当前位置: 首页 > 文档资料 > Electron 中文文档 >

代码签名

优质
小牛编辑
187浏览
2023-12-01

代码签名是一种用来证明应用是由你创建的一种安全技术。

在macOS系统中,系统可以区分开应用的变更是偶然产生的,还是被恶意代码生成的。

在Windows系统中,如果程序没有代码签名证书,或者代码签名授信级别较低时,系统同样会将其列为可信程序,只是当用户运行该应用时,系统会显示安全提示。 确立授信级别的过程比较费时,因此最好提早开始着手代码签名的工作。

即使开发者可以发布一个未签名的应用程序,但是我们并不建议这样做。 下面就是macOS系统用户,在运行没有签名的应用程序时遇到的情形:

在macOS系统中,会对未签名的应用提出警告

应用无法打开,因为它来自身份不明的开发者

If you are building an Electron app that you intend to package and distribute, it should be code signed. The Mac and Windows app stores do not allow unsigned apps.

Code Signing

Code signing is a security technology that you use to certify that an app was
created by you.

On macOS the system can detect any change to the app, whether the change is
introduced accidentally or by malicious code.

On Windows the system assigns a trust level to your code signing certificate which
if you don't have, or if your trust level is low will cause security dialogs to
appear when users start using your application. Trust level builds over time
so it's better to start code signing as early as possible.

While it is possible to distribute unsigned apps, it is not recommended.
For example, here's what macOS users see when attempting to start an unsigned app:

unsigned app warning on macOS

App can't be opened because it is from an unidentified developer

If you are building an Electron app that you intend to package and distribute,
it should be code signed. The Mac and Windows app stores do not allow unsigned
apps.

签署 macOS 应用程序

在签署macOS应用程序前,你需要完成以下事项:

  1. 加入 Apple Developer Program(需要缴纳年费)
  2. 下载并安装 Xcode
  3. 生成,下载,然后安装签名证书(signing certificates)

你可以运用许多方式来签署你的应用:

  • [electron-osx-sign],一个独立的macOS签名工具。
  • [electron-packager] 打包 electron-osx-sign. 如果你正在使用 electron-packager,那么在签署包文件时请传--osx-sign=true参数。
    • [electron-forge],它在内部使用electron-packager,你可以在forge配置中设置 osxSign配置项。
  • [electron-builder] 内置代码签名功能。 可参考electron.build/code-signing

更多信息,参考Mac App Store Submission Guide.

Signing macOS builds

Before signing macOS builds, you must do the following:

  1. Enroll in the Apple Developer Program (requires an annual fee)
  2. Download and install Xcode
  3. Generate, download, and install signing certificates

There are a number of tools for signing your packaged app:

  • electron-osx-sign is a standalone tool for signing macOS packages.
  • electron-packager bundles electron-osx-sign. If you're using electron-packager,
    pass the --osx-sign=true flag to sign your build.

    • electron-forge uses electron-packager internally, you can set the osxSign option
      in your forge config.
  • electron-builder has built-in code-signing capabilities. See electron.build/code-signing

For more info, see the Mac App Store Submission Guide.

签署 Windows 应用程序

在签署 Windows 应用程序前,你需要完成以下事项:

  1. Get a Windows Authenticode code signing certificate (requires an annual fee)
  2. 安装Visual Studio 2015/2017(来获取签名功能)

You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:

  • digicert
  • Comodo
  • GoDaddy
  • 可以根据自身需求,选择其它的签名分销商。

你可以运用许多方式来签署你的应用:

  • [electron-winstaller],将会生成一个带有签名的windows安装包。
  • [electron-forge] 可以签署Squirrel.Windows 或MSI 类型的安装包
  • [electron-builder] 能签署一些windows安装包。

Signing Windows builds

Before signing Windows builds, you must do the following:

  1. Get a Windows Authenticode code signing certificate (requires an annual fee)
  2. Install Visual Studio 2015/2017 (to get the signing utility)

You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:

  • digicert
  • Comodo
  • GoDaddy
  • Amongst others, please shop around to find one that suits your needs, Google is your friend :)

There are a number of tools for signing your packaged app:

  • electron-winstaller will generate an installer for windows and sign it for you
  • electron-forge can sign installers it generates through the Squirrel.Windows or MSI targets.
  • electron-builder can sign some of its windows targets