EV Code Signing with Electron Builder

If you want to publish an Electron app on Windows, you don't really have a choice: you need an EV code signing certificate. If you don't, your users will be bombarded every step of the way by browsers, anti-virus, and Windows itself telling them that they've just downloaded malware and their computer is about to explode. And that's only a slight exaggeration.

The problem is that this is a gigantic pain in the ass with sparse documentation. I recently had to go through it for our company's photo app Optyx, so I'm documenting it for myself, but hopefully it helps you too :)

Prerequisites

If you're interested in EV signing and found this article, you probably already meet all of these criteria, but it's worth going over anyway.

  • You have an Electron application that can be built with electron-builder.
  • You have an LLC / S Corp / C Corp / other legal entity that distributes the software to which the EV certificate can be issued.
  • Your entity has a D-U-N-S number. If you're part of Apple's Developer Program with publishing rights you were probably already assigned a D-U-N-S number.

Steps

1. Get the certificate and physical key

First, you'll need to go through a certificate authority to purchase an EV code signing certificate. This company does the work of validating that you're a real company with real humans who can be sued if you publish malware. I chose SSL.com because they were the cheapest (~$250/year for 3 years), but they were pretty slow and unresponsive (the process took ~4 weeks), so if you're on a tight deadline there are several other options out there that might be better.

After they verify your entity, you'll be shipped a physical USB device in the mail. This is your certificate's private key. DO NOT LOSE THIS.

2. Set up the key

Unfortunately this next part varies wildly depending on where you purchased your certificate and private key. For me there was minimal setup following my provider's instructions.

I just plugged in the USB key and ran the provider's software suite, clicking through to install the keys onto my system. Setup was this minimal, unfortunately, because the key is operated manually and requires a passcode to be entered every time something is signed (boo, no automation). We'll talk more about this later.

3. Configure electron-builder

Next we need to tell electron-builder to use our EV certificate. This can go a couple of different ways depending on your path in step 2.

3.1 Using a System-Installed Certificate

If you installed your certificate into the Windows system certificate store (like my steps for SSL.com), then all you need to do is specify the certificate's subject name when you build your Electron package, and electron-builder figures out the rest.

electron-builder -c.win.certificateSubjectName="<INSERT ENTITY NAME HERE>"

3.2 Using a Bundled Certificate

If you are using a bundled certificate (.p12 file), then you'll need to specify the path to the certificate as well as the passphrase as environment variables for electron-builder to use when signing.

export CSC_LINK="./path/to/certificate.p12"
export CSC_KEY_PASSWORD="<INSERT YOUR PASSWORD HERE>"
electron-builder

3.2.1 Convert the certificate to .p12

If you didn't get a bundled certificate from your provider, search their knowledgebase for any articles on using their software to export one (example). The steps might look something like the following.

Your certificate provider will likely prompt you to download a signed certificate. Unlike regular code signing certificates, this will not have an accompanying private key. Remember, your physical USB device is the private key now!

You'll still need to convert the .crt to a .p12 in order to work with electron-builder. If your certificate authority offered both a bundled (chained) and a non-bundled cert, I used the bundled one for this step.

openssl pkcs12 -export \
  -in ./MyCorpEVCertificate.chained.crt \
  -out ./WindowsEVCodeSigningCert.p12 \
  -nokeys
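To tie step 3 together, here is a pre-flight script that checks whichever signing configuration you picked before the build runs. This is an added example, not code from the post or from electron-builder. CSC_LINK and CSC_KEY_PASSWORD are the real electron-builder variables used above; WIN_CERT_SUBJECT is a name assumed here for passing the subject name in, and sign-preflight.sh is an assumed file name.

```shell
#!/bin/sh
# Added example, not part of the original post or of electron-builder:
# pre-flight checks for the two signing modes from step 3.
# CSC_LINK / CSC_KEY_PASSWORD are electron-builder's own variables;
# WIN_CERT_SUBJECT is a name assumed here for the certificate subject.

# Validate a bundled certificate: .p12/.pfx extension, file present, and
# a mode with no group/other read bits (the export password protects the
# bundle, but it should not be world-readable either). Errors go to stderr.
check_bundled_cert() {
  cert="$1"
  case "$cert" in
    *.p12|*.pfx) ;;
    *) echo "CSC_LINK must point to a .p12/.pfx file: $cert" >&2; return 1 ;;
  esac
  [ -f "$cert" ] || { echo "certificate file not found: $cert" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
  mode=$(stat -c '%a' "$cert" 2>/dev/null || stat -f '%Lp' "$cert")
  case "$mode" in
    *00) ;;
    *) echo "certificate file is readable by group/others (mode $mode): $cert" >&2; return 1 ;;
  esac
  return 0
}

# Pick exactly one signing mode from the environment and print the
# electron-builder command for it. Exit status: 0 usable, 1 bad config,
# 2 both modes configured at once.
build_command() {
  if [ -n "$WIN_CERT_SUBJECT" ] && [ -n "$CSC_LINK" ]; then
    echo "both WIN_CERT_SUBJECT and CSC_LINK are set; choose one signing mode" >&2
    return 2
  fi
  if [ -n "$WIN_CERT_SUBJECT" ]; then
    # Subject-name mode (3.1): the cert lives in the Windows store, nothing to check on disk.
    printf 'electron-builder -c.win.certificateSubjectName="%s"\n' "$WIN_CERT_SUBJECT"
    return 0
  fi
  if [ -n "$CSC_LINK" ]; then
    # Bundled mode (3.2): electron-builder reads CSC_LINK/CSC_KEY_PASSWORD itself.
    check_bundled_cert "$CSC_LINK" || return 1
    [ -n "$CSC_KEY_PASSWORD" ] || { echo "CSC_KEY_PASSWORD is empty" >&2; return 1; }
    echo "electron-builder"
    return 0
  fi
  echo "no signing configuration: set WIN_CERT_SUBJECT or CSC_LINK" >&2
  return 1
}

# When run as ./sign-preflight.sh (assumed file name), print the command and
# stop with a non-zero status if the configuration is unusable.
case "$0" in
  *sign-preflight.sh) build_command && echo "signing configuration looks usable" >&2 ;;
esac
```

Run it as `WIN_CERT_SUBJECT="My Corp LLC" ./sign-preflight.sh` for the subject-name path, or with CSC_LINK and CSC_KEY_PASSWORD exported for the bundled path; a CI step can gate the real build on its exit status. The permission check deliberately refuses a .p12 that anyone else on the build machine can read, even though the bundle exported with -nokeys holds no private key.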

4. Profit 🤑🤑🤑

Enjoy your newly signed executable that won't be automatically flagged as malware by every browser and anti-virus on the planet! 🎉

References

Actually useful...

https://support.yubico.com/hc/en-us/articles/360016614840-Code-Signing-with-the-YubiKey-on-Windows
https://www.ssl.com/how-to/using-your-code-signing-certificate/

Not actually helpful in the end but closely related...

https://interactiveknowledge.com/insights/how-code-sign-electron-app-windows
https://electricui.com/docs/release/code-signing
https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing/54439759#54439759