
Code signing

Code signing is a security technology to certify that an app was created by you. You should sign your application so it does not trigger any operating system security warnings.

macOS Sonoma Gatekeeper warning: The app is damaged

Both Windows and macOS prevent users from running unsigned applications. It is possible to distribute applications without code signing them - but in order to run them, users need to go through multiple advanced and manual steps.

If you are building an Electron app that you intend to package and distribute, it should be code signed. The Electron ecosystem tooling makes code signing your apps straightforward - this documentation explains how to sign your apps on both Windows and macOS.

Signing & notarizing macOS builds

Preparing macOS applications for release requires two steps: First, the app needs to be code signed. Then, the app needs to be uploaded to Apple for a process called notarization, where automated systems will further verify that your app isn't doing anything to endanger its users.

To start the process, ensure that you fulfill the requirements for signing and notarizing your app:

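  1. Enroll in the Apple Developer Program (requires an annual fee)
  2. Download and install Xcode - this requires a computer running macOS
  3. Generate, download, and install signing certificates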

Electron's ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.

Using Electron Forge

If you're using Electron's favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using @electron/packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/osx-sign and @electron/notarize.

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application. If the example below does not meet your needs, please see @electron/osx-sign and @electron/notarize for the many possible configuration options.

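const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  // An empty object enables signing with the default options
  osxSign: {},
  osxNotarize: {
    // Placeholder values: read real credentials from the environment or a
    // secret store rather than committing them to source control
    appleId: 'felix@felix.fun',
    appleIdPassword: 'my-apple-id-password'
  }
})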

Signing Mac App Store applications

See the Mac App Store Guide.

Signing Windows builds

Using traditional certificates

Before you can code sign your application, you need to acquire a code signing certificate. Unlike Apple, Microsoft allows developers to purchase those certificates on the open market. They are usually sold by the same companies also offering HTTPS certificates. Prices vary, so it may be worth your time to shop around. Popular resellers include:

It is important to call out that since June 2023, Microsoft requires software to be signed with an "extended validation" certificate, also called an "EV code signing certificate". In the past, developers could sign software with a simpler and cheaper certificate called "Authenticode code signing certificate" or "software-based OV certificate". These simpler certificates no longer provide benefits: Windows will treat your app as completely unsigned and display the equivalent warning dialogs.

The new EV certificates are required to be stored on a hardware storage module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. In other words, the certificate cannot be simply downloaded onto a CI infrastructure. In practice, those storage modules look like fancy USB thumb drives.

Many certificate providers now offer "cloud-based signing" - the entire signing hardware is in their data center and you can use it to remotely sign code. This approach is popular with Electron maintainers since it makes signing your applications in CI (like GitHub Actions, CircleCI, etc.) relatively easy.

At the time of writing, Electron's own apps use DigiCert KeyLocker, but any provider that provides a command line tool for signing files will be compatible with Electron's tooling.

All tools in the Electron ecosystem use @electron/windows-sign and typically expose configuration options through a windowsSign property. You can either use it to sign files directly - or use the same windowsSign configuration across Electron Forge, @electron/packager, electron-winstaller, and electron-wix-msi.

Using Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/windows-sign.

If you're using Packager's API, you can pass in configuration that signs your application. If the example below does not meet your needs, please see @electron/windows-sign for the many possible configuration options.

const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  windowsSign: {
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})
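
The two Packager snippets above (macOS and Windows) write signing settings as literals. As an added example that is not part of the Electron documentation, the following builds the same osxSign/osxNotarize and windowsSign options from environment variables, fails closed when a value is missing, and redacts secrets before they reach CI logs. The environment variable names, the teamId field (assumed to be required by your @electron/notarize version) and the choice to treat signWithParams as sensitive are assumptions.

```javascript
// Added example, not Electron's own code. The environment variable names
// below are assumptions; rename them to match your CI secret names.
const REQUIRED = {
  darwin: ['APPLE_ID', 'APPLE_PASSWORD', 'APPLE_TEAM_ID'],
  win32: ['WINDOWS_SIGN_PARAMS']
}

// Fail closed: a release build must not continue with missing credentials.
function requireEnv (env, names) {
  const missing = names.filter((n) => !env[n] || env[n].trim() === '')
  if (missing.length > 0) {
    throw new Error(`Missing signing settings: ${missing.join(', ')}`)
  }
}

// Returns the signing part of the options object passed to packager().
function buildSigningOptions (platform, env = process.env) {
  if (!Object.prototype.hasOwnProperty.call(REQUIRED, platform)) {
    throw new Error(`No signing setup for platform: ${platform}`)
  }
  requireEnv(env, REQUIRED[platform])
  if (platform === 'darwin') {
    return {
      osxSign: {},
      osxNotarize: {
        appleId: env.APPLE_ID,
        appleIdPassword: env.APPLE_PASSWORD,
        teamId: env.APPLE_TEAM_ID // assumed required (notarytool-based notarization)
      }
    }
  }
  const windowsSign = { signWithParams: env.WINDOWS_SIGN_PARAMS }
  // Optional: only set when signtool.exe is replaced by a vendor CLI.
  if (env.WINDOWS_SIGNTOOL_PATH) windowsSign.signToolPath = env.WINDOWS_SIGNTOOL_PATH
  return { windowsSign }
}

// Deep copy that is safe to print in CI logs. signWithParams is treated as
// sensitive on the assumption that it may carry tokens or key identifiers.
function redactForLog (options) {
  const secretKeys = new Set(['appleIdPassword', 'signWithParams'])
  return JSON.parse(JSON.stringify(options, (key, value) =>
    secretKeys.has(key) ? '[redacted]' : value))
}

// Usage: packager({ dir: '/path/to/my/app', ...buildSigningOptions(process.platform) })
```
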

Using electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. This is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

const electronInstaller = require('electron-winstaller')

// createWindowsInstaller() returns a promise. CommonJS modules have no
// top-level await, so the call is wrapped in an async function.
async function buildInstaller () {
  try {
    await electronInstaller.createWindowsInstaller({
      appDirectory: '/tmp/build/my-app-64',
      outputDirectory: '/tmp/build/installer64',
      authors: 'My App Inc.',
      exe: 'myapp.exe',
      windowsSign: {
        signWithParams: '--my=custom --parameters',
        // If signtool.exe does not work for you, customize!
        signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
      }
    })
    console.log('It worked!')
  } catch (e) {
    console.log(`No dice: ${e.message}`)
  }
}

buildInstaller()

For full configuration options, check out the electron-winstaller repository!

Using electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. This is the tool used under the hood by Electron Forge's MSI Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

import { MSICreator } from 'electron-wix-msi'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
  appDirectory: '/path/to/built/app',
  description: 'My amazing Kitten simulator',
  exe: 'kittens',
  name: 'Kittens',
  manufacturer: 'Kitten Technologies',
  version: '1.1.2',
  outputDirectory: '/path/to/output/folder',
  windowsSign: {
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign support binaries if you
// sign your binaries as part of your packaging script
for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
  // signFile() stands for your own signing routine; it is not
  // defined in this snippet.
  await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For full configuration options, check out the electron-wix-msi repository!

Using Electron Builder

Electron Builder comes with a custom solution for signing your application. You can find its documentation here.

Using Azure Trusted Signing

Azure Trusted Signing is Microsoft's modern cloud-based alternative to EV certificates. It is the cheapest option for code signing on Windows, and it gets rid of SmartScreen warnings.

As of October 2025, Azure Trusted Signing is available to US and Canada-based organizations with 3+ years of verifiable business history and to individual developers in the US and Canada. Microsoft is looking to make the program more widely available. If you're reading this at a later point, it could make sense to check if the eligibility criteria have changed.

Using jsign for Azure Trusted Signing

For developers on Linux or macOS, jsign can be used to sign Windows apps via Azure Trusted Signing. Example usage:

jsign --storetype TRUSTEDSIGNING \
  --keystore https://eus.codesigning.azure.net/ \
  --storepass "$AZURE_ACCESS_TOKEN" \
  --alias trusted-sign-acct/AppName \
  --tsaurl http://timestamp.acs.microsoft.com/ \
  --tsmode RFC3161 \
  --replace <file>

Using Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Instructions for Azure Trusted Signing can be found here.

Using Electron Builder

The Electron Builder documentation for Azure Trusted Signing can be found here.

Signing Windows Store applications

See the Windows Store Guide.