Home

Awesome

@electron/windows-sign npm

Codesign your app for Windows. Made for Electron but really supports any folder with binary files. electron-windows-sign scans a folder for signable files and codesigns them with both SHA-1 and SHA-256. It can be highly customized and used either programmatically or on the command line.

This tool is particularly useful if you want to code sign Electron or other Windows binaries with an EV certificate or an HSM setup (like DigiCert KeyLocker, AWS CloudHSM, Azure Key Vault HSM, Google Cloud Key Management Service HSM, and other similar services). For more details on how you'd exactly do that, please see Use with Cloud HSM Providers below.

Requirements

By default, this module spawns signtool.exe and needs to run on Windows. If you're building an Electron app and care enough to codesign them, I would heavily recommend that you build and test your apps on the platforms you're building for.

Usage

Most developers of Electron apps will likely not use this module directly - and instead use it indirectly instead. If you are one of those developers who is using a module like @electron/forge or @electron/packager, you can configure this module with global environment variables. If that describes you, you can skip ahead to your use case:

Direct Usage

@electron/windows-codesign is built to both esm and cjs and can be used both as a module as well as directly from the command line.

import { sign } from "@electron/windows-sign"
// or const { sign } = require("@electron/windows-sign")

await sign(signOptions)
electron-windows-sign $PATH_TO_APP_DIRECTORY [options ...]

With a certificate file and password

This is the "traditional" way to codesign Electron apps on Windows. You pass in a certificate file (like a .pfx) and a password, which will then be passed to a built-in version of signtool.exe taken directly from the Windows SDK.

await sign({
  appDirectory: "C:\\Path\\To\\App",
  // or process.env.WINDOWS_CERTIFICATE_FILE
  certificateFile: "C:\\Cert.pfx",
  // or process.env.WINDOWS_CERTIFICATE_PASSWORD 
  certificatePassword: "hunter99"
})
electron-windows-sign $PATH_TO_APP_DIRECTORY --certificate-file=$PATH_TO_CERT --certificate-password=$CERT-PASSWORD

Full configuration

// Path to a timestamp server. Defaults to http://timestamp.digicert.com
// Can also be passed as process.env.WINDOWS_TIMESTAMP_SERVER
timestampServer = "http://timestamp.digicert.com"
// Description of the signed content. Will be passed to signtool.exe as /d
// Can also be passed as process.env.WINDOWS_SIGN_DESCRIPTION
description = "My content"
// URL of the signed content. Will be passed to signtool.exe as /du
// Can also be passed as process.env.WINDOWS_SIGN_WEBSITE
website = "https://mywebsite.com"
// If enabled, attempt to sign .js JavaScript files. Disabled by default
signJavaScript = true
// If unspecified, both sha1 and sha256 signatures will be appended. Will be passed to signtool.exe as the /fd option.
hashes = ["sha256"]

With a custom signtool.exe or custom parameters

Sometimes, you need to specify specific signing parameters or use a different version of signtool.exe. In this mode, @electron/windows-sign will call the provided binary with the provided parameters for each file to sign.

If you only provide signToolPath, the default parameters will be used. If you only provide signWithParams, the default signtool.exe will be used.

All the additional configuration mentioned above is also available here, but only used if you do not provide your own parameters.

await sign({
  appDirectory: "C:\\Path\\To\\App",
  // or process.env.WINDOWS_CERTIFICATE_FILE
  certificateFile: "C:\\Cert.pfx", 
  // or process.env.WINDOWS_CERTIFICATE_PASSWORD
  certificatePassword: "hunter99",
  // or process.env.WINDOWS_SIGNTOOL_PATH
  signToolPath: "C:\\Path\\To\\my-custom-tool.exe",
  // or process.env.WINDOWS_SIGN_WITH_PARAMS
  signWithParams: "--my=custom --parameters"
})
electron-windows-sign $PATH_TO_APP_DIRECTORY --sign-tool-path=$PATH_TO_TOOL --sign-with-params="--my=custom --parameters"

With a custom hook function

Sometimes, you just want all modules depending on @electron/windows-sign to call your completely custom logic. You can either specify a hookFunction (if you're calling this module yourself) or a hookModulePath, which this module will attempt to require.

