Skip to content
This repository has been archived by the owner on Jun 17, 2021. It is now read-only.

Signing Guppy for Windows #223

Open
joshwcomeau opened this issue Sep 7, 2018 · 2 comments
Open

Signing Guppy for Windows #223

joshwcomeau opened this issue Sep 7, 2018 · 2 comments
Labels
upcoming feature New feature or request

Comments

@joshwcomeau
Copy link
Owner

This is something we've spoken about on Gitter, but I thought I'd create an issue so that we can track it.

As like in #222, we need to sign our code so that it can be easily opened. The process is similar, but not exactly the same, for Windows users.

It might make sense to tackle #26 first, as Electron Builder handles Windows signing as well.

I'm happy to purchase the certificate, but my Windows VM is a pain to work from, so it'd be awesome if someone else wanted to take the lead on this :)

More info:
https://electronjs.org/docs/tutorial/code-signing

@joshwcomeau joshwcomeau added the upcoming feature New feature or request label Sep 7, 2018
@superhawk610
Copy link
Collaborator

@AWolf81 has demonstrated experience with this, I think he should take point.

@AWolf81
Copy link
Collaborator

AWolf81 commented Sep 11, 2018

Sure, I can support with the signing and summarize my experience with code signing here.

I've purchased an open source code signing certificate with a signing hardware here for this Firefox extension. I purchased it last year and it was the cheapest option to get code signing. (I think it's still the cheapest but I haven't done a new research).

I've seen that there is a new option with-out signing hardware, it's called cloud signing. I would buy this - it's also cheaper. It requires simplySign to be installed for certificate generation.

I've signed the installer (the app executable is not signed there as windows wasn't complaining about it). Windows only had a problem with the installer so I signed it but the app could be signed as well. The installer is created with a Windows tool called InnoSetup.

For InnoSetup there needs to be created one configuration file to configure how the installation wizard will work. A basic setup is pretty straight forward and it also triggers the code signing of the installer.

I think the installer can be simple as it will only extracts the bundle and copy it to C:\Users\<UserName>\Guppy and creates a desktop icon. No elevated rights required as it's only installed for the current user.

Code signing
After purchasing it took some time until I received the signing hardware - you could start faster if you're using the cloud service. It's an usb stick that you need during signing. It's storing a token for authentication that it is you. This is the important part for the certificate authority. I think they also requested a copy of my ID card after sign up.

The signing is tied to one developer, so in the prompt during installation there will be the info that Alexander Wolf, open source developer signed it.

For signing you need to install Windows SDK (during install deselect all and just select Windows SDK signing tools size 5MB) so you have the command line tool signtool available. Add the following to path "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool" or "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64" so signtool.exe is available. Signtool also requires the dot net framework (just if it's not available).

Once you have the signtool and the certificate ready you can sign the file with a command like signtool sign /f MyCert.pfx /p MyPassword MyFile.exe or trigger it from Electron-build / InnoSetup.

Update
OK, I tested electron-builder branch and I noticed that a separate installer is not needed with electron-builder. It's already managing installation. So InnoSetup is not needed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
upcoming feature New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants