-
Notifications
You must be signed in to change notification settings - Fork 262
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to sign windows app on CI? (from June 1, 2023) #473
Comments
Hi, I have to renew my cert for Beekeeper Studio and I'm seeing the same problem. Is it not possible to just download a private key anymore? I feel like desktop apps are taking backwards steps. Hoping someone can help here with a workaround! |
Haven't tried this out myself, but major cloud services now provide CloudHSM and KMS services that you can integrate into your CI pipeline. At a high level, you would want to get those set up in the CI environment and pass the correct parameters to |
Sure, but the Amazon HSM starts at $1000 per month minimum. ($1.45/hour) |
This only impacts EV certs, if you're the kind of organization that needs EV but doesn't have the resources to spin up an HSM then that's unfortunately the New Reality. There are other cloudhsm~esque solutions (none of these are endorsements)
Some of which may be cheaper idk |
Now even OV certs require a HSM it seems? So it's hardware token or bust as far as I can tell? |
Does Electron-builder allow the use of https://knowledge.digicert.com/solution/digicert-keylocker.html then? |
https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html would that work with github actions and electron-builder? How would it tie in - used to do it as a step as part of electron-builder by specifying WIN_CSC https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/f3c9b79ecdea7bac5a151a3fbd776d5272162c6d/.github/workflows/build.yml#L40-L41 |
https://docs.digicert.com/en/digicert-one/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html looks like it should work - will test tomorrow or next week |
@petervanderwalt Hi Peter, just wondering how your testing went? Are you able to share you actions workflow? |
Still haven't gotten it working, though in our case procurement of the Keylocker/HSM is the delay, business side of things |
I'm diving into this process now, so just wondered if any updates on use of the HSM? I'm using Electron-forge. Thanks! |
I havent been able to circle back to this yet myself, but checkout OpenBuilds/OpenBuilds-CONTROL#321 (comment) |
@petervanderwalt Any updates? I am in a similar situation... (small app, users cannot install app since Windows SmartScreen is blocking it) |
Finally got mine sorted. Using digicert + keylocker to store the cert, and Github actions + electron builder to build and sign the app |
Could anybody help to figure out how to sign windows electron application on CI? Maybe there is option to export well known
pfx
certificate locally?The text was updated successfully, but these errors were encountered: