aa08a Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:49:55 +0000 Subject: [PATCH 08/18] variable name --- scripts/electron_winSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index f02b6a0..72ae312 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -54,7 +54,7 @@ exports.default = async function(cfg) {
 execFile('signtool', args, {}, (error, stdout) => {
 if (error) {
 console.error("signtool failed with code " + error);
- reject("signtool failed with code " + code);
+ reject("signtool failed with code " + error);
 console.log(stdout);
 } else {
 resolve();
From 7f25e2387887fdf9734ea9195d4e0dab12099e15 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:50:53 +0000 Subject: [PATCH 09/18] Also try actually returning the value --- scripts/electron_winSign.js | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 72ae312..e18a2c3 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -30,6 +30,8 @@ function computeSignToolArgs(options, keyContainer, inputFile) {
 args.push("/debug")
 // must be last argument
 args.push(inputFile)
+
+ return args;
 }
 exports.default = async function(cfg) {
From 1585e370d39426038cd4e87feba9ac8834644d9b Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 14:55:14 +0000 Subject: [PATCH 10/18] It's options.options in the original so keep it that way --- scripts/electron_winSign.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index e18a2c3..51bfd3b 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -2,16 +2,16 @@ const { execFile } = require('child_process');
 const path = require('path');
 // Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
-function computeSignToolArgs(options, keyContainer, inputFile) {
+function computeSignToolArgs(options, keyContainer) {
 const args = [];
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
- const timestampingServiceUrl = options.timeStampServer || "http://timestamp.digicert.com";
+ const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
 args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
 }
 // We simplify and just specify the certificate subject name for our purposes
- args.push('/n', options.certificateSubjectName);
+ args.push('/n', options.options.certificateSubjectName);
 args.push('/kc', keyContainer);
 if (options.hash !== "sha1") {
@@ -29,12 +29,12 @@ function computeSignToolArgs(options, keyContainer, inputFile) {
 // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
 args.push("/debug")
 // must be last argument
- args.push(inputFile)
+ args.push(options.path)
 return args;
 }
-exports.default = async function(cfg) {
+exports.default = async function(options) {
 const keyContainer = process.env.SIGNING_KEY_CONTAINER;
 if (keyContainer === undefined) {
 console.warn(
@@ -46,11 +46,11 @@ exports.default = async function(cfg) {
 return;
 }
- const inPath = cfg.path;
+ const inPath = options.path;
 const appOutDir = path.dirname(inPath);
 return new Promise((resolve, reject) => {
- const args = ['sign'].concat(computeSignToolArgs(cfg.options, keyContainer, cfg.path));
+ const args = ['sign'].concat(computeSignToolArgs(options, keyContainer));
 console.log("Running signtool with args", args);
 execFile('signtool', args, {}, (error, stdout) => {
From bffee2d4c3e6ec085915f7d3a9749770ade2edeb Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 15:01:50 +0000 Subject: [PATCH 11/18] Add csp option which is apparently required --- scripts/electron_winSign.js | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 51bfd3b..75838e5 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -13,6 +13,8 @@ function computeSignToolArgs(options, keyContainer) {
 // We simplify and just specify the certificate subject name for our purposes
 args.push('/n', options.options.certificateSubjectName);
 args.push('/kc', keyContainer);
+ // To use the hardware token (this should probably be less hardcoded)
+ args.push('/csp', 'eToken Base Cryptographic Provider');
 if (options.hash !== "sha1") {
 args.push("/fd", options.hash)
From d403b866908772c4ca1b4d0433c0ef1f32f09535 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 15:34:36 +0000 Subject: [PATCH 12/18] Removing logging --- scripts/electron_winSign.js | 1 - 1 file changed, 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 75838e5..718782d 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
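Review bot: The CSP name `'eToken Base Cryptographic Provider'` is hard-coded next to `/kc`, whose value is already taken from the environment, so the two halves of the key selection are configured in different places and a different token model or a build host with a renamed provider fails only at signtool time with no hint in the script. Sourcing it alongside `SIGNING_KEY_CONTAINER`, with the current string as the default, keeps existing builds working and answers the comment's own "less hardcoded" wish: `args.push('/csp', process.env.SIGNING_CSP || 'eToken Base Cryptographic Provider');` (`SIGNING_CSP` is a constructed example name; pick whatever the project's naming uses).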
@@ -54,7 +54,6 @@ exports.default = async function(options) {
 return new Promise((resolve, reject) => {
 const args = ['sign'].concat(computeSignToolArgs(options, keyContainer));
- console.log("Running signtool with args", args);
 execFile('signtool', args, {}, (error, stdout) => {
 if (error) {
 console.error("signtool failed with code " + error);
From 781eff95ac9a44ebd07a27744c09360ad8c6e6b1 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 15:51:39 +0000 Subject: [PATCH 13/18] hardcode cert sha1 to test --- scripts/electron_winSign.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 718782d..9cdb464 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -11,10 +11,11 @@ function computeSignToolArgs(options, keyContainer) {
 }
 // We simplify and just specify the certificate subject name for our purposes
- args.push('/n', options.options.certificateSubjectName);
+ //args.push('/n', options.options.certificateSubjectName);
 args.push('/kc', keyContainer);
 // To use the hardware token (this should probably be less hardcoded)
 args.push('/csp', 'eToken Base Cryptographic Provider');
+ args.push('/sha1', '83:0B:DA:5F:80:07:B1:74:6D:E9:32:DD:EC:8A:28:5B:69:41:3D:6C');
 if (options.hash !== "sha1") {
 args.push("/fd", options.hash)
From 83746b570942590687adf8d0c5495f5e75bd9c5a Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 15:52:54 +0000 Subject: [PATCH 14/18] let's try this format --- scripts/electron_winSign.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 9cdb464..fa2af06 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -15,7 +15,7 @@ function computeSignToolArgs(options, keyContainer) {
 args.push('/kc', keyContainer);
 // To use the hardware token (this should probably be less hardcoded)
 args.push('/csp', 'eToken Base Cryptographic Provider');
- args.push('/sha1', '83:0B:DA:5F:80:07:B1:74:6D:E9:32:DD:EC:8A:28:5B:69:41:3D:6C');
+ args.push('/sha1', '830BDA5F8007B1746DE932DDEC8A285B69413D6C');
 if (options.hash !== "sha1") {
 args.push("/fd", options.hash)
From aad1e8388e522eb8b3bb3170fe782682a186c3e7 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 15:57:25 +0000 Subject: [PATCH 15/18] Nope, that didn't work. Try the cert file, --- riot.im/New_Vector_Ltd.pem | 34 ++++++++++++++++++++++++++++++++++ scripts/electron_winSign.js | 2 +- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 riot.im/New_Vector_Ltd.pem
diff --git a/riot.im/New_Vector_Ltd.pem b/riot.im/New_Vector_Ltd.pem
new file mode 100644
index 0000000..1a34127
--- /dev/null
+++ b/riot.im/New_Vector_Ltd.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF0jCCBLqgAwIBAgIRAISYBqZi3VvCUeSfHXF+cbwwDQYJKoZIhvcNAQELBQAw
+gZExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTcwNQYD
+VQQDEy5DT01PRE8gUlNBIEV4dGVuZGVkIFZhbGlkYXRpb24gQ29kZSBTaWduaW5n
+IENBMB4XDTE3MDgyMzAwMDAwMFoXDTIwMDgyMjIzNTk1OVowgdgxETAPBgNVBAUT
+CDEwODczNjYxMRMwEQYLKwYBBAGCNzwCAQMTAkdCMR0wGwYDVQQPExRQcml2YXRl
+IE9yZ2FuaXphdGlvbjELMAkGA1UEBhMCR0IxETAPBgNVBBEMCFdDMVIgNEFHMQ8w
+DQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEbMBkGA1UECQwSMjYgUmVk
+IExpb24gU3F1YXJlMRcwFQYDVQQKDA5OZXcgVmVjdG9yIEx0ZDEXMBUGA1UEAwwO
+TmV3IFZlY3RvciBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
+X0HP3oM/SVr6PboD03ndtYTONZDcJ/GJ3EyYi6UNrcbKjuDHwPktx9hjAhNjcVkG
+lmuTEPluPj9DbvjaTrers0cQsAS1vJ0RHjLfA93Flg1ys9Q6OThUMw77FtFPtiJU
+z5cSYzfFAhn/4dv7BcgGptn+Mv/8CaTu+RUZJUgoSlRWcT1TREmxkzWotbblqsHO
+zjDmUg20tL5/qpt6BSWsNespf5udKQFXMtqkczBcLvBLmql0vurVcQy8BibB+Q89
+QKwRzwLgaIa7O8WEssFcW8uJe9s0SNtUy8ehbuoSxpA/DbHFwsiDbNA78vp7HrqM
+qY6t6OIgLtDYBFCfe/btAgMBAAGjggHaMIIB1jAfBgNVHSMEGDAWgBTfj/MgDOnK
+pgTYW1g3Kj2rRtyDSTAdBgNVHQ4EFgQUH+mDOdRkF3bYDxCWEaGB4lxiCxcwDgYD
+VR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
+EQYJYIZIAYb4QgEBBAQDAgQQMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQYBMCsw
+KQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMFUGA1Ud
+HwROMEwwSqBIoEaGRGh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUV4
+dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3JsMIGGBggrBgEFBQcBAQR6
+MHgwUAYIKwYBBQUHMAKGRGh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JT
+QUV4dGVuZGVkVmFsaWRhdGlvbkNvZGVTaWduaW5nQ0EuY3J0MCQGCCsGAQUFBzAB
+hhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wJgYDVR0RBB8wHaAbBggrBgEFBQcI
+A6APMA0MC0dCLTEwODczNjYxMA0GCSqGSIb3DQEBCwUAA4IBAQBJ2aH4aixh0aiz
+4WKlK+LMVLHpQ2POE3FZYNpAW7o1q2YDGEADXdGrygPE9NCGNBXKo0CAemCYNWfX
+Ov/jdoiMfeqW3vrZ66oEy8OqbvJSwK1xmomWuYw3wYPWcPVG+YbWYD2CGdQu8jTz
+fzAJCpvAuY3Wji3fQjiecAC7JCSB4fBHa0ALJOmiSqKQUUpkXs5kW7O0lPBnHzNF
+2tQGltXMSIrq1QfFtcreMyKlwDOxPIh360dv5aHhaeSRDRKxq7uq5ikQF2gjKx4k
+ieg2HRbAW6fVPpFr4zRS5umpeZV3i06i11VQQPS/mA/OBEXyaqzx4mr6B7U6ptrp
+jMqiUv2w
+-----END CERTIFICATE-----
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index fa2af06..039bdb0 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -15,7 +15,7 @@ function computeSignToolArgs(options, keyContainer) {
 args.push('/kc', keyContainer);
 // To use the hardware token (this should probably be less hardcoded)
 args.push('/csp', 'eToken Base Cryptographic Provider');
- args.push('/sha1', '830BDA5F8007B1746DE932DDEC8A285B69413D6C');
+ args.push('/f', 'riot.im\\New_Vector_Ltd.pem');
 if (options.hash !== "sha1") {
 args.push("/fd", options.hash)
From e2a6cc3196da6f0485882d8a8fc53b0e1c31d1d2 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 16:14:51 +0000 Subject: [PATCH 16/18] Remove certificateSubjectName which didn't work and comment cert file hard-coded hack --- scripts/electron_winSign.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 039bdb0..43f0380 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
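Review bot: `'riot.im\\New_Vector_Ltd.pem'` is resolved by signtool relative to whatever working directory electron-builder invokes the hook from, so the `/f` argument only works when the build is launched from the repository root, and it bakes a Windows separator into a Node string for no gain. The script knows its own location, so anchoring the path to it removes the cwd dependency: `args.push('/f', path.join(__dirname, '..', 'riot.im', 'New_Vector_Ltd.pem'));` (`path` is still required by the file at this commit; the final lint commit drops that require, so it would need to stay). The PEM added alongside is the public certificate only and the private key remains on the token selected via `/kc` and `/csp`, so committing it is fine, but the file now pins the signing identity and must be replaced whenever the certificate is renewed, which is worth stating in the comment above the `/f` line.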
@@ -10,11 +10,14 @@ function computeSignToolArgs(options, keyContainer) {
 args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
 }
- // We simplify and just specify the certificate subject name for our purposes
- //args.push('/n', options.options.certificateSubjectName);
 args.push('/kc', keyContainer);
 // To use the hardware token (this should probably be less hardcoded)
 args.push('/csp', 'eToken Base Cryptographic Provider');
+ // The certificate file. Somehow this appears to be the only way to specify
+ // the cert that works. If you specify the subject name or hash, it will
+ // say it can't associate the private key to the certificate.
+ // TODO: Find a way to pass this through from the electron-builder config
+ // so we don't have to hard-code this here
 args.push('/f', 'riot.im\\New_Vector_Ltd.pem');
 if (options.hash !== "sha1") {
From ecbfbe73a0517cf949e774ca52169cf3f44e9f49 Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 16:18:55 +0000 Subject: [PATCH 17/18] Add really useful stackoverflow link --- scripts/electron_winSign.js | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 43f0380..9fd1616 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -18,6 +18,8 @@ function computeSignToolArgs(options, keyContainer) {
 // say it can't associate the private key to the certificate.
 // TODO: Find a way to pass this through from the electron-builder config
 // so we don't have to hard-code this here
+ // fwiw https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing
+ // is about the most useful resource on automating code signing...
 args.push('/f', 'riot.im\\New_Vector_Ltd.pem');
 if (options.hash !== "sha1") {
From 0304096e46ee5c33e83f522713cd6ed22c6eccbf Mon Sep 17 00:00:00 2001 From: David Baker Date: Fri, 6 Mar 2020 16:42:24 +0000 Subject: [PATCH 18/18] lint --- scripts/electron_winSign.js | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/scripts/electron_winSign.js b/scripts/electron_winSign.js
index 9fd1616..8d46d0d 100644
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@@ -1,15 +1,19 @@
 const { execFile } = require('child_process');
-const path = require('path');
 // Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
 function computeSignToolArgs(options, keyContainer) {
 const args = [];
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
- const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
- args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
+ const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+ args.push(
+ options.isNest || options.hash === "sha256" ? "/tr" : "/t",
+ options.isNest || options.hash === "sha256" ? (
+ options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161"
+ ) : timestampingServiceUrl,
+ );
 }
-
+
 args.push('/kc', keyContainer);
 // To use the hardware token (this should probably be less hardcoded)
 args.push('/csp', 'eToken Base Cryptographic Provider');
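Review bot: The reformatted `args.push(` call still evaluates `options.isNest || options.hash === "sha256"` twice, once to choose `/tr` versus `/t` and once to choose the URL, so the lint pass preserves a duplicated condition that is easy to edit on one side only and then produce a flag/URL pair signtool rejects. Hoisting it into a named boolean reads better and documents the intent: `const useRfc3161 = options.isNest || options.hash === "sha256";` followed by `args.push(useRfc3161 ? "/tr" : "/t", useRfc3161 ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);`. The body of computeSignToolArgs continues into the next hunk.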
@@ -23,21 +27,21 @@ function computeSignToolArgs(options, keyContainer) {
 args.push('/f', 'riot.im\\New_Vector_Ltd.pem');
 if (options.hash !== "sha1") {
- args.push("/fd", options.hash)
+ args.push("/fd", options.hash);
 if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
- args.push("/td", "sha256")
+ args.push("/td", "sha256");
 }
 }
-
+
 // msi does not support dual-signing
 if (options.isNest) {
- args.push("/as")
+ args.push("/as");
 }
-
+
 // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
- args.push("/debug")
+ args.push("/debug");
 // must be last argument
- args.push(options.path)
+ args.push(options.path);
 return args;
 }
@@ -54,12 +58,9 @@ exports.default = async function(options) {
 return;
 }
- const inPath = options.path;
- const appOutDir = path.dirname(inPath);
-
 return new Promise((resolve, reject) => {
 const args = ['sign'].concat(computeSignToolArgs(options, keyContainer));
-
+
 execFile('signtool', args, {}, (error, stdout) => {
 if (error) {
 console.error("signtool failed with code " + error);