mirror/cypress
1
0
Fork 0
mirror of https://github.com/cypress-io/cypress.git synced 2026-01-24 16:09:32 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
ab2004bbde1c6fb61ecb78097e7341dee3bd2f4f
cypress/guides/code-signing.md
Zach Bloomquist 0500997bad docs(guides): add more detail to code-signing (#25794) 
Co-authored-by: Emily Rohrbough <emilyrohrbough@users.noreply.github.com>
2023-02-14 20:44:07 +00:00

3.0 KiB
Raw Blame History

Code Signing

Code signing is done for the Windows and Mac distributions of Cypress when they are built in CI.

electron-builder handles code signing during the create-build-artifacts jobs. This guide assumes that the reader is already familiar with electron-builder's Code Signing documentation.

Rotating the Mac code signing key

  1. On a Mac, log in to Xcode using Cypress's Apple developer program identity.
  2. Follow Apple's Create, export, and delete signing certificates instructions:
    1. Follow "View signing certificates".
    2. Follow "Create a signing certificate", and choose the type of "Developer ID Application" when prompted.
    3. Follow "Export a signing certificate". Set a strong passphrase when prompted, which will later become CSC_KEY_PASSWORD.
  3. Upload the exported, encrypted .p12 file to the Code Signing folder in Google Drive and obtain a public direct download link.
  4. Within the test-runner:sign-mac-binary CircleCI context, set CSC_LINK to that direct download URL and set CSC_KEY_PASSWORD to the passphrase used to encrypt the p12 file.

Rotating the Windows code signing key

  1. Generate a certificate signing request (CSR) file using openssl. For example: 
    # generate a new private key
openssl genrsa -out win-code-signing.key 4096
# create a CSR using the private key
openssl req -new -key win-code-signing.key -out win-code-signing.csr
  2. Obtain a certificate by submitting the CSR to SSL.com using the Cypress SSL.com account.
    • If renewing, follow the renewal instructions.
    • If rotating, contact SSL.com's support to request certificate re-issuance.
  3. Obtain the full certificate chain from SSL.com's dashboard in ASCII-armored PEM format and save it as win-code-signing.crt. (-----BEGIN PRIVATE KEY-----, -----BEGIN CERTIFICATE-----)
  4. Using openssl, convert the plaintext PEM public and private key to binary PKCS#12/PFX format and encrypt it with a strong passphrase, which will later become CSC_KEY_PASSWORD. 
    ➜ openssl pkcs12 -export -inkey win-code-signing.key -in win-code-signing.crt -out encrypted-win-code-signing.pfx
Enter Export Password: <password>
Verifying - Enter Export Password: <password>
  5. Upload the encrypted-win-code-signing.pfx file to the Code Signing folder in Google Drive and obtain a public direct download link.
  6. Within the test-runner:sign-windows-binary CircleCI context, set CSC_LINK to that direct download URL and set CSC_KEY_PASSWORD to the passphrase used to encrypt the pfx file.
Reference in New Issue View Git Blame Copy Permalink