代码签名
代码签名是一种用来证明应用是由你创建的一种安全技术。
在macOS系统中,系统可以区分开应用的变更是偶然产生的,还是被恶意代码生成的。
在Windows系统中,如果程序没有代码签名证书,或者代码签名授信级别较低时,系统同样会将其列为可信程序,只是当用户运行该应用时,系统会显示安全提示。 确立授信级别的过程比较费时,因此最好提早开始着手代码签名的工作。
即使开发者可以发布一个未签名的应用程序,但是我们并不建议这样做。 下面就是macOS系统用户,在运行没有签名的应用程序时遇到的情形:
应用无法打开,因为它来自身份不明的开发者
If you are building an Electron app that you intend to package and distribute, it should be code signed. The Mac and Windows app stores do not allow unsigned apps.
Code Signing
Code signing is a security technology that you use to certify that an app was
created by you.
On macOS the system can detect any change to the app, whether the change is
introduced accidentally or by malicious code.
On Windows the system assigns a trust level to your code signing certificate which
if you don't have, or if your trust level is low will cause security dialogs to
appear when users start using your application. Trust level builds over time
so it's better to start code signing as early as possible.
While it is possible to distribute unsigned apps, it is not recommended.
For example, here's what macOS users see when attempting to start an unsigned app:
App can't be opened because it is from an unidentified developer
If you are building an Electron app that you intend to package and distribute,
it should be code signed. The Mac and Windows app stores do not allow unsigned
apps.
签署 macOS 应用程序
在签署macOS应用程序前,你需要完成以下事项:
- 加入 Apple Developer Program(需要缴纳年费)
- 下载并安装 Xcode
- 生成,下载,然后安装签名证书(signing certificates)
你可以运用许多方式来签署你的应用:
- [
electron-osx-sign],一个独立的macOS签名工具。 - [
electron-packager] 打包electron-osx-sign. 如果你正在使用electron-packager,那么在签署包文件时请传--osx-sign=true参数。- [
electron-forge],它在内部使用electron-packager,你可以在forge配置中设置osxSign配置项。
- [
- [
electron-builder] 内置代码签名功能。 可参考electron.build/code-signing
更多信息,参考Mac App Store Submission Guide.
Signing macOS builds
Before signing macOS builds, you must do the following:
- Enroll in the Apple Developer Program (requires an annual fee)
- Download and install Xcode
- Generate, download, and install signing certificates
There are a number of tools for signing your packaged app:
electron-osx-signis a standalone tool for signing macOS packages.electron-packagerbundleselectron-osx-sign. If you're usingelectron-packager,
pass the--osx-sign=trueflag to sign your build.electron-forgeuseselectron-packagerinternally, you can set theosxSignoption
in your forge config.
electron-builderhas built-in code-signing capabilities. See electron.build/code-signing
For more info, see the Mac App Store Submission Guide.
签署 Windows 应用程序
在签署 Windows 应用程序前,你需要完成以下事项:
- Get a Windows Authenticode code signing certificate (requires an annual fee)
- 安装Visual Studio 2015/2017(来获取签名功能)
You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:
- digicert
- Comodo
- GoDaddy
- 可以根据自身需求,选择其它的签名分销商。
你可以运用许多方式来签署你的应用:
- [
electron-winstaller],将会生成一个带有签名的windows安装包。 - [
electron-forge] 可以签署Squirrel.Windows 或MSI 类型的安装包 - [
electron-builder] 能签署一些windows安装包。
Signing Windows builds
Before signing Windows builds, you must do the following:
- Get a Windows Authenticode code signing certificate (requires an annual fee)
- Install Visual Studio 2015/2017 (to get the signing utility)
You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:
- digicert
- Comodo
- GoDaddy
- Amongst others, please shop around to find one that suits your needs, Google is your friend :)
There are a number of tools for signing your packaged app:
electron-winstallerwill generate an installer for windows and sign it for youelectron-forgecan sign installers it generates through the Squirrel.Windows or MSI targets.electron-buildercan sign some of its windows targets