electron-builder
Add support for other signtool arguments - DigiCert codesign
Currently, `computeSignToolArgs` can't work with DigiCert codesign with EV certificates using a USB token.
```js
const { exec } = require("builder-util")

exports.default = async function (configuration) {
  const timeout = parseInt(process.env.SIGNTOOL_TIMEOUT, 10) || 10 * 60 * 1000
  const tool = process.env.SIGNTOOL_PATH
  // Pass the current environment through to signtool.exe (was referenced but never defined)
  const env = process.env
  // /fd and /td select the digest algorithm for the file and the RFC 3161 timestamp
  const args = ["sign", "/fd", configuration.hash, "/td", configuration.hash, "/tr", "http://timestamp.digicert.com"]
  // EV certificate on a SafeNet USB token: select the token's CSP, pass the public
  // certificate file and the key container; the private key never leaves the token
  args.push("/csp", "eToken Base Cryptographic Provider")
  args.push("/f", process.env.SIGNTOOL_CERT_NAME)
  args.push("/k", process.env.SIGNTOOL_PASSWORD)
  args.push("/v", configuration.path)
  try {
    await exec(tool, args, { timeout, env })
  } catch (e) {
    if (e.message.includes("The file is being used by another process") || e.message.includes("The specified timestamp server either could not be reached")) {
      console.warn(`First attempt to code sign failed, another attempt will be made in 15 seconds: ${e.message}`)
      await new Promise((resolve, reject) => {
        setTimeout(() => {
          exec(tool, args, { timeout, env }).then(resolve).catch(reject)
        }, 15000)
      })
      // The retry succeeded, so the original error must not be rethrown
      return
    }
    throw e
  }
}
```
The password requires the format explained here:
https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
So `/csp` is missing from the current `computeSignToolArgs`, and the file name currently expects a .p12, but with the USB token you can only use a certificate without a private key.

I'm not sure what the best naming would be for the addition to the sign tool args, but it would be great if this could be added as standard options, as USB tokens are now required for code signing certificates by default. .p12 or .pfx files won't be supported anymore due to updated security standards from the CAB.
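As an added example (not electron-builder's own code, and the option names `csp`, `certificateFile`, `keyContainer`, `password` and `timestampUrl` are hypothetical), here is what a `computeSignToolArgs`-style builder could look like if it supported both a .pfx file and a CSP-backed key container on a USB token. It also masks the `/k` and `/p` values before a command line is logged, since the token password rides inside the `/k` argument, and it isolates the two transient error messages the retry in the script above checks for. The `[{{password}}]=container` syntax comes from the Stack Overflow answer linked above; the sample values are placeholders.

```javascript
// Added example, not electron-builder's own code. Option names (csp, certificateFile,
// keyContainer, password, timestampUrl) are hypothetical; the signtool.exe switches
// (/fd /td /tr /csp /f /k /p /v) are real.

// Build the `[{{password}}]=container` value that the eToken CSP expects in /k
// (format taken from the Stack Overflow answer linked in the issue).
function formatKeyContainer(tokenPassword, containerName) {
  if (!tokenPassword || !containerName) {
    throw new Error("both the token password and the key container name are required")
  }
  return `[{{${tokenPassword}}}]=${containerName}`
}

// Compute the signtool argument list for one file.
// options:       how to reach the signing key (PFX file, or CSP + key container)
// configuration: what to sign (path, digest algorithm, timestamp server)
function computeSignToolArgs(options, configuration) {
  const args = ["sign", "/fd", configuration.hash]
  if (configuration.timestampUrl) {
    // RFC 3161 timestamp using the same digest algorithm as the file
    args.push("/td", configuration.hash, "/tr", configuration.timestampUrl)
  }
  if (!options.certificateFile) {
    throw new Error("certificateFile is required (a .pfx, or a public .cer when using a token)")
  }
  if (options.csp) {
    // Hardware token: select the CSP, name the public certificate, and reference
    // the key container. The private key never leaves the token.
    if (!options.keyContainer) {
      throw new Error("keyContainer is required when csp is set")
    }
    args.push("/csp", options.csp, "/f", options.certificateFile, "/k", options.keyContainer)
  } else {
    // Software certificate: PFX file plus optional import password
    args.push("/f", options.certificateFile)
    if (options.password != null) {
      args.push("/p", options.password)
    }
  }
  args.push("/v", configuration.path)
  return args
}

// Secrets ride in the /k and /p values; mask them before the command line is logged.
const SECRET_SWITCHES = new Set(["/k", "/p"])
function redactForLog(args) {
  return args.map((value, index) =>
    index > 0 && SECRET_SWITCHES.has(args[index - 1].toLowerCase()) ? "***" : value
  )
}

// The two transient signtool failures that the retry in the issue's script handles.
function isRetryableSignToolError(message) {
  return (
    message.includes("The file is being used by another process") ||
    message.includes("The specified timestamp server either could not be reached")
  )
}

// Constructed sample: EV certificate on a USB token; all values are placeholders.
const exampleOptions = {
  csp: "eToken Base Cryptographic Provider",
  certificateFile: "C:\\certs\\public-only.cer",
  keyContainer: formatKeyContainer("token-password-placeholder", "ContainerNamePlaceholder"),
}
const exampleConfiguration = {
  hash: "sha256",
  path: "C:\\dist\\app.exe",
  timestampUrl: "http://timestamp.digicert.com",
}

// Only the redacted form should ever reach a build log
console.log("signtool.exe", redactForLog(computeSignToolArgs(exampleOptions, exampleConfiguration)).join(" "))
```

Keeping the argument builder pure (no `exec`, no environment reads) makes it easy to unit test both the .pfx and the token path, and routing every log line through `redactForLog` means the token password in `/k` is never written out by a verbose CI build.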