.Version: 11.4.4.Target: mac, windowsI'm trying to build both a mac and windows version of an app on a computer running macOS and I want to sign them using an EV code signing certificate. These kind of certificates don't allow the export to.p12 or.pfx.When signing the mac build, the builder finds the installed certificate and uses this to sign the build.For the windows build however you need to specify a.p12 or.pfx file. It would be nice if electron-builder could also use the installed EV certificate to sign the windows build.When using signtool on windows you can specify to automatically search for the correct certificate using the /a param. Signtool sign /a /tr /td SHA256 'pathtoinstaller.exe'I don't think that mono signcode supports this /a parameter, but I maybe there is another way to accomplish this automatic certificate detection? Hi everyone!As now Microsoft requires to store private keys on smart cards, this will affect more people soon.I've managed to sign windows executables with osslsigncode on mac with its private key stored on a smart card. Here's how:.
SAC 9.0 (GA) - User’s Guide, 007-012831-001 - Revision B, ©2015 SafeNet, Inc. 14 Sac (Mac) custom installation and configuration installation file- This is a separate custom installation file, which enables administrators to distribute the SAC license. SafeNet Authentication Client 9.0 (Mac) supports the following operating systems. Double click on the file SafeNetAuthenticationClient-x64-10.3.msi on Windows, or SafeNet Authentication Client 10.1.pkg on the Mac.
install openssl, opensc and enginepkcs11 from brew. build osslsigncode from master, here's the we need, I don't know why the latest release is not updated (I've opened but the author doesn't care). call it with args:. pkcs11engine=/usr/local/lib/engines/enginepkcs11.so. Konami winx club pc game download free. pkcs11module=/usr/local/lib/opensc-pkcs11.so. key= your key slot, e.g.
01.askpass or -pass= your pin code.other args as in usual sign. Lumapix fotofusion extreme 5.4 build 100143 crack mpt. ❗️ run osslsigncode verify after sign: there's no validation by default: exe might be brokenThis is working perfectly for me here:If anyone is interested in token model which is working on both Mac and Windows, for me it's PIVKey T800. ACS tokens will not work on mac, or I haven't managed to make it work. Thanks for the instructions. Thanks to this I was able to build und use a current version of osslsigncode. Some issues I had:Building osslsigncodeAfter running autogen.sh I had to set the following variables in the Makefile: LDFLAGS = -L/usr/local/opt/openssl/libCPPFLAGS = -I/usr/local/opt/openssl/includeUsing osslsigncode.
The pkcs11module depends on the hardware token used. You can check if you are using the correct module using pkcs11-tool -module -I.
The token should be visible. Pkcs11-tool is included in opencs and is installed at /usr/local/Cellar/opensc/0.17.0/bin/pkcs11-tool. The ID for the -key paramter can also be acquired using pkcs11-tool -module -O. It is used to map private and public key, so it is the same for both and it doesn't matter which of both you are looking at.
Yes, you have to provide the -certs parameter. This was a bit surprising since the -key parameter could be used to get the public key from the token (if it is stored there too). As it turns out, osslsigncode cannot sign appx packages. Hi, thanks for your explanation!I actually did the same and codesign seems to be working properly for me, I checked generated installer withcodesign -display -verbose=4and it showed that there is the signature.
But the problem is that when I am trying to run the installer in windows the smart screen pops up warning about the lack of the signature, and there is actually none shown in file properties as well. Do you have the same? Any thoughts on how to make windows see this signature?Also, there is a typo in your sign.js script, the command inside execSync should be inside back-ticks `codesign.` to make the whole thingy work. I am using electron-builder (20.38.5) to publish, and using electron-updater (4.0.6) for installing new releases.The updater tried to sign.exe installerI'm not 100% sure I follow; the updater shouldn't be trying to sign anything.if electron-builder is successfully signing your executable, all you need to do is publish it to your repo/server with the -publish option.If it helps, my publish script essentially boils down to build -mwl -publish always.
This builds - signs - publishes, in that order. Yeah, I gave up on the codesign idea as well. Sorry to mislead anybody (I was mislead myself!).Good to know the osslsigncode option works - however, I do have one more solution that I've verified as working correctly. This option assumes your Mac has Java installed; so, if you don't want/need Java for any other reason, going the osslsigncode route would probably save some precious hard drive space. If anyone is unsure if they have Java installed, just run java -v.
The new solution:. You will still need to install the driver for your hardware token (I'm using the ). cd into your project's root directory and run:npm i -D readline-sync && curl -OJL '&& curl -L ' tar -xvz -strip-components=1This will install as a dev dependency (for prompting/obscuring your password input), download the tool, a, and a that points to the driver's eToken framework. Replace 'YOURCERTNAMEHERE' on line 1 of sign.js to be the actual name of your certificate. Setup the Windows build parameters in package.json. I just tried your Java solution and it works. I also tried osslsigncode but could not get it to work due to some problems with openssl on my Mac.
Thank you all for the solutions. A side note for others: sometimes my Safenet client (10.2) fails to put certficate into my keychain even though the physical token is plugged in. To fix that, reboot Mac with the physical token plugged in. Then in the login screen, you Mac will ask you for certificate PIN/Password to log you in. After entering certificate PIN/Password, the certifcate is guaranteed to be in your Keychain Access (Not necessarily in 'login' keychain though). Yesterday I worked on this for Mac. I got this working as follows.
Also using a Safenet 5110 token. The main problem is the lack of engine pkcs 11 in brew (it is still linked to openssl 1.0 instead of openssl 1.1). Osslsigncode sign -verbose -pkcs11engine /usr/local/mac-dev/lib/engines-1.1/libpkcs11.dylib -pkcs11module /usr/local/lib/libeTPkcs11.dylib -h sha256 -n app-name -t -certs /link/to/cert.pem -key 'key-id-here ' -pass 'password ' -in /link/to/app.exe -out /link/to/app.signed.exeRemarks:. Make sure you use the correct engine and module. The engine I am using is /usr/local/mac-dev/lib/engines-1.1/libpkcs11.dylib and the module is /usr/local/lib/libeTPkcs11.dylib.
You do not need to install enginepkcs11 via brew or otherwise, it is included in libp11 since version 0.4. If you get no slot with a token was found or some errors like sc connect card error and Card is invalid or cannot be handled you are not using the correct module, make sure you use correct one (for me it was located at /usr/local/lib/libeTPkcs11.dylib). Use the osslsigncode which is mentioned in the list of URLs. This is the actually maintained library, requires OpenSSL 1.1, includes the patch which is mentioned earlier in this thread.