Is codesigning supposed to work from non-windows? #27

Open
jkudish opened this Issue Mar 6, 2016 · 28 comments

jkudish commented Mar 6, 2016

When I try to build the app from a non-windows machine (Ubuntu 15.10 in this case), I get the following error:

    Error: Failed with exit code: 255
    Output:
    System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: '[path censored]/node_modules/electron-winstaller/vendor/signtool.exe sign /a /f "/[path censored]/build/codesigningcertificate.pfx" /p "[password censored]" [path truncated]/.local/share/SquirrelTemp/tempa/lib/net45/[filename censored].exe'

There's also a long stacktrace not included for the sake of brevity.

Collaborator

paulcbetts commented Mar 6, 2016

It doesn't at the moment, wine doesn't correctly support code signing

@lukeapage lukeapage added the upstream label Mar 6, 2016

Contributor

feross commented Apr 14, 2016

Supposedly, according to the MDN article, wine supports code signing. Is the article out of date?

Contributor

kevinsawicki commented Apr 14, 2016

I'm working on a fix for this currently to use https://sourceforge.net/projects/osslsigncode/ to sign Windows assets from Mac.

My plan is to add support for it here for installers and on electron-packager for .exe.

Contributor

kevinsawicki commented Apr 14, 2016

I tried to use signcode (instead of osslsigncode) originally from that MDN article, but it does not appear to support sha256 signatures, which Windows 10 requires I believe.

Contributor

feross commented Apr 14, 2016

@kevinsawicki Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

Contributor

feross commented Apr 14, 2016

Also, thanks for working on this!

Contributor

kevinsawicki commented Apr 14, 2016

> Do you mean the example just shows sha1, or the signcode tool actually doesn't support sha256?

signcode only supports sha1 or md5 I believe.

    Usage: signcode [options] filename

        -spc spc    Software Publisher Certificate file
        -v pvk      Private Key file
        -a md5 | sha1   Hash Algorithm (default: MD5)
        -$ indivisual | commercial  Signature type

https://github.com/mono/mono/blob/5e80f625b93706328c9a22b1cbb73300f2ea2186/mcs/tools/security/signcode.cs#L38

Contributor

kevinsawicki commented Apr 14, 2016

Atom switched to dual signing via native signtool a while ago with sha1 and sha256 signatures and I couldn't get that working with signcode.

Contributor

feross commented Apr 16, 2016

electron-builder discussion here: electron-userland/electron-builder#314

@feross feross referenced this issue in electron-userland/electron-builder Apr 16, 2016

Closed

Windows code signing from OS X #314

Contributor

feross commented Apr 19, 2016

@kevinsawicki just published kevinsawicki/signcode which I think should be used in windows-installer when building from OS X.

mermaid commented Apr 19, 2016

I'm currently trying to do the signing myself using osslsigncode or signcode to sign on my mac for the time being. But I'm curious as to what all files I have to sign? Do I sign all the Squirrel .exe's and my built .exe, then build it and sign the installer?

Contributor

develar commented Apr 19, 2016

I have started work to use https://github.com/kevinsawicki/signcode in the electron-builder (PR will be in this package, of course).

Contributor

develar commented Apr 20, 2016

@mermaid Don't reinvent the wheel. Just use electron-builder — electron-userland/electron-builder#314 (comment)

Fixed in my fork/electron-builder — PR will be this/next week.

Contributor

feross commented Apr 20, 2016

@develar It's a good question though. I'm wondering if all the .exe files need to be signed, or not?

Contributor

develar commented Apr 20, 2016

@feross Answered in linked comment — "electron-builder uses signcode to sign app exe regardless of Squirrel.Windows". Yes, you should sign app exe as well. Maybe no one forces you to do it, but you should.

Contributor

feross commented Apr 20, 2016

@develar Shouldn't the .dlls also be signed?

Contributor

develar commented Apr 20, 2016

Collaborator

paulcbetts commented Apr 20, 2016

@feross You can but it doesn't really make a difference to AV. You should sign your executables, including Squirrel.exe which is hard to do by signing yourself, which is why Squirrel has it built-in as part of its packager.

Contributor

develar commented May 11, 2016

electron-builder since 3.20 (will be released soon) will correctly sign your app — dual code sign (sha1+sha256) + timestamp (by default windows-installer on Windows signs using sha1 without timestamp).

Sorry, I am not going to prepare PR since intermediate #77 is rejected and I don't want to waste my time and resolve merge conflicts. Anyway solution mostly implemented as part of signcode npm module (PR will be if kevinsawicki/signcode#4)

Contributor

feross commented May 17, 2016

@kevinsawicki We still want to use your signcode package when we're on non-Windows platforms, right?

@develar Is your PR #77 required for signcode integration? Seems like an unrelated issue, no?

Contributor

kevinsawicki commented May 17, 2016

> We still want to use your signcode package when we're on non-Windows platforms, right?

Yup, currently it only works on Mac, but Linux support should be straightforward, just haven't added it yet.

@dustinblackman dustinblackman referenced this issue in Squirrel/Squirrel.Windows Dec 9, 2016

Open

Add Mono's signcode for non-Windows builds #505

dustinblackman commented Dec 11, 2016

For all the Googlers ending up in this issue looking for a solution, I've built a dirty workaround that gets the job done. https://github.com/dustinblackman/mono-signtool

kevingelion Feb 23, 2017

Just landed here trying to sign my Windows electron application that's being built on my macOS dev machine. @dustinblackman's workaround seems to sidestep the problem but I'm curious if anything was merged into either this repo or electron-builder to support signing Windows builds on macOS.

Contributor

develar commented Feb 23, 2017

electron-builder supports codesign on all platforms, including Linux. The only limitation — EV certificate on smartcards not supported.

mavrick commented Mar 28, 2017

cheeky bump

mavrick commented May 30, 2017

So, I managed to get around this on Ubuntu 16.04 with a manual sign step using osslsigncode

I'm only signing the .exe and not the contents.
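
The manual osslsigncode step mentioned above, combined with the dual signature (sha1 + sha256) and timestamp setup discussed earlier in the thread, as an added example that is not part of any poster's comment or of this project's code. The `dual_sign` function, the overridable `SIGNER` variable, the file paths and the timestamp URLs are assumptions of the example; the password is read from a file with `-readpass` so it does not appear in the invoked command line, as it does in the error output at the top of the issue.

```shell
#!/bin/sh
# Added example: dual-sign a Windows PE file with osslsigncode on Linux/macOS.
# SIGNER can be overridden (an assumption of this example) to dry-run the flow.
SIGNER=${SIGNER:-osslsigncode}

# dual_sign PFX PASSFILE SRC DST AUTHENTICODE_TS_URL RFC3161_TS_URL
dual_sign() {
    if [ $# -ne 6 ]; then
        echo "usage: dual_sign pfx passfile src dst ts_url rfc3161_url" >&2
        return 2
    fi
    pfx=$1 passfile=$2 src=$3 dst=$4 ts_url=$5 tsa_url=$6
    for f in "$pfx" "$passfile" "$src"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # The key password is read from a file (-readpass), never put in argv,
    # so it cannot end up in a build log or exception message. Refuse a
    # password file that group or others can read.
    if [ -n "$(find "$passfile" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$passfile is readable by group/other; chmod 600 it" >&2
        return 2
    fi
    tmp="$dst.sha1.tmp"
    # Pass 1: SHA-1 signature, Authenticode timestamp (-t).
    "$SIGNER" sign -pkcs12 "$pfx" -readpass "$passfile" -h sha1 \
        -t "$ts_url" -in "$src" -out "$tmp" || { rm -f "$tmp"; return 1; }
    # Pass 2: append (-nest) a SHA-256 signature, RFC 3161 timestamp (-ts).
    rc=0
    "$SIGNER" sign -pkcs12 "$pfx" -readpass "$passfile" -h sha256 -nest \
        -ts "$tsa_url" -in "$tmp" -out "$dst" || rc=$?
    rm -f "$tmp"
    # Never leave a half-signed artifact where a release step could pick it up.
    [ "$rc" -eq 0 ] || { rm -f "$dst"; return 1; }
}

# Usage (constructed paths; the two URL variables are placeholders):
# dual_sign build/cert.pfx build/cert.pass dist/Setup.exe dist/Setup-signed.exe \
#     "$AUTHENTICODE_TS_URL" "$RFC3161_TS_URL"
```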

alexstrat Jun 15, 2017

Looking at the thread, it looks like we can drop https://github.com/kevinsawicki/signcode here to support windows code-signing from non-windows from a Mac. Is that correct? Is there any known blocker for that?

(Or use electron-builder indeed)

