Using an EV HSM Code Signing Certificate on Windows

[GitBreezePaul]

electron-builder: 21.2.0
electron-updater: 4.1.2
Target: Windows

Firstly, Electron Builder and Updater are superb. On Windows, we've hit a problem though. I appreciate that code signing with EV certificates on a CI server has historically been problematic because of the USB dongle. However, you can now sign with an EV HSM (Extended Validation Hardware Security Module), which doesn't need a USB dongle. This means it can be used remotely to sign code.

Is there any plan to support this? It would be fantastic to be able to just run the build on the CI server and pump out the code signed binary. The only actual need for this at first would be the ability to call a Windows command from within electron-builder at the appropriate moment to create the code signed binary, and then use that checksum for the electron-updater so that it could be updated by our users as normal in the future. At the moment of course, the updating fails because the binary has been altered and electron-updater sees a different checksum.

So to make this work with an EV HSM certificate stored in Azure Key Vault for example, you need only call this from a remote CI server:

AzureSignTool.exe sign ^
-kvu https://MY-EV-CERTIFICATE.azure.net ^
-kvi LOGIN ^
-kvs PASSWORD ^
-kvc MY-KEY-NAME ^
-tr http://timestamp.digicert.com ^
-v ^
BINARY-TO-SIGN.EXE

If this (or another arbitrary command line call) could be made from within electron-builder to code sign and then use the output to finalise the checksum, then we could build entirely on the CI server. Sadly, without this, the CI server is a bit pointless and we have to use a local PC to do all of our building.

We've made a small donation by way of thanks for your hard work!

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[labsforge]

This is very important for CD, I can't believe that we will have to build our app on a local computer with the usb dongle.. 🤯

[GitBreezePaul]

@labsforge Yes, I discovered that this is possible but its tucked away within the documents here:

https://www.electron.build/configuration/win.html#how-do-delegate-code-signing

Essentially, electron-builder needs to call the ...config.win.sign item, which links to a JS file of your choice. This has a default export function, which you must write, which does the signing. Electron builder passes a configuration parameter into that function, which holds the path to the exe that must be signed. Using a child process, you can sign it and whatever you need to do.

[labsforge]

Oh I see! thank you

[theogravity]

See for more information:

#7605