DEV Community

Janos Vajda
Janos Vajda

Posted on

Code signing of Electron app for Windows

We have an Electron project at my current workplace, and as a team leader of this project, I am responsible for the whole deployment process, which contains the code signing as well.

I want to share my experience in this short article as It might help other developers.

Getting a token.

If you or your company want to sign their application, you first need to buy a signing certificate token. There are many companies in this business, and they can manage the whole process and provide you with a token. They have very different prices and services quality, but I would instead not mention a company name here as this article is not an advert, but I can share some information about the process.
The ordering procedure is quite simple, but the delivery can take longer. We waited about a month after the ordering, but everything was ok. The token is a simple USB pen drive. It should be stored in a safe place as without it signing is not possible, and you will have to ask for a replacement, and this can take a month.

Tools we can use.

There is a Windows 32 and 64-bit version, and also Mac and Linux version. However, I tried it only on Windows, so I do not know how they work under other OS.

  • Digicert Certificate Utility - You can download it from the official website:

https://www.digicert.com/kb/util/ssl-certificate-installation-using-digicert-utility-for-microsoft-servers.htm

Code signing process

  1. Install SafeNet Authentication Client Tools
  2. Download Digicert Certificate Utility. This is one single .exe file, so It has no installer. I copied it to my Documents directory for this example, but You can copy it to any directory.
  3. Open the SafeNet Authentication Client Tools from the Start menu, and follow the steps in screenshots.

Step 1 click on the gear icon.

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

Click on the Finish button, and it imports the certificate.

Now open Digicert Certificate Utility (single .exe file - DigiCertUtil.exe) that was copied in your Documents directory, and follow these steps.

Step 1

Step 2

Now You have a .cert file. You can use this file for creating a .pfx file that Electron can use for signing your application.

Open the console and run this command:

openssl pkcs12 -export -in TestLtd.cer -out TestLtd.pfx -nokeys -password pass:YOUR_TOKEN_PASSWORD
Enter fullscreen mode Exit fullscreen mode

TestLtd.cer is the .cer file you exported by Digicert Certificate Utility

TestLtd.pfx is the name of the PFX file.

YOUR_TOKEN_PASSWORD is that password that your certificate company provided.

Electron app's config changes

That's all. After this you have a PFX file. Now You can add the certificate to your Electron app's config. Your config can be very different so I can give you just an example. My Electron app's config file is something like this:

 win: {
          icon: "public/icons/icon.ico",
          target: "nsis",
          certificateSubjectName: 'TestLtd',
          publisherName: 'Test Ltd',
          signingHashAlgorithms: ['sha256'], //sha1 used by only Windows 7, here should be sha256, sha1 breaks win10 auto update, do not use it here without testing auto update!
          verifyUpdateCodeSignature: true,
          signAndEditExecutable: true,
          certificateFile: process.env.CERTIFICATE_PFX_FILE_PATH,
          certificatePassword: process.env.CERTIFICATE_PASSWORD
        },
Enter fullscreen mode Exit fullscreen mode

I use the Vue CLI Plugin Electron Builder, so this config is in the vue.config.js, but Your config and tools might differ.

In my project the process.env.CERTIFICATE_PFX_FILE_PATH and the process.env.CERTIFICATE_PASSWORD variables are coming from an .env file, of course as these never should commit to Git.

My process.env.CERTIFICATE_PFX_FILE_PATH has this value in my .en file:

CERTIFICATE_PFX_FILE_PATH = "C:\\Users\\janos\\Documents\\TestLtd.pfx"
Enter fullscreen mode Exit fullscreen mode

The process.env.CERTIFICATE_PASSWORD value is super-secret, of course. However, it is the same password that you used in OpenSSL command. The token provider company provided this.

Happy coding and signing. :) I hope this article can help You if you face any issue in the signing process of the Electron app under Windows.

Discussion (2)

Collapse
mliakos profile image
Emmanouil Liakos • Edited on

You need to export the Private Key too or you are going to face errors while signing the build.

Collapse
sealingp profile image
seaZhang

one question
tokens empty after open safenet authentication client tolls "advance setting"
how can i get it ?