
Code Signing

Code signing is a security technology to certify that an app was created by you. You should sign your application so it does not trigger any operating system security warnings.

[Screenshot: macOS Sonoma Gatekeeper warning, "The app is damaged"]

Both Windows and macOS prevent users from running unsigned applications. It is possible to distribute applications without code signing them, but users then need to go through several advanced, manual steps before the app will run.

If you are building an Electron app that you intend to package and distribute, it should be code signed. The Electron ecosystem tooling makes code signing your apps straightforward; this document explains how to sign your apps on both Windows and macOS.

Signing & notarizing macOS builds

Preparing a macOS application for release requires two steps. First, the app needs to be code signed. Then the app needs to be uploaded to Apple for a process called notarization, where automated systems further verify that your app isn't doing anything to endanger its users.

To start the process, ensure that you fulfill the requirements for signing and notarizing your app:

  1. Enroll in the Apple Developer Program (requires an annual fee)

  2. Download and install Xcode (this requires a computer running macOS)

  3. Generate, download, and install signing certificates

Electron's ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.

Using Electron Forge

If you're using Electron Forge, Electron's favorite build tool, getting your application signed and notarized requires only a few additions to your configuration. Forge is a collection of the official Electron tools, using @electron/packager, @electron/osx-sign, and @electron/notarize under the hood.

Detailed instructions on how to configure your application can be found in the Signing macOS Apps guide in the Electron Forge docs.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/osx-sign and @electron/notarize.

If you're using Packager's API, you can pass in configuration that both signs and notarizes your application. If the example below does not meet your needs, see @electron/osx-sign and @electron/notarize for the many possible configuration options.

const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  // An empty object lets @electron/osx-sign pick the Developer ID identity and
  // enable the hardened runtime, which notarization requires
  osxSign: {},
  osxNotarize: {
    // Use an app-specific password, not the account password, and read these
    // values from the environment or a secret store rather than hard-coding them
    appleId: 'felix@felix.fun',
    appleIdPassword: 'my-apple-id-password',
    // Required by notarytool (the default since @electron/notarize 2.x);
    // 'XXXXXXXXXX' is a placeholder for your 10-character Apple team ID
    teamId: 'XXXXXXXXXX'
  }
})

Signing Mac App Store applications

See the Mac App Store Guide.

Signing Windows builds

Before you can code sign your application, you need to acquire a code signing certificate. Unlike Apple, Microsoft allows developers to purchase those certificates on the open market. They are usually sold by the same companies that also offer HTTPS certificates. Prices vary, so it may be worth your time to shop around. Popular resellers include:

It is important to call out that since June 2023, Microsoft requires software to be signed with an "extended validation" certificate, also called an "EV code signing certificate". In the past, developers could sign software with a simpler and cheaper certificate, called an "Authenticode code signing certificate" or "software-based OV certificate". These simpler certificates no longer provide a benefit: Windows will treat your app as completely unsigned and display the equivalent warning dialogs.

EV certificates must be stored on a hardware security module compliant with FIPS 140-2 Level 2, Common Criteria EAL 4+ or equivalent. In other words, the private key cannot simply be downloaded onto your CI infrastructure. In practice, those modules look like fancy USB thumb drives.

Many certificate providers now offer "cloud-based signing": the signing hardware sits in their data center and you use it to sign code remotely. This approach is popular with Electron maintainers since it makes signing your applications in CI (GitHub Actions, CircleCI, etc.) relatively easy.

At the time of writing, Electron's own apps use DigiCert KeyLocker, but any provider that offers a command line tool for signing files will be compatible with Electron's tooling.

All tools in the Electron ecosystem use @electron/windows-sign and typically expose its configuration options through a windowsSign property. You can either use @electron/windows-sign to sign files directly, or use the same windowsSign configuration across Electron Forge, @electron/packager, electron-winstaller, and electron-wix-msi.

Using Electron Forge

Electron Forge is the recommended way to sign your app as well as your Squirrel.Windows and WiX MSI installers. Detailed instructions on how to configure your application can be found in the Electron Forge Code Signing Tutorial.

Using Electron Packager

If you're not using an integrated build pipeline like Forge, you are likely using @electron/packager, which includes @electron/windows-sign.

If you're using Packager's API, you can pass in configuration that signs your application. If the example below does not meet your needs, see @electron/windows-sign for the many possible configuration options.

const packager = require('@electron/packager')

packager({
  dir: '/path/to/my/app',
  windowsSign: {
    // Parameters handed through to the signing tool
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})

Using electron-winstaller (Squirrel.Windows)

electron-winstaller is a package that can generate Squirrel.Windows installers for your Electron app. It is the tool used under the hood by Electron Forge's Squirrel.Windows Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

const electronInstaller = require('electron-winstaller')

// In a CommonJS module `await` must sit inside an async function;
// top-level await is only available in ES modules.
async function buildInstaller () {
  try {
    await electronInstaller.createWindowsInstaller({
      appDirectory: '/tmp/build/my-app-64',
      outputDirectory: '/tmp/build/installer64',
      authors: 'My App Inc.',
      exe: 'myapp.exe',
      windowsSign: {
        // Parameters handed through to the signing tool
        signWithParams: '--my=custom --parameters',
        // If signtool.exe does not work for you, customize!
        signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
      }
    })
    console.log('It worked!')
  } catch (e) {
    console.log(`No dice: ${e.message}`)
  }
}

buildInstaller()

For the full configuration options, check out the electron-winstaller repository.

Using electron-wix-msi (WiX MSI)

electron-wix-msi is a package that can generate MSI installers for your Electron app. It is the tool used under the hood by Electron Forge's MSI Maker. Just like @electron/packager, it uses @electron/windows-sign under the hood and supports the same windowsSign options.

import { MSICreator } from 'electron-wix-msi'
// signFile is your own helper for signing a single file (for example a thin
// wrapper around @electron/windows-sign or your provider's CLI); the module
// path is a placeholder, electron-wix-msi does not provide it
import { signFile } from './sign-file.js'

// Step 1: Instantiate the MSICreator
const msiCreator = new MSICreator({
  appDirectory: '/path/to/built/app',
  description: 'My amazing Kitten simulator',
  exe: 'kittens',
  name: 'Kittens',
  manufacturer: 'Kitten Technologies',
  version: '1.1.2',
  outputDirectory: '/path/to/output/folder',
  windowsSign: {
    // Parameters handed through to the signing tool
    signWithParams: '--my=custom --parameters',
    // If signtool.exe does not work for you, customize!
    signToolPath: 'C:\\Path\\To\\my-custom-tool.exe'
  }
})

// Step 2: Create a .wxs template file
const supportBinaries = await msiCreator.create()

// 🆕 Step 2a: optionally sign the support binaries if you sign your
// binaries as part of your packaging script
for (const binary of supportBinaries) {
  // Binaries are the new stub executable and optionally
  // the Squirrel auto updater.
  await signFile(binary)
}

// Step 3: Compile the template to a .msi file
await msiCreator.compile()

For the full configuration options, check out the electron-wix-msi repository.

Using Electron Builder

Electron Builder comes with its own solution for signing your application. You can find its documentation here.

Signing Windows Store applications

See the Windows Store Guide.