Signing Windows App/Installer


#1

I’ve just gotten my OSX build signed and now it’s time to start thinking about Windows. I haven’t used Windows much in years and solid information on this topic seems harder to come by. I’m not even certain whether I need to sign the app itself or the setup.exe file.

I run my builds on OSX using the following scripts (snippet from my package.json file):

"scripts": {
    "clean": "rm -rf dist",
    "clean:osx": "rm -rf dist/osx",
    "clean:win": "rm -rf dist/win",
    "build:osx": "npm run clean:osx && electron-packager ./app \"My App\" --ignore=node_modules/.bin --out=dist/osx/ --platform=darwin --arch=x64 --version=0.36.12 --icon=\"build/assets/osx/My App.icns\" --prune --app-bundle-id=\"com.mycompany.myapp\" --app-version=$(node -e 'console.log(require(\"./app/package.json\").version)') --osx-sign",
    "build:win": "npm run clean:win && electron-packager ./app \"My App\" --ignore=node_modules/.bin --out=dist/win/ --platform=win32 --arch=ia32 --version=0.36.12 --icon=\"build/assets/win/My App.ico\" --prune --app-version=$(node -e 'console.log(require(\"./app/package.json\").version)')",
    "pack:osx": "npm run build:osx && electron-builder \"dist/osx/My App-darwin-x64/My App.app\" --platform=osx --out=dist/osx/ --config=build/config.json",
    "pack:win": "npm run build:win && electron-builder \"dist/win/My App-win32-ia32\" --platform=win --out=dist/win/ --config=build/config.json"
}

Adding the --osx-sign flag for OSX was simple enough, but I don’t see any clear (to me) instructions for signing windows. It seems like Windows signing is supported, but I haven’t found any details that are clear to me.

I guess my questions boil down to these:

  1. Am I signing the app (electron-packager) or the installer (electron-builder)?
  2. Assuming I have the certificate/key, how do I trigger either the builder or the packager to sign the Windows app/installer?

It’s worth noting that we’ve been trying to release this app for a long time. The packages I’m using are old. In some cases upgrading requires a lot of work I’d really prefer to do for the next release.

electron-packager@6.0.2
electron-builder@2.11.0

Thanks for any insight.


#2

Having the same problem and no help from the community!


#3

Having the same issue. Did you manage to solve it?


#4

My apologies, guys. I should have updated this topic long ago. Since there was no activity here, I created an issue on the repository (https://github.com/electron-userland/electron-builder/issues/705) and another ticket somewhere that I can’t find right now.

The bottom line suggestion was to upgrade to the latest version of builder if at all possible. Although there’s a workaround using signtool:

Version 2 uses old variant of NSIS and doesn’t support code signing at all.

I went ahead and updated electron-builder (which removes the need for electron-packager) and got everything signed reasonably quickly.

I hope that helps. I’ll be happy to share my package.json if that would be helpful.


#5

Yes, I am actually stuck in the same situation. Do you mind showing your package.json scripts, please?


#6

Sure. Here you go:

"scripts": {
    "clean": "rm -rf dist",
    "clean:mac": "rm -rf dist/mac",
    "clean:win": "rm -rf dist/win",
    "dist:mac": "npm run clean:mac && build --mac",
    "dist:win": "export CSC_LINK=file:///tmp/my-win-developer-cert-win.p12; read -s -p \"Certificate Password: \" certPassword; export CSC_KEY_PASSWORD=\"$certPassword\"; npm run clean:win && build --win",
    "dist": "npm run clean && npm run dist:mac && npm run dist:win"
}

Some details:

  1. My Windows certificate has a password. The dist:win script prompts the user to enter that password and then uses what they enter.
  2. The Mac developer cert is in my keychain, so it gets picked up automatically.

Hope this helps.


#7

I probably should’ve included my build section from that same file as well:

"build": {
  "appId": "com.my.app",
  "asar": false,
  "category": "public.app-category.utilities",
  "win": {
    "target": "nsis"
  },
  "nsis": {
    "oneClick": false,
    "perMachine": true,
    "allowElevation": true,
    "installerHeader": "build/installerHeader.bmp",
    "installerHeaderIcon": "build/installerHeaderIcon.ico"
  },
  "mac": {
    "target": "dmg"
  },
  "dmg": {
    "icon": "build/dmg.icns",
    "contents": [
      {
        "x": 345,
        "y": 150,
        "type": "link",
        "path": "/Applications"
      },
      {
        "x": 125,
        "y": 150,
        "type": "file"
      }
    ]
  }
},


#8

@robwilkerson
Thank you for your solution. Have you considered signing the DLLs included in the electron-packager-created application? We pass the output of electron-packager to electron-winstaller and I believe that signing is required after both steps.

After electron-packager finishes:

  • d3dcompiler_47.dll and xinput1_3.dll are signed by Microsoft
  • ffmpeg, libEGL.dll, and node.dll are not signed, so we have added a step to sign these

More problematic are the files in resources/*.asar – they can’t have an embedded signature, so they have to be signed with a detached signature.

I have created https://github.com/electron-userland/electron-packager/issues/656 to track this issue.
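As an added example (not code from this thread, nor from electron-packager or electron-builder), the following Python script walks a packaged output directory and reports which exe/dll/.node files carry no embedded Authenticode certificate table, listing .asar archives separately because they can only be signed with a detached signature. It only checks that an embedded signature is present, not that it is valid, and the inclusion of the .node extension and the fake_pe test helper are assumptions made for this example.

```python
import struct
from pathlib import Path

# Assumption: native Node addons ship as .node files and are PE images too.
PE_EXTENSIONS = {".exe", ".dll", ".node"}


def security_directory(data: bytes):
    """(file_offset, size) of the PE certificate table, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt_off = pe_off + 4 + 20                                  # skip PE sig + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)         # PE32 vs PE32+ layout
    entry = dd_off + 4 * 8                                     # index 4 = security dir
    if entry + 8 > len(data):
        return None
    # Unlike other directories this entry is a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)


def has_authenticode_signature(data: bytes) -> bool:
    """True when the image carries an embedded certificate table (size > 0)."""
    sec = security_directory(data)
    return sec is not None and sec[1] > 0


def audit_tree(root: str) -> dict:
    """Classify every file under an electron-packager output directory."""
    report = {"signed_pe": [], "unsigned_pe": [], "needs_detached": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == ".asar":                                     # no embedded signature possible
            report["needs_detached"].append(str(path))
        elif ext in PE_EXTENSIONS:
            signed = has_authenticode_signature(path.read_bytes())
            report["signed_pe" if signed else "unsigned_pe"].append(str(path))
    return report


def fake_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not loadable) used only for offline testing."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<II", opt, dd_off + 32, 0x1000 if signed else 0, 0x800 if signed else 0)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20) + bytes(opt)
```

Run audit_tree() on the electron-packager output folder before handing it to electron-winstaller; anything under unsigned_pe still needs a signing step, and a present certificate table is not proof that the signature verifies.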


#9

What Windows certificate are you using, guys?
Many of our users complain about antivirus problems…

Our certificate is from DigiCert.