@getvast/azure-sign-tool-electron-forge-plugin
v0.1.1
Published
This is an Electron Forge plugin designed to automatically sign files with an HSM certificate from Azure Key Vault (with AzureCodeSign), in the build process.
Downloads
159
Readme
azure-sign-tool-electron-forge-plugin
I wanted to sign the Windows app that we’re building (www.recordonce.com) with an EV certificate in a Github Actions build pipeline.
This article provided 99% of the solution. But as Electron Forge does not use AzureCodeSign which is necessary to work with HSM and Azure Key Vault, I adapted another plugin (@burzo/electron-forge-ssl-code-sign-plugin) to hopefully fix that.
The code is inspired by @burzo/electron-forge-ssl-code-sign-plugin, and originally heavily borrowed from that project.
Prerequisites
This plugin works with electron-forge version >=7.
Additionally, you need to install the AzureSignTool.
This plugin only supports building on Windows-based machines. That’s because both Squirrel and AzureSignTool only work on Windows.
Installation
npm i --save-dev azure-sign-tool-electron-forge-plugin
or
yarn add --dev azure-sign-tool-electron-forge-plugin
Configuration
The plugin accepts the configuration variables that are used by this guide on how to sign code with an EV certificate. The variables correspond to AzureCodeSign’s paramaters.
Make sure you make with Squirrel:
forge.config.ts:
import { MakerSquirrel } from "@electron-forge/maker-squirrel";
...,
makers: [
new MakerSquirrel((arch) => ({
Include the plugin in your Forge config as follows:
forge.config.ts:
import { ElectronForgeAzureSignToolPlugin } from "azure-sign-tool-electron-forge-plugin";
const config: ForgeConfig = {
...,
plugins: [
// Make sure you
new ElectronForgeAzureSignToolPlugin({
azureKeyVaultUri: process.env.AZURE_KEY_VAULT_URI || "",
azureClientId: process.env.AZURE_CLIENT_ID || "",
azureTenantId: process.env.AZURE_TENANT_ID || "",
azureClientSecret: process.env.AZURE_CLIENT_SECRET || "",
azureCertificateName: process.env.AZURE_CERTIFICATE_NAME || "",
}),
],
...,
Your Github Actions workflow should look something like this:
# taken from https://github.com/electron/fiddle/blob/main/.github/workflows/build.yaml
name: Build & Release
on:
push:
branches:
- master
tags:
- v*
pull_request:
env:
NPM_REGISTRY: npm.pkg.github.com
jobs:
build:
if: startsWith(github.ref, 'refs/tags/')
name: Build (${{ matrix.os }} - ${{ matrix.arch }})
runs-on: ${{ matrix.os }}
strategy:
matrix:
# Build for supported platforms
# https://github.com/electron/electron-packager/blob/ebcbd439ff3e0f6f92fa880ff28a8670a9bcf2ab/src/targets.js#L9
# 32-bit Linux unsupported as of 2019: https://www.electronjs.org/blog/linux-32bit-support
os: [macos-latest, ubuntu-latest, windows-latest]
arch: [x64]
include:
- os: macos-latest
arch: universal
- os: macos-latest
arch: arm64
- os: windows-latest
arch: ia32
steps:
[…]
- name: Install AzureSignTool on Windows
if: matrix.os == 'windows-latest'
shell: bash
run: dotnet tool install --global AzureSignTool
- name: Make & Publish
if: startsWith(github.ref, 'refs/tags/')
run: yarn electron-forge publish --arch=${{ matrix.arch }}
env:
AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CERTIFICATE_NAME: ${{ secrets.AZURE_CERTIFICATE_NAME }}
Contribution
Feel free to submit a PR :)