Перейти к основному содержанию

Подписывание кода

Подпись кода - это технология безопасности, которую вы используете для удостоверения того, что приложение было создано вами. You should sign your application so it does not trigger any operating system security checks.

On macOS, the system can detect any change to the app, whether the change is introduced accidentally or by malicious code.

On Windows, the system assigns a trust level to your code signing certificate which if you don't have, or if your trust level is low, will cause security dialogs to appear when users start using your application. Trust level builds over time so it's better to start code signing as early as possible.

Можно распространять неподписанные приложения, но не рекомендуется. Both Windows and macOS will, by default, prevent either the download or the execution of unsigned applications. Starting with macOS Catalina (version 10.15), users have to go through multiple manual steps to open unsigned applications.

macOS Catalina Gatekeeper warning: The app cannot be opened because the developer cannot be verified

As you can see, users get two options: Move the app straight to the trash or cancel running it. You don't want your users to see that dialog.

Если вы создаете приложение Electron, которое собираетесь упаковывать и распространять, оно должно быть подписано.

Signing & notarizing macOS builds

Properly preparing macOS applications for release requires two steps. First, the app needs to be code signed. Then, the app needs to be uploaded to Apple for a process called notarization, where automated systems will further verify that your app isn't doing anything to endanger its users.

To start the process, ensure that you fulfill the requirements for signing and notarizing your app:

  1. Зарегистрироваться в Apple Developer Program (требует оплату раз в год)
  2. Скачать и установить Xcode - для этого требуется компьютер под управлением macOS
  3. Сгенерировать подписанные сертификаты

Electron's ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.

Using Electron Forge

If you're using Electron's favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using @electron/packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/osx-sign and @electron/notarize.

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application.

const packager = require('@electron/packager')

packager({
dir: '/path/to/my/app',
osxSign: {},
osxNotarize: {
appleId: 'felix@felix.fun',
appleIdPassword: 'my-apple-id-password'
}
})

Signing Mac App Store applications

See the Mac App Store Guide.

Подписывание сборок для Windows

Перед подписью, следует:

  1. Получить сертификат для подписания кода аутентификации Windows (требуется ежегодная плата)
  2. Установите Visual Studio для получения утилиты подписи (бесплатной версия Community Edition достаточно)

Вы можете получить сертификат от множества продавцов, включая самых популярных. Цены варьируются, поэтому это может стоить вашего времени, чтобы ходить по магазинам. Популярные реселлеры включают:

  • digicert
  • Sectigo
  • Amongst others, please shop around to find one that suits your needs! 😄
Держите пароль вашего сертификата в тайне

Your certificate password should be a secret. Do not share it publicly or commit it to your source code.

Using Electron Forge

Electron Forge is the recommended way to sign your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Using electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. If you're not using Electron Forge and want to use electron-winstaller directly, use the certificateFile and certificatePassword configuration options when creating your installer.

const electronInstaller = require('electron-winstaller')
// NB: Use this syntax within an async function, Node does not have support for
// top-level await as of Node 12.
try {
await electronInstaller.createWindowsInstaller({
appDirectory: '/tmp/build/my-app-64',
outputDirectory: '/tmp/build/installer64',
authors: 'My App Inc.',
exe: 'myapp.exe',
certificateFile: './cert.pfx',
certificatePassword: 'this-is-a-secret'
})
console.log('It worked!')
} catch (e) {
console.log(`No dice: ${e.message}`)
}

For full configuration options, check out the electron-winstaller repository!

Using electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker.

If you're not using Electron Forge and want to use electron-wix-msi directly, use the certificateFile and certificatePassword configuration options or pass in parameters directly to SignTool.exe with the signWithParams option.

import { MSICreator } from 'electron-wix-msi'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
appDirectory: '/path/to/built/app',
description: 'My amazing Kitten simulator',
exe: 'kittens',
name: 'Kittens',
manufacturer: 'Kitten Technologies',
version: '1.1.2',
outputDirectory: '/path/to/output/folder',
certificateFile: './cert.pfx',
certificatePassword: 'this-is-a-secret'
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign support binaries if you
// sign you binaries as part of of your packaging script
for (const binary of supportBinaries) {
// Binaries are the new stub executable and optionally
// the Squirrel auto updater.
await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!

Using Electron Builder

Electron Builder comes with a custom solution for signing your application. You can find its documentation here.

Signing Windows Store applications

Смотри страницу Windows Store Guide.