How to export Sectigo Code Signing Certificate to PFX for Electron Forge's Windows Code Signing? [closed]

I am building an Electron Forge app. I believe if I sign my app as my llc I will avoid the "Unknown Developer" popups users get when they run my exe. I'm doing this because the error is a scary UX.

I am trying to get a pfx file out of Sectigo usb to enable signing my app with a github action. I understand a usb wasn't always required.

Here are the steps I expect to follow based on Electron Forge's documentation:

  • Buy a Code Signing Certificate from Sectigo and go through their validation steps. I believe I bought the non-EV version.
  • Plug in the usb containing a signing certificate
  • Grab the password they sent in the email
  • Do something to get a pfx file
  • Update forge.config.js with:
    {
      name: '@electron-forge/maker-squirrel',
      config: {
        certificateFile: './cert.pfx', // <- I need this pfx file
        certificatePassword: process.env.CERTIFICATE_PASSWORD // <- This is the email password I assume
      }
    }

What I tried to get a pfx file

Here are some of the ways I've tried to get the PFX. Sectigo's Knowledge Base is incredibly difficult to navigate and understand. I don't see one example of my pfx use case. Searching pfx only brings up an article that assumes you already have one.

Using SafeNet

  • Download and open SafeNet Authentication client, the app Sectigo suggests you use
  • Note the hierarchy Tokens -> My Company LLC -> User Certificates -> My Company LLC
  • Log into the outer My Company LLC token using the emailed password
  • Right click the inner My Company LLC token, export
  • Note that the only filetype option is .cer when a .pfx is what is needed

Using certmgr

  • Run certmgr.msc (note that searching "cert manager" in Windows brings up the same app, but with different certs; I don't know why)
  • See My Company LLC in the list, issued by Sectigo Public Code Signing CA R36
  • Right click it, All Tasks, Export, Next
  • Note that the option Yes, export the private key is blurred out.
  • See Note: The associated private key is marked as not exportable. Only the certificate can be exported.

Signing it by hand

  • Run certmgr.msc
  • Double click My Company LLC, Details , scroll down through the fields
  • Copy the value of the Thumbprint field
  • Add signtool to path
  • Run make to get an electron forge exe
  • In an administrator bash, run
signtool sign /sha1 THUMBPRINT_OF_CERTIFICATE /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /ksp "SafeNet Key Storage Provider" "path\to\program.exe"

This gives me

SignTool Error: Multiple certificates were found that meet all the given
        criteria. Use the /a option to allow SignTool to choose the best
        certificate automatically or use the /sha1 option with the hash of the
        desired certificate.
The following certificates meet all given criteria:
    Issued to: 12a07552-4d30-4fca-846c-a8be84912193
    Issued by: 12a07552-4d30-4fca-846c-a8be84912193
    Expires:   Sat Mar 29 01:32:52 2025
    SHA1 hash: HASH_ONE

    Issued to: 2f31b0a3-ea27-4cd2-9667-2b0d00c33f1d
    Issued by: 2f31b0a3-ea27-4cd2-9667-2b0d00c33f1d
    Expires:   Tue Mar 25 20:44:51 2025
    SHA1 hash: HASH_TWO

    Issued to: MY COMPANY LLC
    Issued by: Sectigo Public Code Signing CA R36
    Expires:   Thu May 22 18:59:59 2025
    SHA1 hash: MY_CERTIFICATE_THUMBPRINT

Despite running the signing command with /a and /sha1, this error is all I get.

Physical Device Requirement

I sort of understand that Microsoft now requires a physical device to sign apps. Does that mean that it will be impossible to sign my app with CI? Not having to build my apps by hand saves me thousands of human errors.

Some Links I found

  • Sectigo How Tos Youtube Playlist

  • Impenetrable Microsoft Explanation of Digital Signatures

What my key looks like

(screenshots: My Token, My Certificate)

Oliver Barnum asked Dec 31 '25 06:12


1 Answer

I am trying to get a pfx file out of Sectigo usb to enable signing my app with a github action. I understand a usb wasn't always required.

This is not possible: you can't extract the private key from the USB token to a file-based keystore. The new code signing keys delivered since June 1, 2023 must be stored on a hardware storage module.

Instead of creating a pfx file you have to set the signWithParams parameter in the squirrel configuration and specify the signtool parameters to use the USB token.

Something like this:

"makers": [
  {
    "name": "@electron-forge/maker-squirrel",
    "config": {
      "signWithParams": " /a /tr http://rfc3161timestamp.globalsign.com/advanced /fd SHA256 /td SHA256 /sha1 [thumbprint]"
    }
  }
],
Emmanuel Bourg answered Jan 05 '26 06:01



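An added example (not code from the question, the answer, or Electron Forge itself) that works through the answer's approach: it parses the "Multiple certificates were found" listing that signtool printed in the question, keeps only the entry issued by the Sectigo CA (the two self-signed entries, where "Issued to" equals "Issued by", are the usual local test certificates), and assembles a `signWithParams` string that pins that thumbprint with `/sha1` and routes signing through the SafeNet provider named in the question's own command. The sample listing and its SHA1 hashes are constructed placeholders; `parseCertificateList`, `pickCaIssued` and `buildSignWithParams` are hypothetical helper names.

```javascript
// Constructed sample of signtool's listing (shape taken from the question; hashes are placeholders).
const SAMPLE_SIGNTOOL_OUTPUT = `
The following certificates meet all given criteria:
    Issued to: 12a07552-4d30-4fca-846c-a8be84912193
    Issued by: 12a07552-4d30-4fca-846c-a8be84912193
    Expires:   Sat Mar 29 01:32:52 2025
    SHA1 hash: 0123456789ABCDEF0123456789ABCDEF01234567

    Issued to: MY COMPANY LLC
    Issued by: Sectigo Public Code Signing CA R36
    Expires:   Thu May 22 18:59:59 2025
    SHA1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
`;

// Turn each "Issued to / Issued by / Expires / SHA1 hash" group into an object.
function parseCertificateList(text) {
  const certs = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(Issued to|Issued by|Expires|SHA1 hash):\s*(.+?)\s*$/);
    if (!m) continue;
    if (m[1] === 'Issued to') { current = {}; certs.push(current); }
    if (current) current[m[1]] = m[2];
  }
  return certs;
}

// Keep only certificates chained to the expected CA; a self-signed entry
// (issuer equals subject) is not the token-backed Sectigo certificate.
function pickCaIssued(certs, issuer) {
  return certs.filter(c => c['Issued by'] === issuer && c['Issued to'] !== c['Issued by']);
}

// Build the maker-squirrel signWithParams value. /sha1 pins exactly one
// certificate, which is what removes the "Multiple certificates" error;
// /ksp names the SafeNet provider that fronts the USB token. The leading
// space mirrors the answer's example.
function buildSignWithParams(thumbprint, timestampUrl = 'http://timestamp.sectigo.com') {
  if (!/^[0-9a-fA-F]{40}$/.test(thumbprint)) {
    throw new Error('thumbprint must be the 40-hex-character SHA1 hash of the certificate');
  }
  return ` /sha1 ${thumbprint} /tr ${timestampUrl} /td sha256 /fd sha256 /ksp "SafeNet Key Storage Provider"`;
}

// Usage: paste signtool's listing in place of the sample, then put the result
// in forge.config.js under makers[].config.signWithParams.
const chosen = pickCaIssued(parseCertificateList(SAMPLE_SIGNTOOL_OUTPUT), 'Sectigo Public Code Signing CA R36');
const SIGN_WITH_PARAMS = chosen.length === 1 ? buildSignWithParams(chosen[0]['SHA1 hash']) : null;
```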