Windows code signing fails #759

Closed
nop33 opened this issue Aug 6, 2024 · 3 comments
Labels
bug Something isn't working 🖥 DW Desktop wallet


nop33 commented Aug 6, 2024

Context

We are using electron-builder to package our app to a Windows executable. In the past @killerwhile and I have created a custom signing script to:

  1. Download the code signing tool from https://github.com/SSLcom/CodeSignTool
  2. Extract it
  3. Write a CodeSignTool config file
  4. Sign our exe

Problem

I got the following error when I tried to release an RC today (from the next branch). It originates from the execution of this line: https://github.com/alephium/alephium-frontend/blob/next/apps/desktop-wallet/.signWindows.js#L121

🏃‍♂️ Running signing command...
Error: key status is disabled
The system cannot find the file specified.
  ⨯ Command failed: cmd.exe -/c D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\codesign\CodeSignTool-v1.2.7-windows\CodeSignTool.bat sign -username="***" -*** -credential_id="***" -totp_secret="***" -input_file_path="D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\dist\win-unpacked\Alephium.exe" -output_dir_path="D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\release\temp" && move "D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\release\temp\Alephium.exe" "D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\dist\win-unpacked"  failedTask=build stackTrace=Error: Command failed: cmd.exe -/c D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\codesign\CodeSignTool-v1.2.7-windows\CodeSignTool.bat sign -username="***" -*** -credential_id="***" -totp_secret="***" -input_file_path="D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\dist\win-unpacked\Alephium.exe" -output_dir_path="D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\release\temp" && move "D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\release\temp\Alephium.exe" "D:\a\alephium-frontend\alephium-frontend\apps\desktop-wallet\dist\win-unpacked"

Options

  1. We could try and debug the issue with our custom signing script
  2. We could try and remove our custom signing script without introducing the problem that it solves (see Update expired Windows certificate and release workflow #265 (comment))
  3. It'd be useful if we had a backup workflow for signing the Windows executable outside of the CI

Option 1: fix custom signing script

So far I have not managed to find what the actual problem is. TBC

Option 2: Rely on electron-builder signing capabilities

I tried to see what happens if I simply remove our custom sign script (0ccad9d). The release workflow succeeded but our exe was not signed.

5 months ago, someone commented:

If you wanted to more heavily leverage the code signing support in electron-builder with no custom signing script you can use the eSigner CKA: https://github.com/element-hq/element-desktop/blob/develop/.github/workflows/build_windows.yaml#L117-L154

Moreover, reading the electron-builder docs, what I understand is that all we need to provide are these 2 env vars and electron-builder will take care of signing:

  1. CSC_LINK: The HTTPS link (or base64-encoded data, or file:// link, or local path) to certificate (*.p12 or *.pfx file).
  2. CSC_KEY_PASSWORD: The password to decrypt the certificate given in CSC_LINK.

I am not sure, however, what values to provide for these env vars.

Relevant:

Relevant links

@nop33 nop33 added bug Something isn't working 🖥 DW Desktop wallet labels Aug 6, 2024
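
Added example, not part of the original issue or the project's code: the Option 2 run above succeeded while shipping an unsigned exe, so a post-build step can fail the release when the PE file has no embedded Authenticode signature. The function names are hypothetical and the sample PE headers are constructed; the check covers presence only, not chain validity or revocation status.

```javascript
// Added example: presence check for an embedded Authenticode signature.
// Function names are hypothetical; the sample PE image is constructed.
const SECURITY_DIR = 4;            // IMAGE_DIRECTORY_ENTRY_SECURITY
const PKCS_SIGNED_DATA = 0x0002;   // WIN_CERT_TYPE_PKCS_SIGNED_DATA

function authenticodeInfo(bytes) {
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (v.byteLength < 0x40 || v.getUint16(0, true) !== 0x5a4d) throw new Error('not an MZ executable');
  const pe = v.getUint32(0x3c, true);               // e_lfanew
  if (pe + 26 > v.byteLength || v.getUint32(pe, true) !== 0x00004550) throw new Error('missing PE signature');
  const opt = pe + 24;                              // optional header start
  const magic = v.getUint16(opt, true);
  if (magic !== 0x10b && magic !== 0x20b) throw new Error('unknown optional header magic');
  const dirs = opt + (magic === 0x20b ? 112 : 96);  // data directory array
  const entry = dirs + SECURITY_DIR * 8;
  if (entry + 8 > v.byteLength) throw new Error('truncated headers');
  if (v.getUint32(dirs - 4, true) <= SECURITY_DIR) return { signed: false, reason: 'no certificate table entry' };
  const offset = v.getUint32(entry, true);          // file offset, not an RVA
  const size = v.getUint32(entry + 4, true);
  if (offset === 0 || size === 0) return { signed: false, reason: 'certificate table is empty' };
  if (size < 8 || offset + size > v.byteLength) return { signed: false, reason: 'certificate table out of bounds' };
  if (v.getUint16(offset + 6, true) !== PKCS_SIGNED_DATA) return { signed: false, reason: 'unexpected certificate type' };
  return { signed: true, reason: 'embedded PKCS#7 signature present' };
}

// Constructed header-only PE32+ image, optionally with a stub WIN_CERTIFICATE.
function buildSamplePe(withSignature) {
  const pe = 0x80, dirs = pe + 24 + 112, certOffset = 0x200, certSize = 16;
  const buf = new Uint8Array(certOffset + (withSignature ? certSize : 0));
  const v = new DataView(buf.buffer);
  v.setUint16(0, 0x5a4d, true);          // 'MZ'
  v.setUint32(0x3c, pe, true);
  v.setUint32(pe, 0x00004550, true);     // 'PE\0\0'
  v.setUint16(pe + 24, 0x20b, true);     // PE32+
  v.setUint32(dirs - 4, 16, true);       // NumberOfRvaAndSizes
  if (withSignature) {
    v.setUint32(dirs + SECURITY_DIR * 8, certOffset, true);
    v.setUint32(dirs + SECURITY_DIR * 8 + 4, certSize, true);
    v.setUint32(certOffset, certSize, true);           // dwLength
    v.setUint16(certOffset + 4, 0x0200, true);         // wRevision
    v.setUint16(certOffset + 6, PKCS_SIGNED_DATA, true);
  }
  return buf;
}

// In CI: authenticodeInfo(fs.readFileSync(exePath)) and exit non-zero if !signed.
console.log(authenticodeInfo(buildSamplePe(true)), authenticodeInfo(buildSamplePe(false)));
```

A signature that is present can still fail validation; on a Windows runner, `signtool verify /pa` evaluates the file against the Authenticode policy.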

nop33 commented Aug 6, 2024

While debugging this issue I addressed the following issue:

It might be worth continuing the debugging on top of that branch.


nop33 commented Aug 7, 2024

Today we discovered that the certificate has been revoked.


nop33 commented Aug 14, 2024

Together with Benoit's help, the issue was addressed by issuing a new certificate through SSL.com. I've kept a screenshot guide on Notion on how to do that. Closing issue.

@nop33 nop33 closed this as completed Aug 14, 2024