Cannot extract publisher name from code signing certificate, please file issue. (Windows) #2875

Closed
iffy opened this issue May 7, 2018 · 11 comments

Comments

Contributor

iffy commented May 7, 2018

  • electron-builder Version: 20.8.1
  • electron-updater Version: 2.21.4
  • Target: Windows

I'm building on a Windows 10 VM with a code signing certificate. Here's what I've tried:

  1. I first tried to build with just environment variables set:
set CSC_LINK=Y:\csc_link.p12
set /P CSC_KEY_PASSWORD=< Y:\csc_key_password.txt

and got this error (which is why I'm filing this issue):

Error: Cannot extract publisher name from code signing certificate, please file issue. As workaround, set win.publisherName: Error: Exit code: ENOENT. spawn openssl ENOENT
  2. So next I tried with win.publisherName set:

Here's the relevant portion of package.json:

"build": {
    "win": {
      "publisherName": "MY COMPANY NAME"
    },
  },

This produced the following error:

Error: Exit code: 1. Command failed: Y:\cache\electron-cache\winCodeSign\winCodeSign-2.0.0\windows-10\ia32\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f Y:\csc_link.p12 /d Buckets /du https://www.budgetwithbuckets.com /p REDACTED (sha256 hash) C:\proj\app\dist\win-unpacked\Buckets.exe
SignTool Error: No certificates were found that met all the given criteria.

SignTool Error: No certificates were found that met all the given criteria.
Contributor Author

iffy commented May 7, 2018

I ran the command electron-builder ran and got a password error:

[Screenshot: screen shot 2018-05-07 at 11 55 07 am]

But then I ran the command with my actual password (rather than the sha256 hash) and it successfully signed:

y:\cache\electron-cache\winCodeSign\winCodeSign-2.0.0\windows-10\ia32\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f Y:\csc_link.p12 /d Buckets /du https://www.budgetwithbuckets.com /p MYREALPASSWORD /debug c:\proj\app\dist\win-unpacked\Buckets.exe

Contributor Author

iffy commented May 7, 2018

Let me know what else you need to debug this. I'm confused why running the same command electron-builder is running works for me but fails for electron-builder.

Contributor Author

iffy commented May 7, 2018

@develar is there a way to have electron-builder run signtool.exe with the /debug flag so I can see the debug output?

Contributor Author

iffy commented May 7, 2018

I monkey-patched electron-builder to add the /debug flag and this is the output I'm getting:

Error: Exit code: 1. Command failed: Y:\cache\electron-cache\winCodeSign\winCodeSign-2.0.0\windows-10\ia32\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f Y:\csc_link.p12 /d Buckets /du https://www.budgetwithbuckets.com /p REDACTED (sha256 hash) /debug C:\proj\app\dist\.__uninstaller-nsis-Buckets.exe
SignTool Error: No certificates were found that met all the given criteria.


The following certificates were considered:
    Issued to: MY COMPANY NAME
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    Expires:   Wed May 15 05:00:00 2019
    SHA1 hash: 784DC815E26C810781B9CDBB3DAB466381BE5F59

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.

SignTool Error: No certificates were found that met all the given criteria.

Also, I should note that I'm running this through many layers of things. So perhaps this isn't an electron-builder issue. Here's the layers:

  • on macOS I run a bash script
  • which runs vboxmanage guestcontrol run
  • which runs cmd.exe /c on the guest
  • which runs a .bat file
  • which runs another .bat file
  • which runs cmd /c node_modules\.bin\build

I'll keep debugging the issue, but at the very least, could the /debug flag be on by default when running signtool.exe?
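Added example (not part of the original comments and not electron-builder code): a small Node.js parser for the signtool /debug filter summary quoted above, reporting which filter left zero certificates. The function names and the SAMPLE constant are illustrative, and the line patterns are assumed from the output quoted in this thread.

```javascript
// SAMPLE reproduces the relevant lines of the debug output quoted in this thread.
const SAMPLE = [
  "The following certificates were considered:",
  "    Issued to: MY COMPANY NAME",
  "    Issued by: DigiCert SHA2 Assured ID Code Signing CA",
  "    Expires:   Wed May 15 05:00:00 2019",
  "",
  "After EKU filter, 1 certs were left.",
  "After expiry filter, 1 certs were left.",
  "After Private Key filter, 0 certs were left.",
  "",
  "SignTool Error: No certificates were found that met all the given criteria.",
].join("\r\n");

function parseSigntoolDebug(text) {
  const considered = []; // subjects from "Issued to:" lines
  const filters = [];    // one entry per "After <name> filter, N certs were left."
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const cert = /^Issued to:\s*(.+)$/.exec(line);
    const filter = /^After (.+?) filter, (\d+) certs? (?:were|was) left\.$/.exec(line);
    if (cert) considered.push(cert[1]);
    if (filter) filters.push({ name: filter[1], remaining: Number(filter[2]) });
  }
  // Walk the filters in order and record how many certificates each one
  // removed; the first filter that leaves zero is the criterion that failed.
  let previous = considered.length;
  let eliminatedBy = null;
  for (const f of filters) {
    f.dropped = previous - f.remaining;
    if (eliminatedBy === null && f.remaining === 0) eliminatedBy = f.name;
    previous = f.remaining;
  }
  return { considered, filters, eliminatedBy };
}

function explain(result) {
  if (!result.eliminatedBy) return "no filter eliminated every certificate";
  return `${result.considered.length} certificate(s) considered; ` +
    `none left after the ${result.eliminatedBy} filter`;
}

console.log(explain(parseSigntoolDebug(SAMPLE)));
```

A result of "Private Key" means the certificate itself passed the EKU and expiry checks, so the thing to investigate is access to the private key in the session that runs signtool, not the certificate's validity.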

Member

develar commented May 9, 2018

  1. we should not try to use openssl on windows
  2. if powershell returns error — we should throw it instead of warn.

Member

develar commented May 9, 2018

@iffy you need to debug not signtool, but powershell command.

Member

develar commented May 9, 2018

> my actual password (rather than the sha256 hash)

for security reasons we never print your actual password to console/logs.
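Added example (not part of the original comments and not electron-builder's own code): a Node.js sketch of the log redaction described above, where the command line written to the log carries a SHA-256 digest in place of the password while the real arguments go to the child process. The function names, the "(sha256 hash)" marker format, the paths and the password are assumptions modelled on the log lines quoted in this thread.

```javascript
const crypto = require("node:crypto");

// Flags whose following argument is a secret. "/p" is the signtool password
// flag seen in the logged commands; extend the set for other tools.
const SECRET_FLAGS = new Set(["/p"]);

const sha256Hex = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Returns a copy of args that is safe to log. The original array is untouched
// and is the one that must be passed to the child process.
function redactArgs(args, secretFlags = SECRET_FLAGS) {
  const safe = [];
  let secretNext = false;
  for (const arg of args) {
    safe.push(secretNext ? `${sha256Hex(arg)} (sha256 hash)` : arg);
    secretNext = !secretNext && secretFlags.has(arg.toLowerCase());
  }
  return safe;
}

// True when a password value looks like a digest copied back out of a log
// line, which is why re-running a logged command verbatim gives a password
// error instead of reproducing the original failure.
function looksLikeLoggedDigest(value) {
  return /^[0-9a-f]{64}$/i.test(value.trim());
}

// Constructed sample: hypothetical paths and password.
const args = ["sign", "/f", "C:\\certs\\example.p12", "/p", "correct horse", "C:\\out\\App.exe"];
const logged = redactArgs(args).join(" ");
console.log(logged);
```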

Member

develar commented May 9, 2018

20.13.3 published, please try.

@andymorris

I also received the Cannot extract publisher name error and found this issue while searching for a solution, and wanted to document my finding in case someone else followed the same path. My error also included:

Get-PfxData : An error occurred during encode or decode operation. 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE)

In my case, the root of the problem was this Firefox issue with exporting certificates. I exported my certificate from Firefox, and I can't install the certificate through the Windows GUI either, which says the password is incorrect. So the problem was not with electron-builder, but instead a bad certificate exported from Firefox. I was able to fix the bad certificate using the Digicert Certificate Utility as discussed in that Bugzilla link.

Contributor Author

iffy commented May 9, 2018

@andymorris my latest try sort of resembles what you describe, but not quite the same. Also, I'm doing all of this on the command line with environment variables.

@develar Here's the output with v20.13.3:

  • cannot get publisher name using powershell error=
 Exit code: 1. Command failed: powershell.exe -NoProfile -NonInteractive -Command (Get-PfxData "Y:\csc_link.p12" -Password (ConvertTo-SecureString -String REDACTED -Force -AsPlainText)).EndEntityCertificates.Subject
 Get-PfxData : Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)
 At line:1 char:2
 + (Get-PfxData "Y:\csc_link.p12" -Password (ConvertTo-SecureString -Str ...
 +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : NotSpecified: (:) [Get-PfxData], Exception
     + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.C 
    ommands.GetPfxDataCommand
  
 
 Get-PfxData : Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)
 At line:1 char:2
 + (Get-PfxData "Y:\csc_link.p12" -Password (ConvertTo-SecureString -Str ...
 +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : NotSpecified: (:) [Get-PfxData], Exception
     + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.C 
    ommands.GetPfxDataCommand

I'll look into the errors, but maybe you already know what it means.

Contributor Author

iffy commented May 9, 2018

I'm thinking this is a VirtualBox/Windows bug, not electron-builder. As I mentioned before, I'm running electron-builder through vboxmanage guestcontrol run..., and here's what I've currently found:

I have two problems:

  1. extracting the publisher name from the .p12 certificate fails (as mentioned above)
  2. code signing also fails (when I specify win.publisherName to bypass ^)

But, if I open a GUI VirtualBox window and sign in as the default user before running electron-builder, both of those problems are gone 😕

In other words, simply having logged in with the Windows GUI (and not even using the window for anything) solves my problem. Unless you happen to know why this happens, I'm closing this because it's not your problem to fix.
