Windows Application Signing in Electron
Preface
Windows code signing is a dual signature: Windows is dual code-signed (SHA1 & SHA256 hashing algorithms).
- Code Signing | Electron
- Signing a Windows app - Electron Forge
- Code Signing - electron-builder
- Signing and certificates - Hydraulic Conveyor
What signing does
Preventing the system's security prompts
On Windows, the system assigns a trust level to your code signing certificate which, if you don't have one, or if your trust level is low, will cause security dialogs to appear when users start using your application. Trust level builds over time, so it's better to start code signing as early as possible.
In return for this you’re purchasing some initial reputation with the Windows SmartScreen download filter. SmartScreen checks downloaded apps against a database to find out how often the app vendor is seen. Vendors whose apps are downloaded very rarely yield warning screens suggesting caution (though the app can still be run by accepting the warning). The intuition here is that viruses are often polymorphic and constantly rewrite themselves to evade detection, so a program that’s brand new and rarely seen might be a virus.
Certificate types
You can get an Authenticode code signing certificate (Authenticode Digital Signatures - Windows drivers | Microsoft Learn) from many vendors.
Both types of certificate accumulate reputation, but an EV certificate reaches the threshold at which the warnings disappear much faster.
Code Signing - electron-builder
OV certificates
These also have to be purchased. Electron 在 Windows 下的代码签名 - oldj's blog
Configuring erb
An OV certificate has to be exported and then configured; Windows will still block the app, so it is not suitable for enterprise use.
EV certificates
More expensive, delivered on a USB token. Electron 使用 EV 代码签名证书 - oldj's blog
Install the certificate client
Configure erb
- An EV certificate only needs one setting:
certificateSubjectName
How signing works
On Windows, apps are signed using Sign Tool, which is included in Visual Studio. Install Visual Studio to get the signing utility (the free Community Edition is enough).
What gets signed
Unlike on Mac, on Windows it is the installer that gets signed: On Windows, Electron apps are signed on the installer level at the Make step.
Using signtool on its own
Signing
After downloading signtool locally, it can be placed in the project:
./vendor/signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a /n "Nanjing IvyScience Information Technology Co., Ltd." /d "WPS Addon" ./install.exe
It will still bring up the certificate prompt and ask for the password.
How to sign with an EV certificate
I am using EV signing, which requires installing the certificate tool first: How to download SafeNet Authentication Client. Then plug in the USB token so the certificate can be read.
When used together with PowerShell v7, I hit an issue at the signing stage: Issue with code signing with an EV certificate on Windows · Issue #7729 · electron-userland/electron-builder
How to use an EV certificate non-interactively
Signing and certificates - Hydraulic Conveyor mentions:
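The dual signature mentioned in the preface (SHA1 and SHA256) is produced by running signtool twice, the second time with /as so the SHA256 signature is appended instead of replacing the first. The script below is an added example, not code from the original post; it assumes signtool.exe is on PATH (or passed via -SignTool), that the certificate is reachable through /a /n (Windows certificate store, or the EV USB token with the SafeNet client installed), and the subject name is a placeholder.

```powershell
# Added example (not from the original post): dual-sign an installer with
# signtool and then verify the result. Assumes signtool.exe is on PATH (or
# passed via -SignTool) and that the signing certificate is in the Windows
# certificate store or on the EV USB token, so that /a /n can select it.
param(
    [string]$File      = ".\install.exe",                 # the NSIS/Squirrel installer to sign
    [string]$Subject   = "<Company Name from the certificate>",  # placeholder, replace before use
    [string]$Desc      = "WPS Addon",                     # shown in the UAC / properties dialog
    [string]$SignTool  = "signtool",
    [string]$Timestamp = "http://timestamp.digicert.com"  # serves both /t and /tr requests
)
$ErrorActionPreference = "Stop"

function Invoke-SignTool([string[]]$ArgList) {
    & $SignTool @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): $($ArgList -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest with an Authenticode (/t) timestamp,
#    for older Windows versions that cannot validate SHA-256 signatures.
Invoke-SignTool @("sign", "/a", "/n", $Subject, "/d", $Desc,
                  "/fd", "sha1", "/t", $Timestamp, $File)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 timestamp
#    (/tr plus /td). Without /as this step would overwrite the SHA-1 signature.
Invoke-SignTool @("sign", "/a", "/n", $Subject, "/d", $Desc, "/as",
                  "/fd", "sha256", "/tr", $Timestamp, "/td", "sha256", $File)

# 3. Verify against the default Authenticode policy (/pa) and list every
#    signature on the file (/all); a non-zero exit code means a broken chain.
Invoke-SignTool @("verify", "/pa", "/v", "/all", $File)

# 4. Independent check from PowerShell. Note that Get-AuthenticodeSignature
#    reports only the primary (first) signature, not the appended one.
$sig = Get-AuthenticodeSignature -FilePath $File
[pscustomobject]@{
    Status      = $sig.Status                          # expect "Valid"
    Signer      = $sig.SignerCertificate.Subject       # must match $Subject
    TimeStamper = $sig.TimeStamperCertificate.Subject  # empty means no timestamp
}
```

With an EV token, step 1 and step 2 each trigger the SafeNet password prompt unless Enable single logon is turned on in the client settings.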
The distinction only matters for Windows. An Extended Validation certificate costs more money, is harder to get and must be protected by a hardware security module (HSM), normally in the form of a USB token that’s physically mailed to you. Conveyor supports HSMs via the standard PKCS#11 interface, which they all support.
How to sign with the key on the USB token: Keys and certificates - Hydraulic Conveyor
Reducing repeated SafeNet Client password prompts
In the client settings, turn on Enable single logon.
Online signing solutions
- SSL.com eSigner
- DigiCert ONE
Pitfalls
- electron-builder: the generated Windows installer is NSIS, which is highly customizable. Auto-update also targets the NSIS type, which is why the install directory contains elevate.exe.
- forge: the generated Windows installer is Squirrel.Windows, and auto-update uses Electron's built-in module.
- electron-builder fails when run under PowerShell v7: Issue with code signing with an EV certificate on Windows · Issue #7729 · electron-userland/electron-builder
- Windows code signing is a dual signature: Windows is dual code-signed (SHA1 & SHA256 hashing algorithms).
- The built software can be checked using Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn.