netless-io/sign-server

SIGN SERVER

SignTool.exe as a server.
This tool is intended to be run locally (on an intranet); use with caution.

1. Prepare the Windows Machine

1. Install the hardware token driver (I use SafeNet).
   Note: Remember to turn on "enable single logon" in the driver client settings.
2. Install the certificate correctly (I use DigiCertHardwareCertificateInstaller).
   Note: Remember to also install the certificate onto your PC.
3. Check that everything is set up correctly by running the script below in PowerShell:

   gci -Recurse Cert: -CodeSigningCert

   If you see the name of the certificate installed in steps 1 and 2, then you're done.
   Otherwise, make sure the hardware token is connected and try again.

4. Install Node.js >= 18;
5. Install SignTool.exe from Windows SDK Installer.

Note: You cannot complete some steps above through a Windows Remote Desktop client.

2. Run Me!

git clone https://github.com/netless-io/sign-server
cd sign-server
npm start
------
serving http://{local-ip}:3000

Note the {local-ip} printed above; you will use it in sign.js.
See the next section.

If you see errors when running 'npm start', see the errors table below.

| Errors | Solution |
| --- | --- |
| Not found SignTool.exe | Go edit package.json/config.signtool. |
| Not found certificate | Make sure you have successfully completed the first section and your hardware token is currently connected. |
| Found multiple certificates | Go edit package.json/config.subject. |

Bonus: Web UI

You can access the built-in web UI at the address (http://{local-ip}:3000) printed above. It includes a simple example of uploading a file and signing it. You can test code signing there before moving on to the next section.

3. Compose a sign.js for Electron Builder

See the doc about using custom signing.

See the example sign.js, and remember to replace {local-ip} with the real IP address.

Note: You need at least Node.js 18 to run Electron Builder, because this script uses the native fetch() API to upload files to the server. If you don't have it, you can import {fetch, FormData} from "undici".

SignTool.exe Cheat Sheet

signtool sign
  /debug /td sha256 /tr http://timestamp.digicert.com /as
  /fd {hash} /sha1 {thumbprint} /s {store} /sm
  {file.exe}
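
One way to turn the cheat sheet above into a call from Node.js without going through a shell, validating each value before it reaches SignTool. This is an added example, not code from this repository; the option names (hash, thumbprint, store, file, workDir), the upload-directory check and the sample values are assumptions.

```javascript
// Added example (not from netless-io/sign-server). Option names and the
// workDir restriction are assumptions; the switches come from the cheat sheet.
const TIMESTAMP_URL = "http://timestamp.digicert.com";
const HASHES = new Set(["sha1", "sha256", "sha384", "sha512"]);

function buildSignArgs({ hash, thumbprint, store, file, workDir }) {
  const fd = String(hash).toLowerCase();
  if (!HASHES.has(fd)) throw new Error("unsupported /fd digest");

  // Thumbprints copied from the certificate dialog often contain spaces.
  const tp = String(thumbprint).replace(/\s+/g, "").toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(tp)) throw new Error("thumbprint must be 40 hex characters");

  if (!/^[A-Za-z0-9]{1,64}$/.test(String(store))) throw new Error("invalid store name");

  // A value starting with "/" could be read as a switch, so the file must be
  // a drive-absolute path inside the upload directory, with no ".." segment.
  const f = String(file);
  const root = String(workDir).replace(/\\+$/, "") + "\\";
  const ok = /^[A-Za-z]:\\/.test(f) && !/["<>|*?\r\n\0]/.test(f) &&
    !f.split("\\").includes("..") &&
    f.toLowerCase().startsWith(root.toLowerCase());
  if (!ok) throw new Error("file must be an absolute path under workDir");

  return ["sign", "/debug", "/td", "sha256", "/tr", TIMESTAMP_URL, "/as",
    "/fd", fd, "/sha1", tp, "/s", String(store), "/sm", f];
}

// Runs SignTool with an argv array: no shell is involved, so no value is
// re-parsed as part of a command line.
async function signFile(signtoolPath, options) {
  const { execFile } = await import("node:child_process");
  const { promisify } = await import("node:util");
  const run = promisify(execFile);
  const { stdout } = await run(signtoolPath, buildSignArgs(options), { windowsHide: true });
  return stdout;
}
```
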

References

License

The MIT license.
