跳转到主内容

代码签名

代码签名是一种安全技术,用于验证应用程序真的是由你创建和发布的。 你应该对你发布的应用程序进行签名,以避免触发操作系统的安全警告。

macOS Sonoma 的 Gatekeeper 警告:“该应用已损坏”

Windows 和 macOS 都会阻止用户运行未签名的应用程序。 应用程序理论上可以不经过代码签名进行分发,但用户需要执行多个高级且手动的步骤来运行这些未签名的程序。

如果你正在开发一款Electron应用,并打算将其打包发布,那你就应该为其添加代码签名。 Electron 生态的工具使得对应用程序进行代码签名变得非常简单,本文档将解释如何在 Windows 和 macOS 上对你的应用进行签名。

签名 & 认证 macOS 版本

准备发布 macOS 应用程序需要两个步骤:首先,应用程序需要进行代码签名。 然后,需要将该应用程序上传到Apple以进行称为 公证 的过程,其中自动化系统将进一步验证 您的应用程序是否未采取任何危害其用户的行为。

若要开始,请确保你满足签名要求并认证你的应用:

  1. 加入 Apple Developer Program(需要缴纳年费)
  2. Download and install Xcode - this requires a computer running macOS
  3. 生成,下载,并安装 签名证书

Electron 的生态系统有利于配置和自由,所以有多种方法让您的应用程序签名和公证。

使用 Electron Forge

如果你正在使用 Electron 最受欢迎的构建工具,创建你的应用程序签名 并经过公证仅需要对配置进行一些添加即可。 Forge 是官方的 Electron 工具的 集合,在hood下使用 @electron/packager @electron/osx-sign @electron/notarize

请参见 Electron Forge 文档中的 签署 macOS 应用程序 指南了解如何配置应用程序详细说明。

使用 Electron Packager

如果你没有使用像 Forge 这样的集成构建流,你可能会使用 @electron/packager,其中包括 @electron/osx-sign@electron/notarize

如果你使用的是 Packager 的 API,你可以传入配置参数,该参数能够同时对应用程序进行签名和公证。 如果下面的示例不能满足你的需求,请查看 @electron/osx-sign@electron/notarize 来获取更多可能的配置选项。

const packager = require('@electron/packager')

packager({
dir: '/path/to/my/app',
osxSign: {},
osxNotarize: {
appleId: 'felix@felix.fun',
appleIdPassword: 'my-apple-id-password'
}
})

对 Mac 应用商店应用程序进行签名

请参阅 Mac App Store 指南

签署windows应用程序

Before you can code sign your application, you need to acquire a code signing certificate. Unlike Apple, Microsoft allows developers to purchase those certificates on the open market. They are usually sold by the same companies also offering HTTPS certificates. Prices vary, so it may be worth your time to shop around. 常见经销商包括:

It is important to call out that since June 2023, Microsoft requires software to be signed with an "extended validation" certificate, also called an "EV code signing certificate". In the past, developers could sign software with a simpler and cheaper certificate called "authenticode code signing certificate" or "software-based OV certificate". These simpler certificates no longer provide benefits: Windows will treat your app as completely unsigned and display the equivalent warning dialogs.

The new EV certificates are required to be stored on a hardware storage module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. In other words, the certificate cannot be simply downloaded onto a CI infrastructure. In practice, those storage modules look like fancy USB thumb drives.

Many certificate providers now offer "cloud-based signing" - the entire signing hardware is in their data center and you can use it to remotely sign code. This approach is popular with Electron maintainers since it makes signing your applications in CI (like GitHub Actions, CircleCI, etc) relatively easy.

At the time of writing, Electron's own apps use DigiCert KeyLocker, but any provider that provides a command line tool for signing files will be compatible with Electron's tooling.

All tools in the Electron ecosystem use @electron/windows-sign and typically expose configuration options through a windowsSign property. You can either use it to sign files directly - or use the same windowsSign configuration across Electron Forge, @electron/packager, electron-winstaller, and electron-wix-msi.

使用 Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

使用 Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/windows-sign.

If you're using Packager's API, you can pass in configuration that signs your application. If the example below does not meet your needs, please see @electron/windows-sign for the many possible configuration options.

const packager = require('@electron/packager')

packager({
dir: '/path/to/my/app',
windowsSign: {
signWithParams: '--my=custom --parameters',
// If signtool.exe does not work for you, customize!
signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
}
})

使用 electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

const electronInstaller = require('electron-winstaller')
// NB: Use this syntax within an async function, Node does not have support for
// top-level await as of Node 12.
try {
await electronInstaller.createWindowsInstaller({
appDirectory: '/tmp/build/my-app-64',
outputDirectory: '/tmp/build/installer64',
authors: 'My App Inc.',
exe: 'myapp.exe',
windowsSign: {
signWithParams: '--my=custom --parameters',
// If signtool.exe does not work for you, customize!
signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
}
})
console.log('It worked!')
} catch (e) {
console.log(`No dice: ${e.message}`)
}

For full configuration options, check out the electron-winstaller repository!

使用 electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

import { MSICreator } from 'electron-wix-msi'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
appDirectory: '/path/to/built/app',
description: 'My amazing Kitten simulator',
exe: 'kittens',
name: 'Kittens',
manufacturer: 'Kitten Technologies',
version: '1.1.2',
outputDirectory: '/path/to/output/folder',
windowsSign: {
signWithParams: '--my=custom --parameters',
// If signtool.exe does not work for you, customize!
signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
}
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign support binaries if you
// sign you binaries as part of of your packaging script
for (const binary of supportBinaries) {
// Binaries are the new stub executable and optionally
// the Squirrel auto updater.
await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!

使用 Electron Builder

Electron Builder 附带一个自定义解决方案,用于签署应用程序。 你可以在这里找到 它的文档

对 Windows 应用商店应用程序进行签名

See the Windows Store Guide.