We had to change the way we sign our media files and executables in install4j. Now we have to store our certificate for code signing on a secure device like an HSM. We are now using DigiCert ONE and their tool smctl.
Our build environment:
So I disabled the code signing for Windows media files and sign them in a separate step afterwards, where I am also using the smctl tool and jsign as the signing tool.
The problem I am currently facing is that the included executables within the media files are not signed anymore, because of the disabled code signing option in install4j. I decided to use the post processor to do this job and configured it in the Windows media file -> Media/windows-32/Executable processing. There I enabled the option "Run command for each executable" and inserted the following command for signing:
/opt/codesigning/smtools-linux-x64/smctl sign --keypair-alias ${compiler:codeSigningKeypairAlias} --config-file ${compiler:codeSigningPkcs11Config} --input $OUTFILE --verbose
SMCTL uses the tool jsign as the default for Windows executables. But for some reason jsign isn't able to sign the files. Jsign always results in "Unsupported file". You can have a look at the log snippet:
signCommand command for file /tmp/install4j5073564965492722622_dir/set1/signed11460690974641472065.exe FAILED
Compiling launcher 'application-update-diagnosis':
using icon file ./icon.ico
Creating GUI mode application.
Running post-processor
Post-processor command is "/opt/codesigning/smtools-linux-x64/smctl" "sign" "--keypair-alias" "OUR_KEYPAIR_ALIAS" "--config-file" "/opt/codesigning/pkcs11properties.cfg" "--input" "/tmp/install4j5073564965492722622_dir/set1/signed4735947293422229253.exe" "--verbose"
Command : jsign -keystore "/opt/codesigning/pkcs11properties.cfg" -storepass NONE -storetype PKCS11 -alg SHA-256 -tsaurl http://timestamp.digicert.com -alias OUR_KEYPAIR_ALIAS "/tmp/install4j5073564965492722622_dir/set1/signed4735947293422229253.exe"
Error :
exit status 1: Picked up JAVA_TOOL_OPTIONS: -Dmaven.ext.class.path="/home/jenkins/workspace/IPL-17095_fix_unsigned_exe_files@tmp/withMavend45d2b78/pipeline-maven-spy.jar" -Dorg.jenkinsci.plugins.pipeline.maven.reportsFolder="/home/jenkins/workspace/IPL-17095_fix_unsigned_exe_files@tmp/withMavend45d2b78"
jsign: Unsupported file: /tmp/install4j5073564965492722622_dir/set1/signed4735947293422229253.exe
Try `jsign --help' for more information.
signCommand command for file /tmp/install4j5073564965492722622_dir/set1/signed4735947293422229253.exe FAILED
Greetings
$OUTFILE is the wrong variable, it is only applicable if your tool has different input and output files. The variable for the input file you would have to use is $EXECUTABLE.
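As an added example (not part of the original post, the answer, or any ej-technologies or DigiCert code), here is a small wrapper script that the "Run command for each executable" option could call as `/opt/codesigning/sign-launcher.sh $EXECUTABLE` instead of invoking smctl directly. The script name, the environment-variable overrides, and the "MZ" header check are assumptions of this example; the smctl path, keypair alias and PKCS#11 config path are copied from the command in the question. The point it demonstrates is the failure mode from the log: when the variable expands to an empty or wrong path, jsign reports "Unsupported file" late and with little context, whereas the wrapper refuses anything that is not an existing PE image before the signing service is ever contacted, so a misconfigured post-processor fails the build with a clear message.

```shell
#!/bin/sh
# sign-launcher.sh (hypothetical name): install4j post-processor wrapper.
# Usage from install4j: /opt/codesigning/sign-launcher.sh $EXECUTABLE
# ($EXECUTABLE is the path install4j substitutes for the launcher being built;
#  $OUTFILE only applies to tools that write a separate output file.)
#
# Assumed defaults are taken from the command in the question; each can be
# overridden through the environment (used by the self-test below).
SMCTL="${SMCTL:-/opt/codesigning/smtools-linux-x64/smctl}"
KEYPAIR_ALIAS="${KEYPAIR_ALIAS:-OUR_KEYPAIR_ALIAS}"
PKCS11_CONFIG="${PKCS11_CONFIG:-/opt/codesigning/pkcs11properties.cfg}"

# is_pe_file FILE: succeed only if FILE exists and starts with the "MZ" DOS
# header that every PE image carries. jsign answers "Unsupported file" for
# anything it cannot classify, so checking here gives a clearer diagnosis.
is_pe_file() {
  [ -f "$1" ] || return 1
  [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# sign_launcher FILE: sign FILE in place with smctl, using exactly the flags
# from the question. Returns 0 on success, 2 when FILE is empty, missing or
# not a PE image (the situation an expanded $OUTFILE produced), and otherwise
# whatever exit status smctl returned.
sign_launcher() {
  file="$1"
  if [ -z "$file" ]; then
    echo "sign_launcher: no input file given; the post-processor command must pass \$EXECUTABLE" >&2
    return 2
  fi
  if ! is_pe_file "$file"; then
    echo "sign_launcher: '$file' is missing or not a PE executable" >&2
    return 2
  fi
  if ! command -v "$SMCTL" >/dev/null 2>&1; then
    echo "sign_launcher: smctl not found at '$SMCTL'" >&2
    return 2
  fi
  "$SMCTL" sign \
    --keypair-alias "$KEYPAIR_ALIAS" \
    --config-file "$PKCS11_CONFIG" \
    --input "$file" \
    --verbose
}

# When install4j invokes the script with the executable path, sign it and
# propagate the exit status so a failed signature fails the build.
if [ $# -gt 0 ]; then
  sign_launcher "$1"
  exit $?
fi
```

Because the wrapper exits non-zero on any problem, install4j reports the post-processor command as failed exactly as it does in the log above, but the stderr line now names the missing or wrong path rather than leaving only jsign's "Unsupported file".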