Signing a Windows application on macOS using a private key located in a YubiKey (FIPS 140)
- Electron-Builder Version: 23.3.3
- Node Version: 16.8
- Electron Version: 21.3.1
- Electron Type (current, beta, nightly): current
- Target: Windows
Hello everyone, last year I built and signed a Windows application from macOS, with the usual config, where I specified:

```js
win: {
  "target": [{ "target": "nsis", "arch": ["x64", "ia32"] }],
  icon: "build/1024-logo-windows.png",
  signingHashAlgorithms: ['sha256'],
  certificateFile: "certificate/output.pfx",
  certificatePassword: process.env.WIN_CER_PASS
}
```
Now, due to the new rules of June 2023, I bought a YubiKey FIPS 140 USB hardware token. I passed verification and received files like the root certificate, server certificate, etc. from Comodo.
But I can't export the private key from the YubiKey and just replace two lines in my config (`certificateFile:` and `certificatePassword:`).
Somehow, electron-builder should see that I have a connected flash drive, and that it should look for the private key on it. How do I do it? Which lines of the config should I change, and what is the general logic of action? Please help, anyone who has encountered this.
I'm not familiar with the new ruleset, but there is a thread on implementing the new signing process. Have you taken a look at it? https://github.com/electron-userland/electron-builder/issues/7605
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
@mmaietta That thread is for signing Windows executables on Windows, so far as I can tell, not on Mac. That, and they were able to sign using a CI, which I'm not sure how we can do given that we can't export or share the YubiKey's private key.
@pefka Did you solve this by any chance? I'm facing the same issue. I'm building locally on Mac, as the CI process is dead so far as I can tell, and I want to sign my Windows binaries.
@perry-mitchell, yes. I started using a Windows computer for this. It's very messy, but it works.
1. I use the old scheme to create a binary from macOS (because I write code on Mac): `vue-cli-service electron:build --win`. In the config I left the sha256 line and commented out the rest:

   ```js
   signingHashAlgorithms: ['sha256'],
   // certificateFile: "certificate/output.pfx",
   // certificatePassword: process.env.WIN_CER_PASS,
   // certificateSubjectName: "xxx SOFTWARE xxx"
   ```

2. On Windows I installed this filthy yubikey, having first installed the program for it there. Plus! It turns out that for this program it was necessary to install some kind of general application (something like a service, a daemon), since Windows does not always detect the yubikey as needed. (So 2 apps from the Yubikey website need to be installed.)

3. Wrote to yubikey support, did not receive a normal answer (never buy a yubikey for yourself, this is a disgusting company).

4. Using signtool I sign my application in Windows with the flash drive (yubikey) inserted; a window appears in Windows asking for the PIN code of the yubikey.

5. The app is signed. I recalculate its hash, upload the signed program to the server and change the hash to the new one in the auto-updater.
This way it just works for me. If you need terminal commands in Windows, from points 4 and 5, I can send them. They are on another computer.
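As an added example (not pefka's own commands, which were never posted), the following PowerShell script shows what steps 4 and 5 of that procedure look like on the Windows machine: locating the token-backed certificate in the user's certificate store, signing with signtool using a SHA-256 file digest and an RFC 3161 timestamp, verifying the result, and recomputing the file hash after signing. The installer path, the subject name (taken from the commented-out `certificateSubjectName` line above) and the timestamp server URL are assumptions; signtool must be on `PATH` from the Windows SDK, and the YubiKey software from step 2 must have exposed the certificate to Windows so that `Cert:\CurrentUser\My` lists it with a private key.

```powershell
# Added example: sign, verify and hash a Windows build with a certificate whose
# private key lives on an inserted YubiKey. All paths/names below are assumptions.
param(
    [string]$Exe = "dist_electron\MyApp Setup 1.0.0.exe",   # assumed build output
    [string]$SubjectName = "xxx SOFTWARE xxx",               # CN from the thread's config
    [string]$TimestampUrl = "http://timestamp.sectigo.com"   # assumed RFC 3161 TSA
)
$ErrorActionPreference = "Stop"

# 1. Confirm the token's certificate is visible to Windows. The minidriver
#    presents the YubiKey key as a non-exportable private key behind the cert.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$SubjectName' and a private key found. Is the YubiKey inserted?"
}

# 2. Sign: SHA-256 file digest (/fd), RFC 3161 timestamp (/tr, /td) so the
#    signature stays valid after the certificate expires, and select the exact
#    certificate by thumbprint (/sha1). Windows pops up the PIN prompt here.
& signtool.exe sign /fd sha256 /tr $TimestampUrl /td sha256 /sha1 $cert.Thumbprint /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify the chain against the Authenticode policy (/pa) before shipping,
#    so a broken chain or missing timestamp is caught on the build box, not by users.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signature verification failed with exit code $LASTEXITCODE" }

# 4. Signing changes the file bytes, so any hash published for the updater must
#    be computed from the signed file. SHA-256 is shown here; use whatever digest
#    format your updater metadata expects.
$hash = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash.ToLower()
Write-Output "$hash  $Exe"
```

Selecting the certificate by thumbprint rather than by subject name avoids signing with the wrong certificate when the store holds several with similar names (an expired one next to the current one, for instance), and the explicit `signtool verify` step is what turns the manual process into something you can fail fast on before the hash is published.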
Thanks for the detailed response @pefka!
It's a pity that there seems to be no integration for hardware signing in electron-builder, and that we need to resort to both using Windows and "automating" it ourselves.
I wonder if I could actually automate this using something like Windows in Docker, but that may be far-fetched.
If I figure out a more automatic way of doing this I'll share it here as well. Cheers
EDIT: The Windows-in-Docker solution isn't as scriptable as I'd like, and it's so slow and heavy anyway. I'll find another way.