
Code Signing

Code signing is a security technology that you use to certify that an app was created by you. You should sign your application so that it does not trigger any security checks in the operating system.

On macOS, the system can detect any change to the app, whether the change is introduced accidentally or by malicious code.

On Windows, the system assigns a trust level to your code signing certificate. If that trust level is low or the certificate is missing, security warning dialogs appear when users start your application. The trust level builds up over time, so it is better to start code signing as early as possible.

While it is possible to distribute unsigned apps, it is not recommended. Both Windows and macOS will, by default, prevent either the download or the execution of unsigned applications. Starting with macOS Catalina (version 10.15), users have to go through multiple manual steps to open unsigned applications.

macOS Catalina Gatekeeper warning: The app cannot be opened because the developer cannot be verified

As you can see, users get two options: move the app straight to the trash or cancel running it. You probably don't want your users to see that dialog.

If you are building an Electron app that you intend to package and distribute, it should be code signed.

Signing & notarizing macOS builds

Properly preparing macOS applications for release requires two steps. First, the app needs to be code signed. Then, the app needs to be uploaded to Apple for a process called notarization, where automated systems will further verify that your app isn't doing anything to endanger its users.

To start the process, ensure that you fulfill the requirements for signing and notarizing your app:

  1. Enroll in the Apple Developer Program (requires an annual fee)
  2. Download and install Xcode - this requires a computer running macOS
  3. Generate, download, and install signing certificates

Electron's ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.

Using Electron Forge

If you're using Electron's favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using electron-packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using electron-packager, which includes @electron/osx-sign and @electron/notarize.

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application.

const packager = require('electron-packager')

packager({
  dir: '/path/to/my/app',
  osxSign: {},
  osxNotarize: {
    appleId: 'felix@felix.fun',
    appleIdPassword: 'my-apple-id-password'
  }
})

Signing Mac App Store applications

See the Mac App Store Guide.

Signing Windows builds

Before signing Windows builds, you must do the following:

  1. Get a Windows Authenticode code signing certificate (requires an annual fee)
  2. Install Visual Studio to get the signing utility (the free Community Edition is enough)

You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:

  • digicert
  • Sectigo
  • Amongst others, please shop around to find one that suits your needs! 😄

Keep your certificate password private

Your certificate password should be a secret. Do not share it publicly or commit it to your source code.

Using Electron Forge

Electron Forge is the recommended way to sign your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Using electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. If you're not using Electron Forge and want to use electron-winstaller directly, use the certificateFile and certificatePassword configuration options when creating your installer.

const electronInstaller = require('electron-winstaller')

// NB: await is only valid inside an async function in a CommonJS script,
// so the installer is created from one.
async function createInstaller () {
  try {
    await electronInstaller.createWindowsInstaller({
      appDirectory: '/tmp/build/my-app-64',
      outputDirectory: '/tmp/build/installer64',
      authors: 'My App Inc.',
      exe: 'myapp.exe',
      certificateFile: './cert.pfx',
      certificatePassword: 'this-is-a-secret'
    })
    console.log('It worked!')
  } catch (e) {
    console.log(`No dice: ${e.message}`)
  }
}

createInstaller()

For full configuration options, check out the electron-winstaller repository!
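The warning above about keeping the certificate password private, applied to the certificateFile and certificatePassword options, as an added example that is not part of the Electron documentation or of electron-winstaller. The environment variable names and the helpers signingOptionsFromEnv, isInside and redactForLog are assumptions made for this illustration.

```javascript
// Added example: take signing secrets from the environment instead of
// writing them into the build script. All names below are assumptions.
const path = require('node:path')

const CERT_FILE_VAR = 'WINDOWS_CERTIFICATE_FILE'
const CERT_PASSWORD_VAR = 'WINDOWS_CERTIFICATE_PASSWORD'

// True when candidate resolves to parentDir itself or to a path below it.
function isInside (parentDir, candidate) {
  const rel = path.relative(path.resolve(parentDir), path.resolve(candidate))
  return rel === '' || (rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel))
}

function signingOptionsFromEnv (env, appDirectory) {
  const certificateFile = env[CERT_FILE_VAR]
  const certificatePassword = env[CERT_PASSWORD_VAR]
  // Fail closed: a release build must not silently fall back to unsigned.
  if (!certificateFile) throw new Error(`${CERT_FILE_VAR} is not set`)
  if (!certificatePassword) throw new Error(`${CERT_PASSWORD_VAR} is not set`)
  // A .pfx kept inside the app directory would be packaged and shipped.
  if (isInside(appDirectory, certificateFile)) {
    throw new Error('certificate file must live outside appDirectory')
  }
  return { certificateFile, certificatePassword }
}

// Copy of the options that is safe to print in build logs.
function redactForLog (options) {
  const copy = { ...options }
  for (const key of Object.keys(copy)) {
    if (/password/i.test(key)) copy[key] = '[redacted]'
  }
  return copy
}

// Constructed sample environment; in CI these values come from the
// pipeline's secret store and are passed as process.env.
const sampleEnv = {
  WINDOWS_CERTIFICATE_FILE: '/secure/certs/cert.pfx',
  WINDOWS_CERTIFICATE_PASSWORD: 'constructed-sample-value'
}
const installerOptions = {
  appDirectory: '/tmp/build/my-app-64',
  outputDirectory: '/tmp/build/installer64',
  authors: 'My App Inc.',
  exe: 'myapp.exe',
  ...signingOptionsFromEnv(sampleEnv, '/tmp/build/my-app-64')
}
console.log(redactForLog(installerOptions))
```

The resulting installerOptions object has the same shape as the options passed to createWindowsInstaller in the snippet above.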

Using electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker.

If you're not using Electron Forge and want to use electron-wix-msi directly, use the certificateFile and certificatePassword configuration options or pass in parameters directly to SignTool.exe with the signWithParams option.

import { MSICreator } from 'electron-wix-msi'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
  appDirectory: '/path/to/built/app',
  description: 'My amazing Kitten simulator',
  exe: 'kittens',
  name: 'Kittens',
  manufacturer: 'Kitten Technologies',
  version: '1.1.2',
  outputDirectory: '/path/to/output/folder',
  certificateFile: './cert.pfx',
  certificatePassword: 'this-is-a-secret'
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign support binaries if you
// sign your binaries as part of your packaging script.
// signFile is your own signing helper; it is not defined here.
// for...of is used so every signature finishes before Step 3
// (forEach does not wait for an async callback).
for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
  await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!

Using Electron Builder

Electron Builder comes with a custom solution for signing your application. You can find its documentation here.

Signing Windows Store applications

See the Windows Store Guide.