Code signing is a digital signature applied to software by its developer. It lets users confirm the developer's identity and ensure that the copy they download comes from a trusted source and has not been tampered with by a third party.

Applications built with Electron can also be code-signed. On macOS the process is relatively simple; on Windows it has some pitfalls, and I took a few detours before succeeding, so here is a record of it.

Buying a certificate

To sign an application on Windows, you need a signing certificate, which you have to pay for. After comparing several certificate providers, CheapSSLSecurity seemed to be the cheapest, and I found no major negative reviews of it, so I placed my order there. They are very fast: if your documents are ready, it takes only one day from order to certificate.

There are two types of code signing certificates: the regular version, which can be purchased by individual developers or companies (called the IV, Individual Validation, and OV, Organization Validation, versions respectively), and the EV (Extended Validation) version, which can only be purchased by companies or organizations and provides higher assurance but is also more expensive. More information about the differences between the two can be found on the Internet, so I won't repeat it here.

The following is a record of the purchase and use of the regular version of the code signing certificate.

Place an order

Find “Code Signing Certificates” in the top navigation of CheapSSLSecurity and click it to see the list of code signing products it sells. The most popular one is “Comodo Code Signing”, which is the one I purchased. Just add it to your cart and check out. It costs $83 for one year, or $69.17 per year if you buy three years at once.

If you don’t have an account, CheapSSLSecurity will remind you to create one after you place your order.

Apply for a certificate

After the order is successfully placed, CheapSSLSecurity shows you a certificate application form. On this page you fill in the name, address and other details of the applicant, and finally a CSR (Certificate Signing Request).

One thing to note about this step is that it is best to apply using the IE browser. I fell into a trap here the first time I applied: because I use macOS every day, and the form allowed the CSR to be filled in manually, I applied with Chrome on macOS, generated the CSR with other tools and pasted it into the form. The process then got stuck when the certificate was generated, so I had to resubmit the application from the beginning. Fortunately I did not need to pay again.

Since IE is no longer available on Windows 11, you will also need a Windows 10 or Windows 7/8 machine; a virtual machine works. Although the application itself has to be done in IE, the final certificate can be exported for use on other machines, or even on macOS.

The official CheapSSLSecurity website also has instructions for applying with Firefox, but I tried them without success, so the easiest way is probably to do it on Windows.

When you apply with IE, in the CSR column you can let the browser generate the CSR automatically; just keep the default values for all settings.

Data verification

CheapSSLSecurity is actually only a reseller of the certificate. After you submit the application on CheapSSLSecurity, you will receive an email from Sectigo; click the link in the email to see the progress. The certificate authority mainly wants to verify that the order is genuine and that the applicant's information is valid.

If all goes well, after a while you will receive an email asking you to proceed to the next step, which requires you to upload a photo of the certificate administrator's ID card and a photo of the administrator holding that ID card. You can add your own watermark to the photos.

After the photo verification is approved, you will receive another email for the next step: verifying the applicant's (or company's) contact phone number. Just follow the prompts. In this step the corresponding phone number is displayed on their website, and you can choose to be called immediately or schedule a time for the call; you can also choose the language of the call, which includes Mandarin Chinese. When you click Call Now, that phone number receives a call from a U.S. number, during which a 6-digit verification code is read out. Enter this code on the web page and you are done.

Get the certificate

After you have passed the phone verification, you will soon receive an email that says “Your Code Signing Certificate is ready”, so you can click the link in the email to obtain the certificate.

Note that you need to continue this step in the same IE browser that generated the CSR before.

Following the page prompts, click OK all the way through. When you see the screen shown below, the certificate has been obtained successfully.

(Screenshot: certificate issued successfully)

At this point, the code signing certificate has been generated and installed in the current IE browser.

Exporting the certificate

Next, open the IE browser settings and click [Content] → [Certificates] in the [Internet Options] panel. You should see a new item under the [Personal] tab; this is the code signing certificate you just generated and installed.

(Screenshot: exporting the certificate in Internet Explorer)

Select this certificate and click Export to export it as a certificate in .pfx format. Note that you must choose to export the private key along with it. Because the resulting .pfx contains the private key, protect it with a strong password and keep it out of version control; anyone who obtains it can sign software in your name.
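Before handing an exported .pfx to a build, it is worth confirming that it is actually usable for code signing. The following POSIX shell script is an added example, not part of the original post: with the openssl command-line tool it checks that the password opens the file, that the leaf certificate carries the Code Signing extended key usage, and that the certificate has not expired. The function names are my own, the openssl CLI being installed is an assumption, and the .pfx files the script generates for itself are throwaway self-signed certificates constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the openssl CLI
# (1.1.1 or newer) is on PATH. Everything it generates is a throwaway,
# self-signed test certificate constructed for the demonstration.
set -eu

# Either the name openssl prints for id-kp-codeSigning or its raw OID.
EKU_PATTERN='Code Signing|1\.3\.6\.1\.5\.5\.7\.3\.3'

# Print the leaf (end-entity) certificate inside a .pfx as PEM.
# $1 = path to the .pfx, $2 = export password
pfx_leaf_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Return 0 if the .pfx opens, its leaf certificate is marked for code
# signing and it is still valid; otherwise report why and return non-zero.
# $1 = path to the .pfx, $2 = export password
check_pfx_for_code_signing() {
  pem=$(pfx_leaf_cert "$1" "$2") || {
    echo "cannot open $1 (wrong password or unsupported PKCS#12 encryption?)" >&2
    return 1
  }
  # The text dump lists the extended key usage by name.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -text | grep -qE "$EKU_PATTERN"; then
    echo "certificate lacks the Code Signing extended key usage" >&2
    return 2
  fi
  # -checkend 0 fails if the certificate has already expired.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2
    return 3
  fi
  printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
}

# Build a throwaway self-signed .pfx so the check can be exercised offline.
# $1 = output path, $2 = export password, $3 = EKU to set (codeSigning or serverAuth)
make_test_pfx() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Constructed Test Publisher' -addext "extendedKeyUsage=$3" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -out "$1" -passout "pass:$2"
  rm -rf "$tmp"
}

# Usage: CSC_KEY_PASSWORD=... ./check_pfx.sh scripts/tm.pfx
# The password comes from the environment so it does not appear in argv.
if [ "$#" -ge 1 ]; then
  check_pfx_for_code_signing "$1" "${CSC_KEY_PASSWORD:?set CSC_KEY_PASSWORD}"
fi
```

A .pfx exported by older Windows versions is encrypted with the legacy RC2/3DES PKCS#12 algorithms, which OpenSSL 3 only reads when `-legacy` is added to the `openssl pkcs12` command; the newer AES-256-SHA256 export option does not need it. The same check works on macOS, which is one reason the exported file is convenient to move between machines.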

Signing with a certificate

Once you have the certificate, you can sign the generated exe or installation file during Electron packaging.

I use electron-builder for packaging, and the Windows section of its official documentation has detailed instructions on the certificate signing parameters.

Configuration

My relevant configuration is as follows.

// Excerpt from the electron-builder configuration. `path` is Node's path
// module; `root_dir` and `CERT_PSWD` are defined elsewhere in the build script.
win: {
  icon: 'assets/logo.ico',
  legalTrademarks: 'WonderPen',
  verifyUpdateCodeSignature: false,
  // The code-signing related options start here
  signingHashAlgorithms: ['sha256'],  // sign with SHA-256 only
  signDlls: false,                     // sign the exe/installer only, not bundled DLLs
  certificateFile: path.join(root_dir, 'scripts', 'tm.pfx'),  // the exported .pfx
  certificatePassword: CERT_PSWD,      // password chosen when exporting the private key
  rfc3161TimeStampServer: 'http://timestamp.digicert.com',  // RFC 3161 timestamp server
  timeStampServer: 'http://timestamp.digicert.com',         // legacy Authenticode timestamp server
},

This is followed by the normal packaging process. Timestamping matters: a timestamped signature stays valid after the certificate itself expires, whereas an untimestamped one does not. If you prefer not to keep the certificate path and password in the configuration file, electron-builder can also read them from the CSC_LINK and CSC_KEY_PASSWORD environment variables.

Verification

After packaging is finished, check the properties of the generated exe file on Windows. If everything went well, an additional “Digital Signatures” tab appears in the properties dialog; click it to display the signature details, as shown in the image below. You can also verify from a Developer Command Prompt with signtool verify /pa /v <file>.exe, which reports the signer chain and whether the signature is timestamped.

(Screenshot: Digital Signatures tab)

At this point, the code signing has been completed successfully.

Other

Note that because the above is a regular (non-EV) code signing certificate, users may still see a warning when they download and run the application from a browser such as Edge, even though it is code-signed; the difference is that the warning shows the developer's name, such as the company name you entered when applying, instead of “Unknown publisher”. According to information online, this warning disappears once enough users have downloaded and installed the application, but there is no information on what counts as “enough”.

If you want to avoid this warning from the start, you need to purchase an EV code signing certificate. That certificate is more expensive and more complicated to operate; I have not tried it, so I will share my experience in the future if I do.

In addition, when applying for a code signing certificate in a company's name, the company name can be entered in Chinese or English. I recommend entering it in English for better compatibility, because a Chinese name may be displayed as garbled text in some places, as in the figure below.

(Screenshot: company name displayed as garbled text)

Summary

When distributing software, code signing assures the user that the copy they download is the version you packaged and signed and has not been tampered with, which improves user trust in the product.

Code signing certificates cost money, from a few hundred to several thousand per year. Some service providers, such as CheapSSLSecurity, offer certificates at friendly prices, so if you are on a budget you can consider these providers.

The process of applying for a certificate may require IE, so a suitable machine needs to be prepared in advance. After the certificate is issued, it can be exported for use on other devices or operating systems.

Once you have the certificate, the generated files can be signed with a few lines of configuration using tools such as electron-builder.

Ref

  • https://oldj.net/article/2022/07/15/code-signing-with-electron-on-windows/