Code Signing

Code signing is a security technology to certify that an app was created by you. You should sign your application so it does not trigger any operating system security warnings.

macOS Sonoma Gatekeeper warning: The app is damaged

Both Windows and macOS prevent users from running unsigned applications. It is possible to distribute applications without code signing them, but users then need to go through multiple advanced, manual steps to run them.

If you are building an Electron app that you intend to package and distribute, it should be code signed. The Electron ecosystem tooling makes codesigning your apps straightforward - this documentation explains how to sign your apps on both Windows and macOS.

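Signing & notarizing macOS builds

Preparing macOS applications for release requires two steps: First, the app needs to be code signed. Second, the app needs to be uploaded to Apple for a process called notarization, where automated systems further verify that your app isn't doing anything to endanger its users.

To start the process, ensure that you fulfill the requirements for signing and notarizing your app:

  1. Enroll in the Apple Developer Program (requires an annual fee)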
  2. Download and install Xcode - this requires a computer running macOS
  3. Generate, download, and install signing certificates

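Electron's ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.

Using Electron Forge

If you're using Electron's favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using @electron/packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/osx-sign and @electron/notarize.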

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application. If the example below does not meet your needs, please see @electron/osx-sign and @electron/notarize for the many possible configuration options.

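    const packager = require('@electron/packager')

    packager({
      dir: '/path/to/my/app',
      // An empty object enables signing with the default options
      osxSign: {},
      // Placeholder credentials: in a real build, load these from the
      // environment or a secret store instead of committing them
      osxNotarize: {
        appleId: 'felix@felix.fun',
        appleIdPassword: 'my-apple-id-password'
      }
    })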

Signing Mac App Store applications

See the Mac App Store Guide.

Signing Windows builds

Before you can code sign your application, you need to acquire a code signing certificate. Unlike Apple, Microsoft allows developers to purchase those certificates on the open market. They are usually sold by the same companies also offering HTTPS certificates. Prices vary, so it may be worth your time to shop around. Popular resellers include:

It is important to call out that since June 2023, Microsoft requires software to be signed with an "extended validation" certificate, also called an "EV code signing certificate". In the past, developers could sign software with a simpler and cheaper certificate called "authenticode code signing certificate" or "software-based OV certificate". These simpler certificates no longer provide benefits: Windows will treat your app as completely unsigned and display the equivalent warning dialogs.

The new EV certificates are required to be stored on a hardware storage module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. In other words, the certificate cannot be simply downloaded onto a CI infrastructure. In practice, those storage modules look like fancy USB thumb drives.

Many certificate providers now offer "cloud-based signing" - the entire signing hardware is in their data center and you can use it to remotely sign code. This approach is popular with Electron maintainers since it makes signing your applications in CI (like GitHub Actions, CircleCI, etc) relatively easy.

At the time of writing, Electron's own apps use DigiCert KeyLocker, but any provider that provides a command line tool for signing files will be compatible with Electron's tooling.

All tools in the Electron ecosystem use @electron/windows-sign and typically expose configuration options through a windowsSign property. You can either use it to sign files directly - or use the same windowsSign configuration across Electron Forge, @electron/packager, electron-winstaller, and electron-wix-msi.

Using Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/windows-sign.

If you're using Packager's API, you can pass in configuration that signs your application. If the example below does not meet your needs, please see @electron/windows-sign for the many possible configuration options.

    const packager = require('@electron/packager')

    packager({
      dir: '/path/to/my/app',
      windowsSign: {
        signWithParams: '--my=custom --parameters',
        // If signtool.exe does not work for you, customize!
        signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
      }
    })
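Both Packager examples (macOS and Windows) show literal credentials and tool paths. The following added example, which is not part of the Electron documentation, builds the same `osxSign`/`osxNotarize` and `windowsSign` options from CI secrets and refuses to package when one is missing, so a misconfigured job cannot silently ship an unsigned build. The environment variable names and the helper names are assumptions made for this sketch.

```javascript
// Added example: signing options from CI secrets, failing closed.
// APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, WINDOWS_SIGN_TOOL and
// WINDOWS_SIGN_PARAMS are assumed names, not Electron conventions.

function requireEnv (env, names) {
  const missing = names.filter((n) => !env[n] || env[n].trim() === '')
  if (missing.length > 0) {
    // Report variable names only; secret values never reach the CI log.
    throw new Error(`Refusing to package unsigned: missing ${missing.join(', ')}`)
  }
  return names.map((n) => env[n])
}

// Returns the option fragment shown on this page for the given platform.
function signingOptions (platform, env) {
  if (platform === 'darwin') {
    const [appleId, appleIdPassword] =
      requireEnv(env, ['APPLE_ID', 'APPLE_APP_SPECIFIC_PASSWORD'])
    return { osxSign: {}, osxNotarize: { appleId, appleIdPassword } }
  }
  if (platform === 'win32') {
    const [signToolPath, signWithParams] =
      requireEnv(env, ['WINDOWS_SIGN_TOOL', 'WINDOWS_SIGN_PARAMS'])
    return { windowsSign: { signToolPath, signWithParams } }
  }
  return {} // platforms this page does not sign
}

// Hypothetical build entry point; the package is loaded lazily so the
// option logic above can be checked without @electron/packager installed.
async function packageSigned (dir, platform = process.platform, env = process.env) {
  const packager = require('@electron/packager')
  return packager({ dir, platform, ...signingOptions(platform, env) })
}
```

The `windowsSign` object returned here can be passed unchanged to the other tools that accept the same property.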

Using electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

    const electronInstaller = require('electron-winstaller')

    // NB: await is used inside an async function because Node does not
    // support top-level await as of Node 12.
    async function buildInstaller () {
      try {
        await electronInstaller.createWindowsInstaller({
          appDirectory: '/tmp/build/my-app-64',
          outputDirectory: '/tmp/build/installer64',
          authors: 'My App Inc.',
          exe: 'myapp.exe',
          windowsSign: {
            signWithParams: '--my=custom --parameters',
            // If signtool.exe does not work for you, customize!
            signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
          }
        })
        console.log('It worked!')
      } catch (e) {
        console.log(`No dice: ${e.message}`)
      }
    }

    buildInstaller()

For full configuration options, check out the electron-winstaller repository!

Using electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

    import { MSICreator } from 'electron-wix-msi'

    // Step 1: Instantiate the MSICreator
    const msiCreator = new MSICreator({
      appDirectory: '/path/to/built/app',
      description: 'My amazing Kitten simulator',
      exe: 'kittens',
      name: 'Kittens',
      manufacturer: 'Kitten Technologies',
      version: '1.1.2',
      outputDirectory: '/path/to/output/folder',
      windowsSign: {
        signWithParams: '--my=custom --parameters',
        // If signtool.exe does not work for you, customize!
        signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
      }
    })

    // Step 2: Create a .wxs template file
    const supportBinaries = await msiCreator.create()

    // 🆕 Step 2a: optionally sign support binaries if you
    // sign your binaries as part of your packaging script.
    // signFile() stands for your own signing routine; it is not defined here.
    for (const binary of supportBinaries) {
      // Binaries are the new stub executable and optionally
      // the Squirrel auto updater.
      await signFile(binary)
    }

    // Step 3: Compile the template to a .msi file
    await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!
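Whichever of the tools above produced the build, the result can be checked before release. The following added example, not taken from the Electron documentation, is a release gate that runs the operating system's own verification tools over every artifact (the app, its installers and the support binaries) and collects failures. It assumes `codesign`, `spctl` and `xcrun stapler` on a macOS build host, `signtool` from the Windows SDK on `PATH` on a Windows host, and `.app` bundles as the macOS artifacts; the function names are hypothetical.

```javascript
const { execFileSync } = require('node:child_process')

// Verification commands for one artifact, using standard OS tooling.
function verifyCommands (platform, artifact) {
  if (platform === 'darwin') {
    return [
      // Signature is intact and covers nested code
      ['codesign', ['--verify', '--deep', '--strict', '--verbose=2', artifact]],
      // Gatekeeper's own verdict on the bundle
      ['spctl', ['--assess', '--type', 'execute', '--verbose', artifact]],
      // A notarization ticket is stapled to the bundle
      ['xcrun', ['stapler', 'validate', artifact]]
    ]
  }
  if (platform === 'win32') {
    // /pa selects the default Authenticode verification policy
    return [['signtool', ['verify', '/pa', '/v', artifact]]]
  }
  // Fail closed: an unknown platform must not pass the gate by default.
  throw new Error(`No signature check defined for platform ${platform}`)
}

// Returns a list of failures; an empty list means every check passed.
// `run` is injectable so the gate can be exercised without the tools.
function verifyArtifacts (platform, artifacts, run = execFileSync) {
  const failures = []
  for (const artifact of artifacts) {
    for (const [cmd, args] of verifyCommands(platform, artifact)) {
      try {
        run(cmd, args, { stdio: 'pipe' }) // throws on a non-zero exit code
      } catch (e) {
        failures.push({ artifact, cmd, reason: String(e.message).split('\n')[0] })
      }
    }
  }
  return failures
}
```

In a release script, exit with a non-zero status when `verifyArtifacts(process.platform, artifacts)` returns a non-empty list.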

Using Electron Builder

Electron Builder comes with a custom solution for signing your application. You can find its documentation here.

Signing Windows Store applications

See the Windows Store Guide.