Saltar al contenido principal

Firma de código

Code signing is a security technology to certify that an app was created by you. You should sign your application so it does not trigger any operating system security warnings.

macOS Sonoma Gatekeeper warning: The app is damaged

Both Windows and macOS prevent users from running unsigned applications. It is possible to distribute applications without codesigning them - but in order to run them, users need to go through multiple advanced and manual steps to run them.

Si tu estas haciendo una aplicación Electron que tu quieres empaquetar y distribuir, debería ser de código firmado. The Electron ecosystem tooling makes codesigning your apps straightforward - this documentation explains how sign your apps on both Windows and macOS.

Firmar & notarizar versiones de macOS

Preparing macOS applications for release requires two steps: First, the app needs to be code signed. Luego, la aplicación debe ser cargada a Apple para un proceso llamado notarización, donde los sistemas automatizados comprobarán aún más que tu aplicación no está haciendo nada para poner en peligro a sus usuarios.

Para comenzar el proceso, asegúrate de cumplir con los requisitos para firmar y notarizar tu App:

  1. Afíliate en el Apple Developer Program (requiere un pago anual)
  2. Download and install Xcode - this requires a computer running macOS
  3. Generate, download, and install signing certificates

El ecosistema de Electron favorece la configuración y la libertad, así que hay múltiples maneras de que tu aplicación sea firmada y notarizada.

Usando Electron Forge

Si usas la herramienta de construcción favorita de Electron, firmar tu aplicación y notarizarla requiere algunas adiciones a tu configuración. Forge is a collection of the official Electron tools, using @electron/packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Usando Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/osx-sign and @electron/notarize.

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application. If the example below does not meet your needs, please see @electron/osx-sign and @electron/notarize for the many possible configuration options.

const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  osxSign: {},
  osxNotarize: {
    appleId: 'felix@felix.fun',
    appleIdPassword: 'my-apple-id-password'
  }
})

Firmar aplicaciones de la App Store de Mac

See the Mac App Store Guide.

Firmando compilaciones Windows

Before you can code sign your application, you need to acquire a code signing certificate. Unlike Apple, Microsoft allows developers to purchase those certificates on the open market. They are usually sold by the same companies also offering HTTPS certificates. Prices vary, so it may be worth your time to shop around. Entre los revendedores populares se incluyen:

It is important to call out that since June 2023, Microsoft requires software to be signed with an "extended validation" certificate, also called an "EV code signing certificate". In the past, developers could sign software with a simpler and cheaper certificate called "authenticode code signing certificate" or "software-based OV certificate". These simpler certificates no longer provide benefits: Windows will treat your app as completely unsigned and display the equivalent warning dialogs.

The new EV certificates are required to be stored on a hardware storage module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. In other words, the certificate cannot be simply downloaded onto a CI infrastructure. In practice, those storage modules look like fancy USB thumb drives.

Many certificate providers now offer "cloud-based signing" - the entire signing hardware is in their data center and you can use it to remotely sign code. This approach is popular with Electron maintainers since it makes signing your applications in CI (like GitHub Actions, CircleCI, etc) relatively easy.

At the time of writing, Electron's own apps use DigiCert KeyLocker, but any provider that provides a command line tool for signing files will be compatible with Electron's tooling.

All tools in the Electron ecosystem use @electron/windows-sign and typically expose configuration options through a windowsSign property. You can either use it to sign files directly - or use the same windowsSign configuration across Electron Forge, @electron/packager, electron-winstaller, and electron-wix-msi.

Usando Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Usando Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/windows-sign.

If you're using Packager's API, you can pass in configuration that signs your application. If the example below does not meet your needs, please see @electron/windows-sign for the many possible configuration options.

const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  windowsSign: {
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})

Utilizando electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

const electronInstaller = require (' Electron-winstaller ')
//NB: utiliza esta sintaxis dentro de una función asincrónica ya que Node no tiene soporte para
//nivel superior Await a partir del nodo 12.
try {
  await electronInstaller.createWindowsInstaller({
    appDirectory: '/tmp/build/my-app-64',
    outputDirectory: '/tmp/build/installer64',
    authors: 'My App Inc.',
    exe: 'myapp.exe',
    windowsSign: {
      signWithParams: '--my=custom --parameters',
      // If signtool.exe does not work for you, customize!
      signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
    }
  })
  console.log('It worked!')
} catch (e) {
  console.log(`No dados: ${e.message}`)
}

For full configuration options, check out the electron-winstaller repository!

Usar Electron-Wix-MSI (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

import { MSICreator } from 'electron-wix-msi'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
  appDirectory: '/path/to/built/app',
  description: 'My amazing Kitten simulator',
  exe: 'kittens',
  name: 'Kittens',
  manufacturer: 'Kitten Technologies',
  version: '1.1.2',
  outputDirectory: '/path/to/output/folder',
  windowsSign: {
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign support binaries if you
// sign you binaries as part of of your packaging script
for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
  await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!

Usando Electron Builder

Electron Builder viene con una solución personalizada para la firma de su aplicación. Usted puede encontar its documentation here.

Firmar aplicaciones de la Windows Store

See the Windows Store Guide.