
CSC_KEY_PASSWORD doesn't work with DigiCert EV hardware token on Windows

Open nsinghbs opened this issue 2 years ago • 14 comments

  • Electron-Builder Version: 22.10.5
  • Node Version: 12
  • Electron Version: 1.7.9
  • Electron Type (current, beta, nightly): current

2.23.3

  • Target: windows 10

electron-builder is not accepting the password set in CSC_KEY_PASSWORD. I am using a DigiCert EV hardware token with Windows, but the SafeNet Auth Client window keeps popping up asking for the password. It happens at least 10 times, so I have to manually enter the password 10 times. Is anyone else facing this problem?

nsinghbs avatar Aug 10 '21 20:08 nsinghbs

I have the same issue. I use a USB dongle for EV code signing. It keeps asking for PIN code, at least 6 times during electron-build process. I tried CSC_KEY_PASSWORD and WIN_CSC_KEY_PASSWORD as said in the doc

adriencarbonaro avatar Aug 18 '21 15:08 adriencarbonaro

I am having the same issue even with including the win.certificateSubjectName as outlined in the documentation here. That section also states:

it is not possible to export the EV Certificate as it is bound to a physical USB dongle. Thus, you can’t export the certificate for signing code on a CI, such as AppVeyor.

However, you can export the certificate, just not its private key. And, following the steps in the accepted answer on this SO post, you can sign applications in a CI environment as long as you own the server and have the USB token plugged in--no need to manually unlock the EV cert token with every execution of signtool.exe, even after reboot.

It would be fantastic if electron-builder would support the use of .pem certs and enable this useful, albeit undocumented, feature of Windows signtool.

parkerholladay avatar Sep 02 '21 22:09 parkerholladay

I have the same issue. I use a USB dongle for EV code signing. It keeps asking for PIN code, at least 6 times during electron-build process. I tried CSC_KEY_PASSWORD and WIN_CSC_KEY_PASSWORD as said in the doc

@adriencarbonaro what variables in settings do you use for the EV certificate to be used during your build, and what do you point them to?

Example, certificateSubjectName to "<subjectname>"

PatricNox avatar Sep 17 '21 13:09 PatricNox

I use certificateSha1 rather than certificateSubjectName. electron-builder finds it but always asks for dongle password.

adriencarbonaro avatar Sep 22 '21 11:09 adriencarbonaro

I use certificateSha1 rather than certificateSubjectName. electron-builder finds it but always asks for dongle password.

If you sign using jSign, you can pass the token pin code in the command like so:

java
    -jar jsign-3.1.jar
    --keystore eToken.cfg
    --storepass "${tokenPassword()}"
    --storetype PKCS11
    --tsaurl http://timestamp.digicert.com
    --alias "tokenName"

PatricNox avatar Sep 23 '21 13:09 PatricNox

Is it possible to use certificateSha1 with WIN_CSC_KEY_PASSWORD in electron-builder?

adriencarbonaro avatar Sep 23 '21 14:09 adriencarbonaro

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Apr 17 '22 14:04 stale[bot]

Bumping this to prevent it from being closed. Not being able to use an EV Code Signing cert without being "physically" signed into our build machine makes for a very cumbersome CI and deploy process for our electron apps.

If electron-builder supported the exported EV .pem certs and additional env vars that could enable use of these types of certs as described in this SO post, it would be a game changer.

parkerholladay avatar Apr 21 '22 16:04 parkerholladay

Also running into this issue, I'm currently automating our code signing procedure and this is a huge blocker not being able to sign it without having to physically enter the password in.

LieutenantKernel avatar May 16 '22 20:05 LieutenantKernel

Wanted to bump this as this is an important step in our build process and there seems to be no solution.

LieutenantKernel avatar Aug 09 '22 23:08 LieutenantKernel

Also running into this issue, I'm currently automating our code signing procedure and this is a huge blocker not being able to sign it without having to physically enter the password in.

I haven't yet made an automated deploy around this, but what we've achieved to do is that the password gets entered by a defined config.

The project solution is an electron with vuejs, this is how I managed to get our code signing functioning after days of googling around:

https://github.com/ebourg/jsign/issues/79#issuecomment-638382470

using this gist https://gist.github.com/Littlebigdondon/08bab1f3936d185cdd068608689cc444

PatricNox avatar Aug 12 '22 07:08 PatricNox

I'm also having the same issue. I need to type the password 5-6 times when signing my app

TiagoSilvaPereira avatar Mar 08 '24 19:03 TiagoSilvaPereira