
Support for configuring /td sha384 (timestamp digest algorithm) in Windows code signing #8792

Open
chroberino opened this issue Jan 21, 2025 · 2 comments

@chroberino

Hi,

I would like to know if it's possible to configure electron-builder to include the /td sha384 argument when using signtool for Windows code signing. This is to specify the timestamp digest algorithm as SHA384.

Currently, I couldn't find a direct way to configure this in the build.win options. Is there an existing way to achieve this?

Thanks in advance for your help!

@mmaietta
Collaborator

mmaietta commented Jan 22, 2025

So I took a look at the code and it seems you could tap into the signtool flow "easily" with a custom signing script for win.sign (moved to win.signtoolOptions.sign in the alpha version, soon-to-be GA under next tag)

Notes:

  • This was written on the fly/copy-pasting from the codebase, so you might need to mess around with it with some debug logging to get it working for your setup. It's like half pseudocode and half just untested
  • I wrote this in typescript to be more understandable, in case anyone else comes across this post and/or maybe I can implement support for typescript hooks, but for now you'll need to convert it to .js or .mjs depending on your project setup.
  • I copied some code regarding isWin/useVm, so it's possible this sign script would work within a Parallels VM or docker container. YMMV (but please let me know the results if you do try it 😁) as there's some funky code internally around VM usage

custom-windows-sign.ts

import { CustomWindowsSignTaskConfiguration, WinPackager } from "app-builder-lib"
import { log, retry } from "builder-util"
import { WindowsSignToolManager } from "app-builder-lib/out/codeSign/windowsSignToolManager"

// The hook must be async because it awaits the VM and the signtool path below.
export default async (configuration: CustomWindowsSignTaskConfiguration, packager: WinPackager) => {
  // electron-builder code: decide whether signtool runs natively or inside a VM
  const useVmIfNotOnWin = configuration.path.endsWith(".appx") || !("file" in configuration.cscInfo!)
  const isWin = process.platform === "win32" || useVmIfNotOnWin
  const vm = await packager.vm.value

  // your code: take the args electron-builder would pass and swap the /td value for sha384
  const signToolArgs = configuration.computeSignToolArgs(isWin)
  const tdIndex = signToolArgs.indexOf("/td")
  if (tdIndex > -1 && tdIndex + 1 < signToolArgs.length) {
    signToolArgs[tdIndex + 1] = "sha384"
  }

  // signing code: resolve signtool and run it, retrying on the transient errors listed below
  const manager = packager.signingManager as WindowsSignToolManager
  const toolInfo = await manager.getToolPath(isWin)

  await retry(
    () => vm.exec(toolInfo.path, signToolArgs, { timeout: 10000, env: toolInfo.env || process.env }), // adjust `timeout` and `env` as desired
    2, // retry count
    15000, // retry wait
    10000, // backoff delay
    0, // must be 0
    (e: any) => {
      const message = String(e?.message ?? e)
      if (
        message.includes("The file is being used by another process") ||
        message.includes("The specified timestamp server either could not be reached") ||
        message.includes("No certificates were found that met all the given criteria.")
      ) {
        log.warn(`Attempt to code sign failed, another attempt will be made in 15 seconds: ${message}`)
        return true // retry
      }
      return false // give up
    }
  )
}
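
The /td patch in the hook above only fires when electron-builder already emitted a /td. Below is an added TypeScript helper (my example, not mmaietta's code and not part of electron-builder) that rewrites a signtool argument list more defensively: it copies the array, replaces an existing /td value, inserts /td right after the /tr server when none was emitted, and leaves the arguments alone when only a legacy /t server is present. The argument lists and timestamp URLs are constructed samples.

```typescript
// Constructed helper (not electron-builder code): rewrite a signtool argument
// list so the RFC 3161 timestamp digest (/td) is the requested one.
type TimestampDigest = "sha1" | "sha256" | "sha384" | "sha512"

function withTimestampDigest(args: readonly string[], digest: TimestampDigest): string[] {
  const out = [...args] // leave the caller's array untouched
  const tdIndex = out.findIndex(a => a.toLowerCase() === "/td")
  if (tdIndex !== -1) {
    if (tdIndex + 1 >= out.length) {
      throw new Error("/td has no value")
    }
    out[tdIndex + 1] = digest // replace whatever electron-builder emitted
    return out
  }
  // signtool documents /td as a companion of /tr (RFC 3161). With only a
  // legacy /t server there is nothing for it to apply to, so return unchanged.
  const trIndex = out.findIndex(a => a.toLowerCase() === "/tr")
  if (trIndex === -1 || trIndex + 1 >= out.length) {
    return out
  }
  out.splice(trIndex + 2, 0, "/td", digest) // insert right after the "/tr <url>" pair
  return out
}

// Constructed sample argument lists (placeholder URLs, not real timestamp servers)
const withTd = ["sign", "/fd", "sha256", "/tr", "http://tsa.example.invalid", "/td", "sha256", "app.exe"]
const withoutTd = ["sign", "/fd", "sha256", "/tr", "http://tsa.example.invalid", "app.exe"]
const legacyTsa = ["sign", "/fd", "sha256", "/t", "http://tsa.example.invalid", "app.exe"]

console.log(withTimestampDigest(withTd, "sha384").join(" "))
console.log(withTimestampDigest(withoutTd, "sha384").join(" "))
console.log(withTimestampDigest(legacyTsa, "sha384").join(" "))
```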

@MikeJerred
Contributor

I have not tested, but it should be sufficient to specify timestampDigest in the config, e.g.:

win:
  azureSignOptions:
    timestampDigest: SHA384
    endpoint: ...
