Code Signing

Extended Validation (EV) Code Signing Certificate

MacOS

TIPS:

• xattr -l /Applications/Thorium.app + xattr -dr com.apple.quarantine /Applications/Thorium.app

• syspolicy_check distribution release/mac/Thorium.app

• spctl -a -vvv -t open --context context:primary-signature release/Thorium-2.4.0.dmg

• spctl -a -vvv -t install release/Thorium-2.4.0.dmg

• codesign -dv --verbose=4 release/Thorium-2.4.0.dmg

• codesign -dv --verbose=4 release/mac/Thorium.app

• https://developer.apple.com/account/resources/certificates/list

• Shell ENV for Electron Builder (npm run package:mac): CSC_IDENTITY_AUTO_DISCOVERY (false), APPLEIDTEAM (327YA3JNGT), CSC_NAME (European Digital Reading Lab (327YA3JNGT)), APPLEID (developer email), APPLEIDPASS (Apple-generated ad-hoc password, or @keychain:xxx)

• Notarization https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/scripts/notarize.js#L1-L18 and https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L107-L123 and https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L59

CI automation https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/

Windows

• Electron Builder (npm run package:win) will not sign the generated Thorium.exe ( CSC_IDENTITY_AUTO_DISCOVERY is false), signtool.exe must be invoked separately as an additional manual build step https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L53-L54
• https://secure.ssl.com/user_session/new
• Hardware Token (USB-A) contains private key https://www.yubico.com/products/yubikey-fips/
• USB token must be unlocked using PIN https://www.ssl.com/how-to/access-your-yubikey-fips-pin-and-puk/
• Software app to manage certificates etc. (optional): https://www.ssl.com/ssl-manager/
• signtool.exe instructions: https://www.ssl.com/how-to/using-your-code-signing-certificate/
• C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe
• Note that this procedure has been tested on a Windows 10 Pro VirtualBox Virtual Machine. The USB device is initially acquired by the host MacOS, so it is initially “busy” and cannot be used from the VM guest WindowsOS. Solution: add a USB “filter” in VirtualBox (easy via the USB menu).
• "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /a /n "European Digital Reading Lab" "C:\Users\ME\PATH\TO\Thorium.Setup.1.7.3.exe" => Done Adding Additional Store - Successfully signed
• GlobalSign example: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /sha1 "xxx" "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe" OR "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /a /n "US FUND FOR DAISY" "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe"
• VERIFY: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" verify /v /pa "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe"

Linux

• N/A