Code signing your Electron application is a crucial step in the packaging and distribution process. It's like putting a digital stamp of authenticity on your app, assuring users and operating systems that the application comes from a trusted source and hasn't been tampered with since it was signed. This builds trust, enhances security, and can prevent your app from being flagged as potentially unwanted by antivirus software or operating system security features.
To code sign, you'll need a code signing certificate. This certificate is issued by a trusted Certificate Authority (CA) and verifies your identity or your organization's identity. Obtaining a certificate typically involves a verification process by the CA.
For macOS, code signing is mandatory for distributing applications outside the Mac App Store. The operating system uses this signature to verify the developer and ensure the integrity of the application. On Windows, code signing helps avoid the "Windows protected your PC" SmartScreen filter warning and is essential for a professional presentation.
The primary tool for packaging and distributing Electron applications is electron-builder. It has excellent support for code signing on both macOS and Windows, simplifying the process significantly. You'll typically configure signing options within your package.json or a separate configuration file.
```json
{
  "build": {
    "appId": "com.yourcompany.yourapp",
    "mac": {
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "identity": "Developer ID Application: Your Name (TEAMID)"
    },
    "win": {
      "publisherName": "Your Company Name"
    }
  }
}
```

On macOS, electron-builder uses the codesign command-line utility. You'll need to specify the identity that matches your code signing certificate. The hardenedRuntime option is highly recommended for enhanced security on macOS.
For Windows, electron-builder will use your .pfx file (which contains your certificate and private key) and the password associated with it to sign your executable and installer. This often involves setting environment variables or passing credentials during the build process.
```shell
npm install -g electron-builder
electron-builder --mac --win
```

When you run electron-builder with the appropriate configurations, it will automatically handle the code signing process for the target platforms. This means your built application and its installer will be digitally signed, providing a layer of trust and security for your end-users.
It's important to keep your code signing certificates secure. Treat your private keys with the utmost care, as their compromise could allow attackers to impersonate you. Store them in a safe location and avoid sharing them unnecessarily.
Here's a simplified overview of the signing process: a developer obtains a certificate from a CA. When packaging, electron-builder uses this certificate and the private key to cryptographically sign the application. When a user downloads and runs the application, the operating system checks the signature against the CA's trusted root and verifies that the application hasn't been altered.
```mermaid
graph TD
  A[Developer Obtains Certificate from CA] --> B{Electron Builder}
  B -- Uses Certificate & Private Key --> C{Sign Application & Installer}
  C --> D[User Downloads & Installs App]
  D -- OS Verifies Signature --> E{App Trusted & Secure}
```