We have an Electron project at my current workplace, and as the team leader of this project, I am responsible for the whole deployment process, which includes code signing as well.
I want to share my experience in this short article, as it might help other developers.
Getting a token.
If you or your company want to sign an application, you first need to buy a signing certificate token. There are many companies in this business, and they can manage the whole process and provide you with a token. Their prices and service quality vary widely. I would rather not mention a company name here, as this article is not an advert, but I can share some information about the process.
The ordering procedure is quite simple, but the delivery can take longer. We waited about a month after ordering, but everything was OK. The token is a simple USB pen drive. It should be stored in a safe place, because signing is not possible without it; if it is lost, you will have to ask for a replacement, and this can take a month.
Tools we can use.
- SafeNet Authentication Client Tools - You can download it from its official website: https://knowledge.digicert.com/generalinformation/INFO1982.html
There are Windows 32-bit and 64-bit versions, and also Mac and Linux versions. However, I tried it only on Windows, so I do not know how they work under other operating systems.
- Digicert Certificate Utility - You can download it from the official website:
- OpenSSL - This is for generating PFX files. If you do not have it, you can download it from here: https://kb.firedaemon.com/support/solutions/articles/4000121705
- Some console. You can use the default Windows command line, which is good enough for generating the PFX file.
Code signing process
- Install SafeNet Authentication Client Tools
- Download Digicert Certificate Utility. This is one single .exe file, so it has no installer. I copied it to my Documents directory for this example, but you can copy it to any directory.
- Open the SafeNet Authentication Client Tools from the Start menu, and follow the steps in screenshots.
Click on the Finish button, and it imports the certificate.
Now open Digicert Certificate Utility (single .exe file - DigiCertUtil.exe) that was copied to your Documents directory, and follow these steps.
Now you have a .cer file. You can use this file for creating a .pfx file that Electron can use for signing your application.
Open the console and run this command:
openssl pkcs12 -export -in TestLtd.cer -out TestLtd.pfx -nokeys -password pass:YOUR_TOKEN_PASSWORD
TestLtd.cer is the .cer file you exported with Digicert Certificate Utility.
TestLtd.pfx is the name of the PFX file.
YOUR_TOKEN_PASSWORD is the password that your certificate company provided.
Electron app's config changes
That's all. After this, you have a PFX file. Now you can add the certificate to your Electron app's config. Your config may be very different, so I can only give you an example. My Electron app's config file looks something like this:
win: {
  icon: 'public/icons/icon.ico',
  target: 'nsis',
  certificateSubjectName: 'TestLtd',
  publisherName: 'Test Ltd',
  // sha1 is used only by Windows 7; this should be sha256. sha1 breaks Windows 10 auto update,
  // so do not use it here without testing auto update!
  signingHashAlgorithms: ['sha256'],
  verifyUpdateCodeSignature: true,
  signAndEditExecutable: true,
  certificateFile: process.env.CERTIFICATE_PFX_FILE_PATH,
  certificatePassword: process.env.CERTIFICATE_PASSWORD
},
I use the Vue CLI Plugin Electron Builder, so this config is in vue.config.js, but your config and tools might differ.
In my project, the process.env.CERTIFICATE_PFX_FILE_PATH and process.env.CERTIFICATE_PASSWORD variables come from an .env file, of course, as these should never be committed to Git.
My process.env.CERTIFICATE_PFX_FILE_PATH has this value in my .env file:
CERTIFICATE_PFX_FILE_PATH = "C:\\Users\\janos\\Documents\\TestLtd.pfx"
The process.env.CERTIFICATE_PASSWORD value is super-secret, of course. However, it is the same password that you used in the OpenSSL command. The token provider company provided this.
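A pre-build check for the settings above, as an added example that is not part of the original article or of electron-builder: it confirms that both variables are present in the .env file, that the secrets are kept out of Git, and that sha1 has not crept into signingHashAlgorithms. The function names, the sample data and the use of a .gitignore file are assumptions.

```javascript
// Added example; function names and sample data are hypothetical, not electron-builder API.

// Parse simple KEY = "value" lines of a .env file (no multiline values, no expansion).
function parseDotEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// Simplified .gitignore match: plain names and * globs only; negated (!) rules are skipped.
function isIgnored(gitignoreText, fileName) {
  return gitignoreText.split(/\r?\n/)
    .map((l) => l.trim().replace(/^\//, ''))
    .filter((l) => l && !l.startsWith('#') && !l.startsWith('!'))
    .some((pattern) => {
      const source = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
      return new RegExp(`^${source}$`).test(fileName);
    });
}

// Returns a list of problems; an empty list means the signing setup looks sane.
function checkSigningSetup(envText, gitignoreText, winConfig) {
  const env = parseDotEnv(envText);
  const problems = [];
  for (const name of ['CERTIFICATE_PFX_FILE_PATH', 'CERTIFICATE_PASSWORD']) {
    if (!env[name]) problems.push(`${name} is missing or empty in .env`);
  }
  if (!isIgnored(gitignoreText, '.env')) problems.push('.env is not in .gitignore');
  // A relative PFX path means the file lives inside the project, so it must be ignored too.
  const pfxPath = env.CERTIFICATE_PFX_FILE_PATH || '';
  const pfxName = pfxPath.split(/[\\/]/).pop();
  if (pfxName && !/^([A-Za-z]:|[\\/])/.test(pfxPath) && !isIgnored(gitignoreText, pfxName)) {
    problems.push(`${pfxName} is inside the project but not in .gitignore`);
  }
  const algos = winConfig.signingHashAlgorithms;
  if (!Array.isArray(algos) || algos.includes('sha1') || !algos.includes('sha256')) {
    problems.push('signingHashAlgorithms should be ["sha256"] without sha1');
  }
  return problems;
}

// Constructed sample: password set, relative PFX path, .gitignore that forgot both files.
const SAMPLE_ENV = 'CERTIFICATE_PFX_FILE_PATH = "certs/TestLtd.pfx"\nCERTIFICATE_PASSWORD = "example"';
console.log(checkSigningSetup(SAMPLE_ENV, 'node_modules\ndist', { signingHashAlgorithms: ['sha1'] }));
```

In a real project, pass in the contents of your own .env and .gitignore files and the win section of your config, and stop the build when the returned list is not empty.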
Happy coding and signing. :) I hope this article can help you if you face any issue in the signing process of the Electron app under Windows.
Top comments (2)
You need to export the Private Key too or you are going to face errors while signing the build.
One question:
Tokens are empty after opening the SafeNet Authentication Client Tools "advance setting".
How can I get it?