
Is codesigning supposed to work from non-windows?

Open jkudish opened this issue 8 years ago • 30 comments

When I try to build the app from a non-windows machine (Ubuntu 15.10 in this case), I get the following error:

Error: Failed with exit code: 255
Output:
System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: '[path censored]/node_modules/electron-winstaller/vendor/signtool.exe sign /a /f "/[path censored]/build/codesigningcertificate.pfx" /p "[password censored]" [path truncated]/.local/share/SquirrelTemp/tempa/lib/net45/[filename censored].exe'

There's also a long stacktrace not included for the sake of brevity.

jkudish avatar Mar 06 '16 02:03 jkudish

It doesn't at the moment, wine doesn't correctly support code signing

anaisbetts avatar Mar 06 '16 03:03 anaisbetts

Solution: https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Signing_an_executable_with_Authenticode

develar avatar Mar 11 '16 08:03 develar

Supposedly, according to the MDN article, wine supports code signing. Is the article out of date?

feross avatar Apr 14 '16 21:04 feross

I'm working on a fix for this currently to use https://sourceforge.net/projects/osslsigncode/ to sign windows assets from mac.

My plan is to add support for it here for installers and on electron-packager for .exe.

kevinsawicki avatar Apr 14 '16 21:04 kevinsawicki

I tried to use signcode (instead of osslsigncode) originally from that mdn article but it does not appear to support sha256 signatures which Windows 10 requires I believe.

kevinsawicki avatar Apr 14 '16 21:04 kevinsawicki

@kevinsawicki Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

feross avatar Apr 14 '16 21:04 feross

Also, thanks for working on this!

feross avatar Apr 14 '16 21:04 feross

Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

signcode only supports sha1 or md5 I believe.

Usage: signcode [options] filename

    -spc spc    Software Publisher Certificate file
    -v pvk      Private Key file
    -a md5 | sha1   Hash Algorithm (default: MD5)
    -$ indivisual | commercial  Signature type

https://github.com/mono/mono/blob/5e80f625b93706328c9a22b1cbb73300f2ea2186/mcs/tools/security/signcode.cs#L38

kevinsawicki avatar Apr 14 '16 21:04 kevinsawicki

Atom switched to dual signing via native signtool awhile ago with sha1 and sha256 signatures and I couldn't get that working with signcode.

kevinsawicki avatar Apr 14 '16 21:04 kevinsawicki

electron-builder discussion here: https://github.com/electron-userland/electron-builder/issues/314

feross avatar Apr 16 '16 02:04 feross

@kevinsawicki just published kevinsawicki/signcode which I think should be used in windows-installer when building from OS X.

feross avatar Apr 19 '16 00:04 feross

I'm currently trying to do the signing myself using osslsigncode or signcode to sign on my mac for the time being. But I'm curious as to what all files I have to sign? Do I sign all the Squirrel .exe's and my built .exe, then build it and sign the installer?

mermaid avatar Apr 19 '16 02:04 mermaid

I have started work to use https://github.com/kevinsawicki/signcode in the electron-builder (PR will be in this package, of course).

develar avatar Apr 19 '16 07:04 develar

@mermaid Don't reinvent the wheel. Just use electron-builder — https://github.com/electron-userland/electron-builder/issues/314#issuecomment-212269472

Fixed in my fork/electron-builder — PR will be this/next week.

develar avatar Apr 20 '16 05:04 develar

@develar It's a good question though. I'm wondering if all the .exe files need to be signed, or not?

feross avatar Apr 20 '16 05:04 feross

@feross Answered in the linked comment — "electron-builder uses signcode to sign app exe regardless of Squirrel.Windows". Yes, you should sign the app exe as well. Maybe no one forces you to do it, but you should.

develar avatar Apr 20 '16 06:04 develar

@develar Shouldn't the .dlls also be signed?

feross avatar Apr 20 '16 06:04 feross

@feross http://stackoverflow.com/a/4716079 But only @kevinsawicki or @paulcbetts can answer as experts.

develar avatar Apr 20 '16 06:04 develar

@feross You can but it doesn't really make a difference to AV. You should sign your executables, including Squirrel.exe which is hard to do by signing yourself, which is why Squirrel has it built-in as part of its packager.

anaisbetts avatar Apr 20 '16 19:04 anaisbetts

electron-builder since 3.20 (will be released soon) will correctly sign your app — dual code sign (sha1+sha256) + timestamp (by default windows-installer on Windows signs using sha1 without a timestamp).

Sorry, I am not going to prepare a PR since the intermediate https://github.com/electron/windows-installer/pull/77 is rejected and I don't want to waste my time resolving merge conflicts. Anyway, the solution is mostly implemented as part of the signcode npm module (a PR will follow if https://github.com/kevinsawicki/signcode/issues/4 is resolved).

develar avatar May 11 '16 10:05 develar

@kevinsawicki We still want to use your signcode package when we're on non-Windows platforms, right?

@develar Is your PR https://github.com/electron/windows-installer/pull/77 required for signcode integration? Seems like an unrelated issue, no?

feross avatar May 17 '16 22:05 feross

We still want to use your signcode package when we're on non-Windows platforms, right?

Yup, currently it only works on Mac, but Linux support should be straightforward, just haven't added it yet.

kevinsawicki avatar May 17 '16 22:05 kevinsawicki

For all the Googlers ending up in this issue looking for a solution, I've built a dirty workaround that gets the job done. https://github.com/dustinblackman/mono-signtool

dustinblackman avatar Dec 11 '16 19:12 dustinblackman

Just landed here trying to sign my Windows electron application that's being built on my macOS dev machine. @dustinblackman's workaround seems to sidestep the problem but I'm curious if anything was merged into either this repo or electron-builder to support signing Windows builds on macOS.

weedgrease avatar Feb 23 '17 16:02 weedgrease

electron-builder supports codesigning on all platforms, including Linux. The only limitation is that EV certificates on smartcards are not supported.

develar avatar Feb 23 '17 16:02 develar

cheeky bump

mavrick avatar Mar 28 '17 10:03 mavrick

So, I managed to get around this on Ubuntu 16.04 with a manual sign step using osslsigncode.

I'm only signing the .exe and not the contents.

mavrick avatar May 30 '17 10:05 mavrick

Looking at the thread, it looks like we can drop https://github.com/kevinsawicki/signcode here to support windows code-signing from non-windows from a Mac. Is that correct? Is there any known blocker for that?

(Or use electron-builder indeed)

alexstrat avatar Jun 15 '17 16:06 alexstrat

You can sign an exe file on macOS using jsign, which is basically a Java version of Microsoft Authenticode. I had to spend my afternoon on this. Hope this helps.

java -jar bin/lib/jsign/jsign-4.2.jar \
  --storetype PKCS12 \
  --keystore ???.pfx \
  --tsaurl http://timestamp.sectigo.com \
  --alias '???' \
  --storepass '???' \
  "out/make/squirrel.windows/x64/???.exe"
  • https://www.electron.build/tutorials/code-signing-windows-apps-on-unix.html#signing-windows-app-on-maclinux-using-jsign
  • https://github.com/ebourg/jsign/releases

danishin avatar Jan 23 '23 10:01 danishin

Hi @feross, do you have any idea how to codesign the electron application in CircleCI for a mac build?

reddybhavanish avatar Dec 27 '23 13:12 reddybhavanish