Why and How to Sign Your Electron App: Boost Security with Code Signing

What Is Code Signing

Code signing is a form of digital signature used to confirm the identity of a software publisher and ensure that the software has not been altered since it was signed. It allows users to verify the publisher’s identity and the integrity of the software.

Why Sign Your Application

Unsigned software is often flagged as unsafe by operating systems, resulting in warning dialogs that hurt user experience. Without a signature, the source and integrity of the software cannot be proven, making it vulnerable to malicious replacement.

Files Typically Signed

Executable files : applications, installers, drivers, etc., to guarantee integrity and trusted origin.

Dynamic Link Libraries (DLL) : shared libraries that need protection from unauthorized changes.

Installers : packages such as Setup.exe that benefit from user trust.

Source code files : JavaScript, Java, C++, etc., to ensure code has not been tampered with.

Configuration files : metadata and settings that must remain unchanged.

Types of Code Signing Certificates

Certificates are issued by trusted Certificate Authorities (CAs). The main brands in China include DigiCert, GlobalSign, Sectigo, Entrust, and Certum.

Two common validation levels exist:

OV (Organization Validation) : verifies the organization’s legal existence, providing a moderate level of trust.

EV (Extended Validation) : involves stricter verification, including additional legal and organizational checks, resulting in higher trust and more prominent security prompts for users.

Pricing and Availability

Most developers purchase certificates through authorized resellers rather than directly from CAs. EV certificates typically cost 3,000–5,000 CNY per year, while OV certificates are cheaper. Some resellers offer “Pro” versions with faster delivery.

How to Perform Code Signing

Follow these steps:

Obtain a certificate : Purchase a .pfx file or a USB token containing the certificate.

Choose a signing tool : Use signtool directly or rely on electron-builder , which bundles the tool. For automation, some resellers provide wrappers based on signtool .

Sign during the Electron build : Execute signing after the build completes.

Example electron-builder configuration:

<code>win: {
        "target": ["nsis"],
        "timeStampServer": "http://timestamp.digicert.com",
        "icon": iconPath,
        "artifactName": "61drawlive_student_${version}.${ext}",
        "verifyUpdateCodeSignature": false,
        "requestedExecutionLevel": "highestAvailable",
        "sign": path.join(rootPath, "./script/winSign.js"),
        "signDlls": true,
}
</code>

EV signing script (winSign.js):

<code>const { execSync } = require('child_process')
const path = require('path')
const rootPath = path.resolve(__dirname, '../')
async function sign(config) {
  console.log(JSON.stringify(config))
  execSync(`${path.join(rootPath, './script/wosigncodecmd.exe')} sign /tp 证书指纹 /p ukey密码 /hide /c /dig sha256 /tr ${config.options.timeStampServer} /file ${config.path}`)
}
module.exports = sign
</code>

OV signing script (winSign.js):

<code>const { execSync } = require('child_process')
const envConfig = require('dotenv').config().parsed
async function sign (config) {
  console.log(JSON.stringify(config))
  if (config.options.signingHashAlgorithms.includes('sha1')) {
    execSync(`signtool sign /v /debug /f ./src/nsis/certificate/cer-sha1.pfx /p ${envConfig.WIN_CSC_PASSWORD} /t ${config.options.timeStampServer} ${config.path}`)
  }
  execSync(`signtool sign /as /v /debug /f ./src/nsis/certificate/globalsignEV.pfx /fd SHA256 /p ${envConfig.WIN_CSC_PASSWORD} /tr ${config.options.rfc3161TimeStampServer} /td SHA256 ${config.path}`)
}
module.exports = sign
</code>

Note that code signing certificates, like web certificates, have an expiration date. Expired certificates do not affect already signed files because the signature includes a timestamp.

Conclusion

Signing your Electron application enhances trust, protects users, and improves the overall credibility of your software. Implement code signing now to ensure your app’s integrity and security.