Issue with code signing with an EV certificate on Windows #7729

Closed
stephanedupont opened this issue Aug 15, 2023 · 6 comments · Fixed by #8384

stephanedupont commented Aug 15, 2023

I was using a code signing certificate until now, using CSC_LINK and CSC_KEY_PASSWORD as specified here and it was working fine.

I was not able to renew my certificate as they stopped issuing certificates without a hardware token due to new regulations (see here), so I ordered instead an EV code signing certificate that comes with a USB hardware token.

I installed the SafeNet driver, removed CSC_LINK and CSC_KEY_PASSWORD and added win.certificateSubjectName as mentioned in the documentation.

When executing the electron-builder build --win command, it now fails with the following output:

$ electron-builder build -c.extraMetadata.main=electron.js --win
  • electron-builder  version=24.6.3 os=10.0.22621
  • loaded configuration  file=package.json ("build" field)
  • writing effective config  file=dist\1.1.9\builder-effective-config.yaml
  • packaging       platform=win32 arch=x64 electron=22.3.12 appOutDir=dist\1.1.9\win\x64\win-unpacked
  ⨯ Exit code: 1. Command failed: powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress
Get-ChildItem : A parameter cannot be found that matches parameter name 'CodeSigningCert'.
At line:1 char:30
+ Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Proper ...
+                              ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand


Get-ChildItem : A parameter cannot be found that matches parameter name 'CodeSigningCert'.
At line:1 char:30
+ Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Proper ...
+                              ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

  failedTask=build stackTrace=Error: Exit code: 1. Command failed: powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress
Get-ChildItem : A parameter cannot be found that matches parameter name 'CodeSigningCert'.
At line:1 char:30
+ Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Proper ...
+                              ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand


Get-ChildItem : A parameter cannot be found that matches parameter name 'CodeSigningCert'.
At line:1 char:30
+ Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Proper ...
+                              ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand


    at XXXXXXXXXXXXXXXXXXX\electron\node_modules\builder-util\src\util.ts:133:18
    at ChildProcess.exithandler (node:child_process:420:5)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1091:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

If I try to manually execute the command directly in PowerShell, decomposing it step by step, I get the following results:

powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem -Recurse Cert: -CodeSigningCert



   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
07XXXXXXXXXXXXXXXXXXXXXXXX5E  CN=XXXXXXX, O=XXXXXXX, S=Liège, C=BE, OID.2.5.4.15=Business Enti...

powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint

Subject PSParentPath Thumbprint
------- ------------ ----------









powershell.exe -NoProfile -NonInteractive -Command Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress

[{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null},{"Subject":null,"PSParentPath":null,"Thumbprint":null}]

So it seems that there is a problem with the code in windowsCodeSign.js, in the function getCertificateFromStoreInfo. Any idea of why and how to fix this?

@stephanedupont
Author

Found the problem: there are two versions of PowerShell on Windows: the one called "Windows PowerShell" (powershell.exe), which is PowerShell version 5.x and is kept on all Windows systems for compatibility reasons, and the newer versions called "PowerShell" (pwsh.exe), which are PowerShell versions 6.x, 7.x, ... The command called by electron-builder is "powershell.exe", and strangely enough it doesn't work from the newer PowerShell because of the ":" character. Launching the build/deploy script from Windows PowerShell (the 5.x version) fixed the problem.
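
A pre-flight check for the store query discussed in this thread, as an added example that is not part of the original issue and is not electron-builder's own code: it parses the JSON the command prints, handles the single-object and all-null shapes seen above, and selects the certificate for a subject name. The substring match on the subject, the `CERT_SUBJECT` variable and all sample values are assumptions of this example.

```javascript
// Added example: classify the output of the certificate-store query from this issue.
// CONSTRUCTED samples; subject and thumbprint are placeholders, not real values.
const SAMPLE_OK = JSON.stringify({
  Subject: "CN=Example Corp, O=Example Corp, C=BE",
  PSParentPath: "Microsoft.PowerShell.Security\\Certificate::CurrentUser\\My",
  Thumbprint: "00PLACEHOLDER00",
});
const SAMPLE_NULLS = '[{"Subject":null,"PSParentPath":null,"Thumbprint":null},' +
  '{"Subject":null,"PSParentPath":null,"Thumbprint":null}]';

// The query from the build log, kept as ONE string so the whole pipeline
// is evaluated inside powershell.exe rather than by the calling shell.
const QUERY = "Get-ChildItem -Recurse Cert: -CodeSigningCert | " +
  "Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress";

// Parse the JSON text and pick the certificate whose subject contains subjectName.
function selectCertificate(jsonText, subjectName) {
  const text = (jsonText || "").trim();
  if (text === "") return { status: "empty", matches: [] }; // no code-signing certs listed
  let rows;
  try {
    rows = JSON.parse(text);
  } catch (e) {
    return { status: "not-json", matches: [] }; // e.g. a PowerShell error message
  }
  if (!Array.isArray(rows)) rows = [rows]; // a single certificate arrives as a bare object
  const usable = rows.filter((r) => r && r.Subject && r.Thumbprint);
  // Rows without Subject/Thumbprint carry no certificate data:
  // Select-Object did not receive certificate objects.
  if (usable.length === 0) return { status: "no-properties", matches: [] };
  const matches = usable.filter((r) => r.Subject.includes(subjectName));
  if (matches.length === 0) return { status: "no-match", matches };
  return { status: matches.length === 1 ? "ok" : "ambiguous", matches };
}

// Runs the query in Windows PowerShell 5.x (powershell.exe), as suggested in the thread.
function queryStore() {
  const { execFileSync } = require("node:child_process"); // loaded only on real use
  const args = ["-NoProfile", "-NonInteractive", "-Command", QUERY];
  return execFileSync("powershell.exe", args, { encoding: "utf8" });
}

// CERT_SUBJECT is this example's own variable; without it the samples are used.
if (process.env.CERT_SUBJECT) {
  console.log(selectCertificate(queryStore(), process.env.CERT_SUBJECT));
} else {
  console.log(selectCertificate(SAMPLE_OK, "Example Corp").status);
  console.log(selectCertificate(SAMPLE_NULLS, "Example Corp").status);
}
```

Run it before the build on the signing machine; any status other than `ok` means the signing step would not find a unique certificate on the token.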


leohxj commented Dec 29, 2023

Currently, I am using PowerShell v5 instead of v7.

Contributor

KaminoRyo commented Feb 7, 2024

Me too. I lost several hours with this problem.😢
Some of the characters were garbled and it was difficult to even investigate the cause.


stoefln commented Feb 15, 2024

Hi there! I got the same issue, but I don't understand how it can be resolved. Not even after reading your comments.
I am running the script inside of a GitHub workflow, does that mean I need to configure the workflow step so it's using PowerShell 5.x?


stoefln commented Feb 16, 2024

@stephanedupont how do you use PowerShell v5?

@stephanedupont
Author

Like I mentioned, use powershell.exe instead of pwsh.exe.

BlackHole1 added a commit to BlackHole1/electron-builder that referenced this issue Jul 29, 2024
BlackHole1 added a commit to BlackHole1/electron-builder that referenced this issue Jul 30, 2024
BlackHole1 added a commit to BlackHole1/electron-builder that referenced this issue Jul 31, 2024