guides/code-signing.md
+27-10
@@ -4,20 +4,37 @@ Code signing is done for the Windows and Mac distributions of Cypress when they
4
4
5
5
`electron-builder` handles code signing during the `create-build-artifacts` jobs. This guide assumes that the reader is already familiar with [`electron-builder`'s Code Signing documentation](https://www.electron.build/code-signing).
6
6
7
-
## Installing a new Mac code signing key
7
+
## Rotating the Mac code signing key
8
8
9
-
Follow the directions supplied by `electron-builder`: https://www.electron.build/code-signing#travis-appveyor-and-other-ci-servers
9
+
1. On a Mac, log in to Xcode using Cypress's Apple developer program identity.
10
+
2. Follow Apple's [Create, export, and delete signing certificates](https://help.apple.com/xcode/mac/current/#/dev154b28f09) instructions:
11
+
1. Follow "View signing certificates".
12
+
2. Follow "Create a signing certificate", and choose the type of "Developer ID Application" when prompted.
13
+
3. Follow "Export a signing certificate". Set a strong passphrase when prompted, which will later become `CSC_KEY_PASSWORD`.
14
+
3. Upload the exported, encrypted `.p12` file to the [Code Signing folder][code-signing-folder] in Google Drive and obtain a public [direct download link][direct-download].
15
+
4. Within the `test-runner:sign-mac-binary` CircleCI context, set `CSC_LINK` to that direct download URL and set `CSC_KEY_PASSWORD` to the passphrase used to encrypt the `p12` file.
10
16
11
-
Set the environment variables `CSC_LINK` and `CSC_KEY_PASSWORD` in the `test-runner:sign-mac-binary` CircleCI context.
17
+
## Rotating the Windows code signing key
12
18
13
-
## Installing a new Windows code signing key
14
-
15
-
1. Obtain the private key and full certificate chain in ASCII-armored PEM format and store each in a file (`-----BEGIN PRIVATE KEY-----`, `-----BEGIN CERTIFICATE-----`)
16
-
2. Using `openssl`, convert the plaintext PEM public and private key to binary PKCS#12/PFX format and encrypt it with a real strong password.
19
+
1. Generate a certificate signing request (CSR) file using `openssl`. For example:
2. Obtain a certificate by submitting the CSR to SSL.com using the Cypress SSL.com account.
27
+
* If renewing, follow the [renewal instructions](https://www.ssl.com/how-to/renewing-ev-ov-and-iv-certificates/).
28
+
* If rotating, contact SSL.com's support to request certificate re-issuance.
29
+
3. Obtain the full certificate chain from SSL.com's dashboard in ASCII-armored PEM format and save it as `win-code-signing.crt`. (`-----BEGIN PRIVATE KEY-----`, `-----BEGIN CERTIFICATE-----`)
30
+
4. Using `openssl`, convert the plaintext PEM public and private key to binary PKCS#12/PFX format and encrypt it with a strong passphrase, which will later become `CSC_KEY_PASSWORD`.
3. Upload the `encrypted.pfx` file to the Cypress App Google Drive and obtain a [direct download link](http://www.syncwithtech.org/p/direct-download-link-generator.html).
23
-
4. Within the `test-runner:sign-windows-binary` CircleCI context, set`CSC_LINK` to that URL and `CSC_KEY_PASSWORD` to the password.
36
+
5. Upload the `encrypted-win-code-signing.pfx` file to the [Code Signing folder][code-signing-folder] in Google Drive and obtain a public [direct download link][direct-download].
37
+
6. Within the `test-runner:sign-windows-binary` CircleCI context, set`CSC_LINK` to that direct download URL and set`CSC_KEY_PASSWORD` to the passphrase used to encrypt the `pfx` file.
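Review bot: In the new Windows step 3, the parenthetical still lists `-----BEGIN PRIVATE KEY-----`, although the step now only saves the certificate chain from SSL.com's dashboard as `win-code-signing.crt`. That marker is carried over from the removed step 1, which covered both the private key and the chain. Keep only `-----BEGIN CERTIFICATE-----` in step 3 so nobody expects a private key in the `.crt` file or pastes one into it, and say in step 4 which file holds the private key that goes into the PFX. Separately, Mac step 3 and Windows step 5 both publish the encrypted `.p12`/`.pfx` through a public direct download link, which leaves the passphrase as the only protection for the signing key. "Strong passphrase" should be made concrete, for example a long randomly generated value that is stored only in the CircleCI context. Neither rotation procedure says what happens to the previous certificate and its file in the Code Signing folder, so a closing step for removing or revoking the old one would help. Minor: Windows step 6 is missing a space in "set`CSC_LINK`" and "set`CSC_KEY_PASSWORD`".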