Add a windows signing script

As electron builder doesn't support supplying a key container name which is the only way we can supply the token passphrase
2025-01-31 05:29:58 +01:00 · 2020-03-04 16:55:12 +00:00 · 2020-03-04 16:55:12 +00:00 · 4dbbf2bb15
commit 4dbbf2bb15
parent 88e51bd458
2 changed files with 66 additions and 2 deletions
--- a/package.json
+++ b/package.json
@ -97,11 +97,12 @@
    "win": {
      "target": {
        "target": "squirrel"
-      }
+      },
+      "sign": "scripts/electron_winSign"
    },
    "directories": {
      "output": "dist"
    },
-    "afterSign": "scripts/electron_afterSign.js"
+    "afterSign": "scripts/electron_afterSign"
  }
 }
--- a/scripts/electron_winSign.js
+++ b/scripts/electron_winSign.js
@ -0,0 +1,63 @@
+const { execFile } = require('child_process');
+const path = require('path');
+
+// Loosely based on computeSignToolArgs from app-builder-lib/src/codeSign/windowsCodeSign.ts
+function getSigntoolArgs(options, keyContainer, inputFile) {
+    if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+      const timestampingServiceUrl = options.options.timeStampServer || "http://timestamp.digicert.com";
+      args.push(options.isNest || options.hash === "sha256" ? "/tr" : "/t", options.isNest || options.hash === "sha256" ? (options.options.rfc3161TimeStampServer || "http://timestamp.comodoca.com/rfc3161") : timestampingServiceUrl);
+    }
+ 
+    // We simplify and just specify the certificate subject name for our purposes
+    options.push('/n', options.certificateSubjectName);
+    options.push('/kc', keyContainer);
+
+    if (options.hash !== "sha1") {
+        args.push("/fd", options.hash)
+        if (process.env.ELECTRON_BUILDER_OFFLINE !== "true") {
+            args.push("/td", "sha256")
+        }
+    }
+ 
+    // msi does not support dual-signing
+    if (options.isNest) {
+      args.push("/as")
+    }
+ 
+    // https://github.com/electron-userland/electron-builder/issues/2875#issuecomment-387233610
+    args.push("/debug")
+    // must be last argument
+    args.push(inputFile)
+}
+
+exports.default = async function(cfg) {
+    const keyContainer = process.env.SIGNING_KEY_CONTAINER;
+    if (keyContainer === undefined) {
+        console.warn(
+            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" +
+            "! Skipping Windows signing.          !\n" +
+            "! SIGNING_KEY_CONTAINER not defined. !\n" +
+            "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!",
+        );
+        return;
+    }
+
+    const inPath = cfg.path;
+    const appOutDir = path.dirname(inPath);
+
+    return new Promise((resolve, reject) => {
+        const args = ['sign'];
+        args.push(....computeSignToolArgs(cfg.options, keyContainer, cfg.path));
+        
+        console.log("Running signtool with args", args);
+        execFile('signtool', args, {}, (error, stdout) => {
+            if (error) {
+                console.error("osslsigncode failed with code " + error);
+                reject("osslsigncode failed with code " + code);
+                console.log(stdout);
+            } else {
+                resolve();
+            }
+        });
+    });
+};