 

install4j: Automating Windows Extended Validation Code Signing and Apple Notarization on the same machine?


Update: starting with install4j 11, macOS notarization is cross-platform


We are considering switching to an extended validation (EV) code signing certificate.

In order to fully automate the notarization with Apple, we had to switch our build machine to a Mac mini.

Reading up on the EV code signing process, and how to automate it, two questions arose:

Can the password entry for the hardware token (HSM) be automated?

The comment from Ingo Kegel on this SO question seems to indicate that you can pass the HSM password via --win-keystore-password=<password> command line option.

Is that correct?

Can a multi-platform build still happen on a single machine (the Mac mini)?

The install4j help mentions 'different platforms':

On Windows, such a hardware token can usually be accessed through the Windows keystore. On a different platform, you have to choose the "Hardware security module PKCS #11 library" option and configure a native library that provides access to the keystore in the HSM through the PKCS #11 API.

Are there PKCS #11 libraries for macOS? The library selection dialog asks for a DLL...

Reto Höhener asked Sep 15 '25 08:09


1 Answer

I can confirm that we managed to get this running (both Windows EV Code Signing and Apple Notarization automated on a Mac mini):

  • Bought Sectigo EV Code Signing Certificate
  • Attached the delivered SafeNet eToken 5110 (USB Dongle) to the Mac mini
  • Installed SafeNet Authentication Client (both on Mac mini and Windows for testing)
  • Exported the certificate from the token to look at the certificate chain
  • Exported the chain certificates from the Windows keystore (certmgr.msc)
  • Imported the chain certificates onto the token (apparently some issuers will do this for you and deliver a token that not only contains the signing certificate but also its chain)
  • If the certificates cannot be added to the token, they can be provided to install4j in a directory via the compiler variable sys.ext.certDir
  • Configured install4j code signing to use the PKCS11 library provided with the SafeNet Authentication Client: /usr/local/lib/libeTPkcs11.dylib
  • For testing on Windows: C:/Windows/System32/eTPKCS11.dll
  • Finally: No SmartScreen Message anymore

[image: cert-import]

[image: install4j-config]

Reto Höhener answered Sep 18 '25 08:09
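Putting the answer's setup together as a build-machine script, as an added example that is not part of the original question or answer and is not install4j's own tooling: it picks the SafeNet PKCS#11 library path for the platform it runs on (the two paths from the answer), checks the library, the optional chain-certificate directory and the token PIN before the token is touched, passes the PIN through `--win-keystore-password` as the question describes, and masks the PIN in the logged command line. It assumes the PIN is supplied in an `EV_TOKEN_PIN` environment variable (a name chosen here) and that `install4jc` takes `-D name=value` for compiler variables such as `sys.ext.certDir`.

```shell
#!/bin/sh
# Added example, not from the original post: a CI wrapper around install4jc
# for Windows EV signing from a PKCS#11 token on a macOS or Windows build
# machine. Assumes the SafeNet library paths from the answer above, that the
# token PIN arrives in the EV_TOKEN_PIN environment variable (a name chosen
# for this example), and that install4jc accepts -D name=value.
set -eu

# PKCS#11 library for the platform; $1 is the output of `uname -s`.
pkcs11_library() {
  case "$1" in
    Darwin)               echo "/usr/local/lib/libeTPkcs11.dylib" ;;
    MINGW*|MSYS*|CYGWIN*) echo "C:/Windows/System32/eTPKCS11.dll" ;;
    *) echo "unsupported platform for token signing: $1" >&2; return 1 ;;
  esac
}

# Fail early, before the token is touched: a misconfigured pipeline that
# retries with a wrong or empty PIN can lock the token.
# $1 = PKCS#11 library, $2 = chain certificate directory (may be empty when
# the token carries the chain itself), $3 = token PIN.
check_signing_prereqs() {
  lib="$1"; cert_dir="$2"; pin="$3"
  [ -f "$lib" ] || { echo "PKCS#11 library not found: $lib" >&2; return 1; }
  if [ -n "$cert_dir" ]; then
    [ -d "$cert_dir" ] || { echo "cert dir not found: $cert_dir" >&2; return 1; }
    found=0
    for f in "$cert_dir"/*.crt "$cert_dir"/*.cer "$cert_dir"/*.pem; do
      if [ -f "$f" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "no chain certificates in $cert_dir" >&2; return 1; }
  fi
  [ -n "$pin" ] || { echo "EV_TOKEN_PIN is empty" >&2; return 1; }
}

# Join arguments into one line for logging, with the PIN masked so that
# CI logs never carry it.
masked_cmdline() {
  out=""
  for a in "$@"; do
    case "$a" in
      --win-keystore-password=*) a="--win-keystore-password=********" ;;
    esac
    out="${out:+$out }$a"
  done
  printf '%s\n' "$out"
}

# $1 = install4j project file, $2 = optional chain certificate directory.
main() {
  project="$1"; cert_dir="${2:-}"; pin="${EV_TOKEN_PIN:-}"
  lib="$(pkcs11_library "$(uname -s)")"
  check_signing_prereqs "$lib" "$cert_dir" "$pin"
  # Assemble the argument list. The PIN goes through --win-keystore-password,
  # as the question notes; sys.ext.certDir is set only when a chain
  # directory is given.
  set -- "$project"
  if [ -n "$cert_dir" ]; then set -- -D "sys.ext.certDir=$cert_dir" "$@"; fi
  set -- "--win-keystore-password=$pin" "$@"
  echo "running: $(masked_cmdline install4jc "$@")"
  set +x   # a tracing shell must not echo the real PIN
  install4jc "$@"
}

# Run only when invoked with a project file, e.g.
#   EV_TOKEN_PIN=... ./sign-build.sh app.install4j /path/to/chain-certs
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Passing the PIN on the command line means any local user on the build machine can read it from the process list while `install4jc` runs, so the Mac mini should be a dedicated, access-restricted signing host and the PIN should come from the CI secret store rather than a file in the repository; the masking above only keeps it out of build logs.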