3

Our company ordered an EV certificate from GlobalSign.

Before, we had a normal code signing certificate as a p12 file, which we could use in Install4J.

Now, with the new certificate we have no cert-files but a usb-token.

Is there a built-in way to use the usb-token to sign executables/jars? Or do I need to use the "Executable processing" step of media wizard like mentioned here?

Maybe a way to sign all installers (win, mac, linux) from one machine (like macos)?

dominic.e

2 Answers

5

Based on Ingo's answer, it's not possible to use an EV Code Sign certificate. I hope, in future, it will.

As I said in my question, you have to use "Executable processing" in media wizard (for Windows only).

You can use Microsoft's codesign on Windows itself, or you can use a little tool called jsign, which you can use on all platforms to sign Windows executables with an EV Code Sign certificate.

This is our call to jsign:

java -jar jsign-2.0.jar --keystore ./eToken.cfg --alias %GetAliasOfYourToken% --storetype PKCS11 --tsaurl http://timestamp.comodoca.com/authenticode --storepass %WriteTokenPasswordHere% $EXECUTABLE

eToken.cfg is a simple text-file with two lines:

name=eToken

library=/usr/local/lib/libeTPkcs11.dylib (because I'm on MacOS)

for Windows it should be:

library=c:\WINDOWS\system32\eTPKCS11.dll

dominic.e
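A wrapper for the jsign call and eToken.cfg described in the answer above, suitable as the command of an "Executable processing" step. It is an added example, not part of the original post or of jsign or install4j; the variable names TOKEN_ALIAS, TOKEN_PIN, ETOKEN_LIB, JSIGN_JAR and TSA_URL are assumptions chosen here so that the token PIN is not stored in the project file or the script.

```shell
#!/bin/sh
# Added example: wraps the jsign call from the answer above.
# TOKEN_ALIAS, TOKEN_PIN, ETOKEN_LIB, JSIGN_JAR and TSA_URL are assumed
# variable names, not jsign or install4j settings.
JSIGN_JAR="${JSIGN_JAR:-jsign-2.0.jar}"
TSA_URL="${TSA_URL:-http://timestamp.comodoca.com/authenticode}"

# Print the PKCS#11 library path for this platform (paths from the answer).
pkcs11_library() {
    if [ -n "${ETOKEN_LIB:-}" ]; then
        printf '%s\n' "$ETOKEN_LIB"
        return 0
    fi
    case "$(uname -s)" in
        Darwin) printf '%s\n' '/usr/local/lib/libeTPkcs11.dylib' ;;
        MINGW*|MSYS*|CYGWIN*) printf '%s\n' 'c:\WINDOWS\system32\eTPKCS11.dll' ;;
        *) echo "set ETOKEN_LIB to the token's PKCS#11 library" >&2; return 1 ;;
    esac
}

# Write the two-line provider config to the file given as $1.
write_token_cfg() {
    lib="$(pkcs11_library)" || return 1
    printf 'name=eToken\nlibrary=%s\n' "$lib" > "$1"
}

# Sign the executable given as $1; refuse to run with missing inputs.
sign_executable() {
    [ -n "${TOKEN_ALIAS:-}" ] || { echo "TOKEN_ALIAS is not set" >&2; return 2; }
    [ -n "${TOKEN_PIN:-}" ]   || { echo "TOKEN_PIN is not set" >&2; return 2; }
    [ -f "$1" ]               || { echo "no such file: $1" >&2; return 3; }
    cfg="$(mktemp)" || return 1
    write_token_cfg "$cfg" || { rm -f "$cfg"; return 1; }
    # --storepass puts the PIN in java's argument list, where other local
    # users can read it while the process runs: use a dedicated build host.
    rc=0
    java -jar "$JSIGN_JAR" --keystore "$cfg" --alias "$TOKEN_ALIAS" \
        --storetype PKCS11 --tsaurl "$TSA_URL" \
        --storepass "$TOKEN_PIN" "$1" || rc=$?
    rm -f "$cfg"
    return "$rc"
}

if [ "$#" -gt 0 ]; then sign_executable "$1"; fi
```

Export TOKEN_ALIAS and TOKEN_PIN in the build environment and pass the executable path as the first argument.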
2

Or do I need to use the "Executable processing" step of media wizard like mentioned here?

Yes, that's the only way.

Maybe a way to sign all installers (win, mac, linux) from one machine (like macos)?

Unfortunately, that's not possible.


Update 2019-10-22

Since install4j 8.0, hardware security modules (PKCS#11) are supported for Windows code signing and can be configured on the General Settings->Code Signing step.

Ingo Kegel