How to sign windows app on CI? (from June 1, 2023)

[mahnunchik]

Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for standard code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection.

Could anybody help to figure out how to sign windows electron application on CI? Maybe there is option to export well known pfx certificate locally?

[rathboma]

Hi, I have to renew my cert for Beekeeper Studio and I'm seeing the same problem. Is it not possible to just download a private key anymore?

I feel like desktop apps are taking backwards steps.

Hoping someone can help here with a workaround!

[erickzhao]

Haven't tried this out myself, but major cloud services now provide CloudHSM and KMS services that you can integrate into your CI pipeline.

At a high level, you would want to get those set up in the CI environment and pass the correct parameters to signtool via the winstaller signWithParams parameter.

[rathboma]

Sure, but the Amazon HSM starts at $1000 per month minimum. ($1.45/hour)

[MarshallOfSound]

This only impacts EV certs, if you're the kind of organization that needs EV but doesn't have the resources to spin up an HSM then that's unfortunately the New Reality.

There are other cloudhsm~esque solutions (none of these are endorsements)

• CloudHSM
• Azure Code Signing
• DigiCert ONE
• Etc.

Some of which may be cheaper idk

[rathboma]

Now even OV certs require a HSM it seems? So it's hardware token or bust as far as I can tell?

[petervanderwalt]

Does Electron-builder allow the use of https://knowledge.digicert.com/solution/digicert-keylocker.html then?
I have Digicert EV certs, used to just provide the PFX and Password as secrets to Github actions and Electron-builder took care of it (very well and easy) but now I need a hardware token? (Can't plug USB into Githubs servers) so will need to use some other method.

[petervanderwalt]

https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html would that work with github actions and electron-builder? How would it tie in - used to do it as a step as part of electron-builder by specifying WIN_CSC https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/f3c9b79ecdea7bac5a151a3fbd776d5272162c6d/.github/workflows/build.yml#L40-L41

[petervanderwalt]

https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html looks like it should work - will test tomorrow or next week

[evoactivity]

@petervanderwalt Hi Peter, just wondering how your testing went? Are you able to share you actions workflow?

[petervanderwalt]

@petervanderwalt Hi Peter, just wondering how your testing went? Are you able to share you actions workflow?

Still haven't gotten it working, though in our case procurement of the Keylocker/HSM is the delay, business side of things

[cwiggins999]

I'm diving into this process now, so just wondered if any updates on use of the HSM? I'm using Electron-forge. Thanks!

[petervanderwalt]

I'm diving into this process now, so just wondered if any updates on use of the HSM? I'm using Electron-forge. Thanks!

I havent been able to circle back to this yet myself, but checkout OpenBuilds/OpenBuilds-CONTROL#321 (comment)

[casaout]

@petervanderwalt Any updates? I am in a similar situation... (small app, users cannot install app since Windows SmartScreen is blocking it)

[petervanderwalt]

@petervanderwalt Any updates? I am in a similar situation... (small app, users cannot install app since Windows SmartScreen is blocking it)

Finally got mine sorted.

Using digicert + keylocker to store the cert, and Github actions + electron builder to build and sign the app

OpenBuilds/OpenBuilds-CONTROL#321 (comment)