diff --git a/src/server_manager/electron_app/windows/sign_windows_executable.mjs b/src/server_manager/electron_app/windows/sign_windows_executable.mjs
index a3d04cb6d..fc34724fd 100644
--- a/src/server_manager/electron_app/windows/sign_windows_executable.mjs
+++ b/src/server_manager/electron_app/windows/sign_windows_executable.mjs
@@ -98,6 +98,20 @@ function appendDigicertUsbJsignArgs(args, options) {
   args.push('--keystore', eTokenCfg);
 }
 
+function appendGcpHsmJsignArgs(args, options) {
+  // Google Cloud Key Management HSM based certificate
+  args.push('--storetype', 'GOOGLECLOUD');
+
+  const keyRing = getOptionValue(options, 'gcp-keyring', 'WINDOWS_SIGNING_GCP_KEYRING', true);
+  args.push('--keystore', keyRing);
+
+  const keyName = getOptionValue(options, 'gcp-private-key', 'WINDOWS_SIGNING_GCP_PRIVATE_KEY', true);
+  args.push('--alias', keyName);
+
+  const certFile = getOptionValue(options, 'gcp-public-cert', 'WINDOWS_SIGNING_GCP_PUBLIC_CERT', true);
+  args.push('--certfile', certFile);
+}
+
 /**
  * Run jsign.jar according to the corresponding options targeting fileToSign.
  * @param {string} fileToSign The path string of a file to be signed.
@@ -112,7 +126,7 @@ function jsign(fileToSign, options) {
     throw new Error('fileToSign is required by jsign');
   }
 
-  const jSignJarPath = resolve(outlineDirname(), 'third_party', 'jsign', 'jsign-4.0.jar');
+  const jSignJarPath = resolve(outlineDirname(), 'third_party', 'jsign', 'jsign-4.2.jar');
   const jsignProc = spawn('java', ['-jar', jSignJarPath, ...options, fileToSign], {
     stdio: 'inherit',
   });
@@ -161,6 +175,9 @@ export async function signWindowsExecutable(exeFile, algorithm, options) {
     case 'digicert-usb':
       appendDigicertUsbJsignArgs(jsignArgs, options);
       break;
+    case 'gcp-hsm':
+      appendGcpHsmJsignArgs(jsignArgs, options);
+      break;
     default:
       throw new Error(`cert type ${type} is not supported`);
   }
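Review bot: appendGcpHsmJsignArgs is added with only a one-line comment, yet it is the helper that decides what a Cloud KMS signing run hands to jsign, so a JSDoc header would save the next maintainer a trip to the jsign docs: one stating that `--keystore` receives the full key ring resource name, `--alias` the key name inside that ring, and `--certfile` the public certificate chain (supplied separately because Cloud KMS holds only keys, never certificates), with `@param {string[]} args` and `@param {object} options` entries. The fourth argument `true` passed to getOptionValue presumably marks each option as required; if so, that is worth stating in the header, since a missing WINDOWS_SIGNING_GCP_* value is the most likely way this path fails. Separately, jsign's GOOGLECLOUD store type authenticates with the value it receives as `--storepass` (a Cloud access token), and this hunk does not add that argument; it should be confirmed that the shared --password handling in signWindowsExecutable, whose body lies outside this hunk, maps onto it, otherwise every gcp-hsm run will fail at the KMS call rather than at option parsing.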
@@ -190,18 +207,25 @@ async function main() {
 // node sign_windows_executable.mjs
 //   --target
 //   --algorithm
-//   --certtype
-//   --password
+//   --certtype
+//   --password
 // The following options are for --certtype == pfx
 //   --pfx
 // The following options are for --certtype == digicert-usb
 //   [--subject ]
+// The following options are for --certtype == gcp-hsm
+//   --gcp-keyring
+//   --gcp-private-key
+//   --gcp-public-cert
 //
 // You can also use environment variables to specify some arguments:
 //   WINDOWS_SIGNING_CERT_TYPE <=> --certtype
 //   WINDOWS_SIGNING_CERT_PASSWORD <=> --password
 //   WINDOWS_SIGNING_PFX_CERT <=> --pfx
 //   WINDOWS_SIGNING_EV_CERT_SUBJECT <=> --subject
+//   WINDOWS_SIGNING_GCP_KEYRING <=> --gcp-keyring
+//   WINDOWS_SIGNING_GCP_PRIVATE_KEY <=> --gcp-private-key
+//   WINDOWS_SIGNING_GCP_PUBLIC_CERT <=> --gcp-public-cert
 if (import.meta.url === pathToFileURL(process.argv[1]).href) {
   try {
     await main();
diff --git a/third_party/jsign/METADATA b/third_party/jsign/METADATA
index 8208b0009..7224c5035 100644
--- a/third_party/jsign/METADATA
+++ b/third_party/jsign/METADATA
@@ -12,6 +12,6 @@ third_party {
     type: GIT
     value: "https://github.com/ebourg/jsign"
   }
-  version: "4.0"
-  last_upgrade_date { year: 2022 month: 5 day: 27 }
+  version: "4.2"
+  last_upgrade_date { year: 2022 month: 9 day: 28 }
 }
diff --git a/third_party/jsign/jsign-4.0.jar b/third_party/jsign/jsign-4.0.jar
deleted file mode 100644
index f31f7107e..000000000
Binary files a/third_party/jsign/jsign-4.0.jar and /dev/null differ
diff --git a/third_party/jsign/jsign-4.2.jar b/third_party/jsign/jsign-4.2.jar
new file mode 100644
index 000000000..346f75498
Binary files /dev/null and b/third_party/jsign/jsign-4.2.jar differ