How to export Sectigo Code Signing Certificate to PFX for Electron Forge's Windows Code Signing?
I am building an Electron Forge app. I believe if I sign my app as my llc I will avoid the "Unknown Developer" popups users get when they run my exe. I'm doing this because the error is a scary UX.
I am trying to get a pfx file out of Sectigo usb to enable signing my app with a github action. I understand a usb wasn't always required.
Here are the steps I expect to follow based on Electron Forge's documentation:
- Buy a Code Signing Certificate from Sectigo and go through their validation steps. I believe i bought the non-EV version.
- Plug in the usb containing a signing certificate
- Grab the password they sent in the email
- Do something to get a pfx file
- Update forge.config.js with:
{
name: '@electron-forge/maker-squirrel',
config: {
certificateFile: './cert.pfx', <- I need this pfx file
certificatePassword: process.env.CERTIFICATE_PASSWORD // <- This is the email password I asusme
}
}
What I tried to get a pfx file
Here are some of the ways I've tried to get the PFX. Sectigo's Knowledge Base is incredibly difficult to navigate and understand. I don't see one example of my pfx use case. Searching pfx only brings up an article that assumes you already have one.
Using SafeNet
- Download and open SafeNet Authentication client, the app Sectigo suggests you use
- Note the hierarchy
Tokens -> My Company LLC -> User Certificates -> My Company LLC - Log into the outer
My Company LLCtoken using the emailed password - Right click the inner
My Company LLCtoken, export - Note that the only filetype option is
.cerwhen a.pfxis what is needed
Using certmgr
- Run
certmgr.msc(note that searching cert manager with windows brings up the same app, but with different certs, I dont know why) - See
My Company LLCin the list, issued bySectigo Public Code Signing CA R36 - Right click it, All Tasks, Export, Next
- Note that the option
Yes, export the private keyis blurred out. - See
Note: The associated private key is marked as not exportable. Only the certificate can be exported.
Signing it by hand
- Run
certmgr.msc - Double click
My Company LLC, Details , scroll down through the fields - Copy the value of the
Thumbprintfield - Add signtool to path
- Run make to get an electron forge exe
- In an administrator bash, run
signtool sign /sha1 THUMBPRINT_OF_CERTIFICATE /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /ksp "SafeNet Key Storage Provider" "path\to\program.exe"
This gives me
SignTool Error: Multiple certificates were found that meet all the given
criteria. Use the /a option to allow SignTool to choose the best
certificate automatically or use the /sha1 option with the hash of the
desired certificate.
The following certificates meet all given criteria:
Issued to: 12a07552-4d30-4fca-846c-a8be84912193
Issued by: 12a07552-4d30-4fca-846c-a8be84912193
Expires: Sat Mar 29 01:32:52 2025
SHA1 hash: HASH_ONE
Issued to: 2f31b0a3-ea27-4cd2-9667-2b0d00c33f1d
Issued by: 2f31b0a3-ea27-4cd2-9667-2b0d00c33f1d
Expires: Tue Mar 25 20:44:51 2025
SHA1 hash: HASH_TWO
Issued to: MY COMPANY LLC
Issued by: Sectigo Public Code Signing CA R36
Expires: Thu May 22 18:59:59 2025
SHA1 hash: MY_CERTIFICATE_THUMBPRINT
Despite running the signing command with /a and /sha1, this error is all i get.
Physical Device Requirement
I sort of understand that Microsoft now requires a physical device to sign apps. Does that mean that it will be impossible to sign my app with CI? Not having to build my apps by hand saves me thousands of human errors.
Some Links I found
What my key looks like
I am trying to get a pfx file out of Sectigo usb to enable signing my app with a github action. I understand a usb wasn't always required.
This is not possible, you can't extract the private key from the USB token to a file based keystore. The new code signing keys delivered since June 1, 2023 must be stored on a hardware storage module.
Instead of creating a pfx file you have to set the signWithParams parameter in the squirrel configuration and specify the signtool parameters to use the USB token.
Something like this:
"makers": [
{
"name": "@electron-forge/maker-squirrel",
"config": {
"signWithParams": " /a /tr http://rfc3161timestamp.globalsign.com/advanced /fd SHA256 /td SHA256 /sha1 [thumbprint]"
}
}
],
- Write to Windows Application Event Log without event source registration
- BCrypt: Import ECDSA public key in compressed form
- Powershell error "value can not in the type System Management Automation LanguagePrimitives+InternalPSCustomObject converted"
- Windows shortcut (.lnk) parser in Java?
- Create a bat file to exit FFMPEG (Windows)
- Show Explorer's properties dialog for a file in Windows
- Running Kafka on Windows 10 fails: The system cannot find the path specified
- Why does module.__file__ return None?
- Python worker failed to connect back
- Switching between different JDK versions in Windows
- How to change JDK location in Android Studio?
- emacs windows compiler files permissions
- Batch file to compile a .cpp file on any PC
- ERROR: Error installing psych: ERROR: Failed to build gem native extension
- Why is INVALID_HANDLE_VALUE defined via double cast?
- JavaScript file not updating no matter what I do
- How to get File Created, Accessed and Modified dates the same as windows properties?
- Cursor disappearing inside text field
- Why is "kill" is not exiting a thread immediately?
- How to install graphviz-2.38 on windows 10
- Help me make my windows cmd.exe console work more like a Linux terminal
- How to generate an import library (LIB-file) from a DLL?
- Where is the C compiler located on disk for Visual C++ 2008 Express?
- cmd.exe /k switch
- Can OpenSSL on Windows use the system certificate store?
- How to install Docker Desktop on a different drive (location) on Windows
- How do I enable php to work with postgresql?
- Compiled c scripts only staying open for a fraction of a second
- Simplest C compiler & editor for Windows?
- Docker endpoint for "default" not found