azure-sign-tool-electron-forge-plugin

I wanted to sign the Windows app that we’re building (www.recordonce.com) with an EV certificate in a Github Actions build pipeline.

This article provided 99% of the solution. But as Electron Forge does not use AzureCodeSign which is necessary to work with HSM and Azure Key Vault, I adapted another plugin (@burzo/electron-forge-ssl-code-sign-plugin) to hopefully fix that.

The code is inspired by @burzo/electron-forge-ssl-code-sign-plugin, and originally heavily borrowed from that project.

Prerequisites

This plugin works with electron-forge version >=7.

Additionally, you need to install the AzureSignTool.

This plugin only supports building on Windows-based machines. That’s because both Squirrel and AzureSignTool only work on Windows.

Installation

npm i --save-dev azure-sign-tool-electron-forge-plugin

or

yarn add --dev azure-sign-tool-electron-forge-plugin

Configuration

The plugin accepts the configuration variables that are used by this guide on how to sign code with an EV certificate. The variables correspond to AzureCodeSign’s paramaters.

Make sure you make with Squirrel:

forge.config.ts:

import { MakerSquirrel } from "@electron-forge/maker-squirrel";

  ...,
  makers: [
    new MakerSquirrel((arch) => ({

Include the plugin in your Forge config as follows:

forge.config.ts:

import { ElectronForgeAzureSignToolPlugin } from "azure-sign-tool-electron-forge-plugin";

const config: ForgeConfig = {
  ...,
  plugins: [
    // Make sure you
    new ElectronForgeAzureSignToolPlugin({
      azureKeyVaultUri: process.env.AZURE_KEY_VAULT_URI || "",
      azureClientId: process.env.AZURE_CLIENT_ID || "",
      azureTenantId: process.env.AZURE_TENANT_ID || "",
      azureClientSecret: process.env.AZURE_CLIENT_SECRET || "",
      azureCertificateName: process.env.AZURE_CERTIFICATE_NAME || "",
    }),
  ],
  ...,

Your Github Actions workflow should look something like this:

# taken from https://github.com/electron/fiddle/blob/main/.github/workflows/build.yaml
name: Build & Release

on:
  push:
    branches:
      - master
    tags:
      - v*
  pull_request:

env:
  NPM_REGISTRY: npm.pkg.github.com

jobs:
  build:
    if: startsWith(github.ref, 'refs/tags/')
    name: Build (${{ matrix.os }} - ${{ matrix.arch }})
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        # Build for supported platforms
        # https://github.com/electron/electron-packager/blob/ebcbd439ff3e0f6f92fa880ff28a8670a9bcf2ab/src/targets.js#L9
        # 32-bit Linux unsupported as of 2019: https://www.electronjs.org/blog/linux-32bit-support
        os: [macos-latest, ubuntu-latest, windows-latest]
        arch: [x64]
        include:
          - os: macos-latest
            arch: universal
          - os: macos-latest
            arch: arm64
          - os: windows-latest
            arch: ia32

    steps:
      […]

      - name: Install AzureSignTool on Windows
        if: matrix.os == 'windows-latest'
        shell: bash
        run: dotnet tool install --global AzureSignTool

      - name: Make & Publish
        if: startsWith(github.ref, 'refs/tags/')
        run: yarn electron-forge publish --arch=${{ matrix.arch }}
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERTIFICATE_NAME: ${{ secrets.AZURE_CERTIFICATE_NAME }}

Contribution

Feel free to submit a PR :)