We are considering switching to an extended validation (EV) code signing certificate.
In order to fully automate the notarization with Apple, we had to switch our build machine to a Mac mini.
Reading up on the EV code signing process, and how to automate it, two questions arose:
The comment from Ingo Kegel on this SO question seems to indicate that you can pass the HSM password via the --win-keystore-password=<password> command line option.
Is that correct?
The install4j help mentions 'different platforms':
On Windows, such a hardware token can usually be accessed through the Windows keystore. On a different platform, you have to choose the "Hardware security module PKCS #11 library" option and configure a native library that provides access to the keystore in the HSM through the PKCS #11 API.
Are there PKCS #11 libraries for MacOS? The library selection dialog asks for a DLL...
The comment from Ingo Kegel on this SO question seems to indicate that you can pass the HSM password via --win-keystore-password= command line option.
Yes, that is correct. This option is available on non-Windows platforms as well for code signing of Windows executables.
Can a multi-platform build still happen on a single machine (the Mac mini)?
Yes, a multi-platform build that involves notarization can only be performed on macOS, because Apple does not allow notarization requests except from macOS.
Are there PKCS #11 libraries for MacOS? The library selection dialog asks for a DLL...
You need a library for your HSM; this will be a .so file on Linux or a .dylib file on macOS. I have created an issue for the file chooser to show the correct file filter based on the current platform.
Whether such a library is available for macOS depends on the HSM. These libraries are loaded by the Java Cryptography API (JCA) and install4j has no Windows-specific code in this respect.
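Since the answer says install4j loads the vendor's PKCS #11 library through the JCA, a useful pre-flight check on the Mac mini is to prove that the stock SunPKCS11 provider can load that .dylib and log in to the token before pointing install4j at it. The following is an added, stand-alone example (not code from the page, from Ingo Kegel or from install4j); the environment variable names PKCS11_LIBRARY and PKCS11_PIN, the provider name "EvToken" and the sample library path in the comment are assumptions for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Smoke test for an EV token on macOS: load the vendor's PKCS #11 library via
 * the JCA SunPKCS11 provider, log in with the token PIN and list the private
 * key entries with their certificates. Requires Java 11 or newer.
 */
public class Pkcs11Check {
    public static void main(String[] args) throws Exception {
        // Assumption: library path and PIN come from the environment so that the PIN
        // does not end up in shell history, the build script or the process list.
        String library = System.getenv("PKCS11_LIBRARY"); // e.g. /usr/local/lib/libeToken.dylib (assumed path)
        String pin = System.getenv("PKCS11_PIN");
        if (library == null || pin == null) {
            throw new IllegalStateException("PKCS11_LIBRARY and PKCS11_PIN must be set");
        }
        if (!Files.isRegularFile(Path.of(library))) {
            throw new IllegalStateException("PKCS #11 library not found: " + library);
        }

        // SunPKCS11 takes its settings from a small config file; "EvToken" is an assumed name.
        Path config = Files.createTempFile("pkcs11-", ".cfg");
        Files.writeString(config, "name = EvToken\nlibrary = " + library + "\n");
        config.toFile().deleteOnExit();

        // Java 9+: configure the built-in SunPKCS11 provider from that file and register it.
        Provider provider = Security.getProvider("SunPKCS11").configure(config.toString());
        Security.addProvider(provider);

        // Loading the PKCS11 keystore performs the token login (C_Login) with the PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin.toCharArray());

        int signingKeys = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate-only entries cannot sign
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("alias=%s subject=%s notAfter=%s%n",
                    alias, cert.getSubjectX500Principal(), cert.getNotAfter());
            signingKeys++;
        }
        if (signingKeys == 0) {
            throw new IllegalStateException("token exposes no private key entries");
        }
    }
}
```

Run it with `java Pkcs11Check.java` after exporting the two variables. If this fails with a link or "library not found" error, the .dylib is the problem, not install4j; if the login fails, the PIN you would hand to --win-keystore-password is wrong or the token is locked. The alias printed for the private key entry is the one to select in the install4j keystore configuration.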