Original link: https://oldj.net/article/2022/07/15/code-signing-with-electron-on-windows/
Code signing is the developer's digital signature on the software. Users can check the signature to confirm the developer's identity and to make sure that the copy they downloaded comes from a trusted source and has not been tampered with by a third party.
Applications built with Electron can also be code signed. On macOS it is relatively simple; please refer to "Signing and Notarization of Electron Programs under macOS", which I wrote earlier. On Windows it is a little more troublesome, and I took some detours before succeeding, so I am recording the process here.
Buy a certificate
To sign an application on Windows, a signing certificate is required, and it has to be purchased. After comparing several certificate vendors, I found that CheapSSLSecurity seemed to be the cheapest, with no notable negative reviews, so I placed my order there. They are very fast: with the materials ready, it takes only one day from placing the order to receiving the certificate.
There are two types of code signing certificates: the ordinary version and the EV version. The ordinary version can be purchased by individual developers or by companies (called the IV and OV versions respectively), while the EV version can only be purchased by companies or organizations; it provides stronger assurance but is also more expensive. For the other differences between the two, refer to the explanations available online; they are not repeated here.
Documented below is the purchase and use of a regular code signing certificate.
Place an order
Find "Code Signing Certificates" in the top navigation of CheapSSLSecurity and click it to see the list of code signing products on sale. The most popular one is "Comodo Code Signing", which is what I bought; add it to the shopping cart and check out. It costs $83 for one year, or $69.17 per year when three years are bought at once.
If you do not have an account, CheapSSLSecurity will remind you to create an account after placing an order.
Apply for a certificate
After the order is placed successfully, CheapSSLSecurity shows you a certificate application form. On this page you fill in the applicant's name, address and other details, and finally a CSR (Certificate Signing Request).
One thing to note at this step is that it is best to apply using the IE browser. I ran into trouble here when I applied, because I use macOS every day. When I applied I saw that the CSR could be filled in manually, so I applied from Chrome on macOS and used another tool to generate a CSR to fill in and submit. As a result, the process got stuck later when the certificate was generated, and the application had to be resubmitted from the beginning. Fortunately there was no need to pay again.
Since Windows 11 no longer includes IE, you need a Windows 10 or Windows 7/8 machine; a virtual machine also works. Although the application itself has to be done in IE, the certificate can be exported afterwards for use on other machines, even macOS.
CheapSSLSecurity's website also has instructions for applying with Firefox, but I tried them without success. The easiest way is probably to do it on Windows.
When applying with IE, you can let the browser generate the CSR automatically, keeping the default values for all settings.
Data verification
CheapSSLSecurity is actually just a certificate reseller. After it submits the application, you will receive an email from Sectigo; click the link in the email to see the progress. This stage is mainly the certificate authority verifying the validity of the order and of the applicant's information.
If everything goes well, after some time you will receive an email asking you to proceed to the next step: uploading a photo of the certificate administrator's ID card and a photo of the personal ID card. You can add a watermark to the photos yourself.
After the photo verification passes, you will receive an email for the next step, verifying the applicant's (or company's) contact phone number; just follow the prompts. In this step the corresponding phone number is shown on their website, and you can choose to be called immediately or at a specified time. You can also choose the language of the call, which supports Mandarin Chinese. Click to call now, and the phone will receive a call from a US number that reads out a 6-digit verification code. Enter the code on the web page and this step is done.
Get a certificate
After the phone verification is passed, you will soon receive an email prompting “Your Code Signing Certificate is ready”. At this time, you can click the link in the email to obtain the certificate.
Note that this step must be completed in the same IE browser that generated the CSR earlier, since the private key generated together with the CSR is stored there.
Follow the page prompts, confirming each step, until you see the interface shown in the figure below; this means the certificate has been obtained successfully.
[Figure: Get a certificate]
At this point, the code signing certificate has been generated and installed into the current IE browser.
Export the certificate
Next, open the IE settings, go to [Content] → [Certificates] in the [Internet Options] panel, and you should see a new entry under [Personal]: the code signing certificate that was just generated and installed.
[Figure: Export certificate]
Select the certificate and click [Export] to export it as a certificate in pfx format. Note that the private key must be exported along with it, and the export wizard asks for a password to protect it; this is the password the signing configuration needs later.
Sign with a certificate
With this certificate, the generated exe or installer can be signed when Electron is packaged.
I use electron-builder for packaging, and there are detailed instructions on certificate signing parameters in the Windows packaging section of the official documentation.
Configure
My relevant configuration is as follows:

```js
win: {
  icon: 'assets/logo.ico',
  legalTrademarks: 'WonderPen',
  verifyUpdateCodeSignature: false,
  // The following are the code-signing-related options
  signingHashAlgorithms: ['sha256'],
  signDlls: false,
  // pfx exported from IE; the password is read from a variable, not hard-coded
  certificateFile: path.join(root_dir, 'scripts', 'tm.pfx'),
  certificatePassword: CERT_PSWD,
  // timestamping keeps the signature valid after the certificate itself expires
  rfc3161TimeStampServer: 'http://timestamp.digicert.com',
  timeStampServer: 'http://timestamp.digicert.com',
},
```

Then the normal packaging process follows.
Verify
After packaging completes, check the properties of the generated exe file on Windows. If everything went well, there is a "Digital Signature" tab in the properties; click it to show the details of the signature, as in the figure below:
[Figure: Signature information]
This means the code signing has been completed successfully.
Other notes
Note that because an ordinary code signing certificate is used above, a warning may still be shown when a user downloads and runs the application with a browser such as Edge, even though it is signed. However, the warning now shows the developer's name (for example, the company name entered in the application) instead of an unknown publisher. According to information found online, the warning disappears once enough users have downloaded and installed the application.
If you want to avoid this warning from the start, you need to purchase an EV code signing certificate. It is more expensive and the process is more complicated. I have not tried it; if I gain experience with it in the future, I will share it.
Also, when applying for a code signing certificate in the name of a company, the company name can be entered in Chinese or English. English is recommended for better compatibility, because a Chinese name may be displayed as garbled characters in some places, as in the picture below:
[Figure: company name garbled]
Summary
When software is distributed, code signing lets users confirm that the copy they downloaded is the version you packaged and signed and has not been tampered with, which strengthens their trust in the product.
Code signing certificates cost money, from hundreds to thousands a year. Vendors such as CheapSSLSecurity offer lower-priced certificates and can be considered if the budget is limited.
IE may be needed during the application process, so prepare a suitable machine in advance. After the certificate is issued, it can be exported for use on other devices or systems.
After obtaining the certificate, tools such as electron-builder let you sign the generated files with just a few lines of configuration.