code-signinginstall4jhardware-security-modulesafenetnotarization

install4j: Automating Windows Extended Validation Code Signing and Apple Notarization on the same machine?


We are considering to switch to an extended validation (EV) code signing certificate.

In order to fully automate the notarization with Apple, we had to switch our build machine to a Mac mini.

Reading up on the EV code signing process, and how to automate it, two questions arose:

Can the password entry for the hardware token (HSM) be automated?

The comment from Ingo Kegel on this SO question seems to indicate that you can pass the HSM password via --win-keystore-password=<password> command line option.

Is that correct?

Can a multi-platform build still happen on a single machine (the Mac mini)?

The install4j help mentions 'different platforms':

On Windows, such a hardware token can be usually accessed through the Windows keystore. On a different platform, you have to choose the "Hardware security module PKCS #11 library" option and configure a native library that provides access to the keystore in the HSM through the PKCS #11 API.

Are there PKCS #11 libraries for MacOS? The library selection dialog asks for a DLL...


Solution

  • The comment from Ingo Kegel on this SO question seems to indicate that you can pass the HSM password via --win-keystore-password= command line option.

    Yes, that is correct. This option is available on non-Windows platforms as well for code signing of Windows executables.

    Can a multi-platform build still happen on a single machine (the Mac mini)?

    Yes, a multi-platform build that involves notarization can only be performed on macOS, because Apple does not allow notarization requests except from macOS.

    Are there PKCS #11 libraries for MacOS? The library selection dialog asks for a DLL...

    You need a library for your HSM, this will be a .so file on Linux or a *.dylib file on macOS. I have created an issue for the file chooser to show the correct file filter based on the current platform.

    Whether such a library is available for macOS depends on the HSM. These libraries are loaded by the Java Cryptography Api (JCA) and install4j has no Windows-specific code in this respect.