Using the hookModulePath has the benefit that you can override how any other users of this module (like @electron/packager) codesign your app.

await sign({
  // A function with the following signature:
  // (fileToSign: string) => void | Promise<void>
  //
  // This function will be called sequentially for each file that 
  // @electron/windows-sign wants to sign.
  hookFunction: myHookFunction
  // Path to a hook module.
  hookModulePath: "C:\\Path\\To\\my-hook-module.js",
})

Your hook module should either directly export a function or export a default function.

// Good:
module.exports = function (filePath) {
  console.log(`Path to file to sign: ${filePath}`)
}

// Good:
module.exports = async function (filePath) {
  console.log(`Path to file to sign: ${filePath}`)
}

// Good:
export default async function (filePath) {
  console.log(`Path to file to sign: ${filePath}`)
}

// Bad:
module.exports = {
  myCustomHookName: function (filePath) {
    console.log(`Path to file to sign: ${filePath}`)
  }
}

// Bad:
export async function myCustomHookName(filePath) {
  console.log(`Path to file to sign: ${filePath}`)
}
SYNOPSIS
  electron-windows-sign app [options ...]

DESCRIPTION
  app
    Path to the application to sign.  It must be a directory.

  certificate-file
    Path to the certificate file (.pfx) to use for signing. Uses 
    environment variable WINDOWS_CERTIFICATE_FILE if not provided.

  certificate-password
    Password to use for the certificate. Uses environment variable
    WINDOWS_CERTIFICATE_PASSWORD if not provided.

  sign-tool-path
    Path to the signtool.exe binary.  If not specified, the tool will attempt
    use a built-in version.

  timestamp-server
    URL of the timestamp server to use.  If not specified, the tool will
    attempt to use a built-in server (http://timestamp.digicert.com)

  description
    Description to use for the signed files. Passed as /d to signtool.exe.

  website
    URL of the website to use for the signed files. Passed as /du to
    signtool.exe.

  sign-with-params
    Additional parameters to pass to signtool.exe.  This can be used to
    specify additional certificates to use for cross-signing.

  automatically-select-certificate
    Automatically select the best certificate to use for signing. On by default.

  help
    Print this usage information.

  debug
    Print additional debug information.

File Types

This tool will aggressively attempt to sign all files that can be signed, excluding scripts.

If you do want to sign JavaScript, please enable it with the signJavaScript parameter. As far as we are aware, there are no benefits to signing JavaScript files, so we do not by default.

Use with Cloud HSM Providers

Since 2023, Microsoft requires that Windows software be signed with an extended validation (EV) certificate in order to avoid a Windows Defender popup. This presents a challenge for developers who are used to building and signing in the cloud or some continuous integration setup like GitHub Actions, CircleCI, Travis CI, or AppVeyor because EV certificates require a Hardware Security Module (HSM). Or, in simpler words: If you want to code sign your Windows software so that your customers don't see a scary Windows Defender dialog, you need to code sign on a computer with a USB device plugged in.

The industry has an answer to this problem: Services like DigiCert KeyLocker, AWS CloudHSM, Azure Key Vault HSM, or Google Cloud Key Management Service HSM allow code signing binaries with an Extended Validation (EV) certificate from the cloud. @electron/windows-sign is compatible with all of these services.

Custom signtool parameters

Most services allow signing your code with Microsoft's signtool.exe. Let's take DigiCert KeyLocker as an example. DigiCert's documentation explains the steps necessary to setup your signing machine. Once done, you can sign with the following call:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed> 

To sign with @electron/windows-sign using those instructions, you would take the parameters and add them to signWithParams:

await sign({
  signWithParams: "/csp \"DigiCert Signing Manager KSP\" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256"
})

Both Google's and Amazon's solutions similarly allow you to sign with Microsoft's SignTool. Documentation for Google can be found here, Amazon's lives here.

Custom signtool.exe

Some providers provide drop-in replacements for signtool.exe. If that's the case, simply pass the path to that replacement:

await sign({
  // or process.env.WINDOWS_SIGNTOOL_PATH
  signToolPath: "C:\\Path\\To\\my-custom-tool.exe",
})

Fully custom process

If your HSM provider has a more complex setup, you might have to call a custom file with custom parameters. If that's the case, use a hook function or hook module, which allows you to completely customize what to do with each file that @electron/windows-sign wants to sign. More documentation about this option can be found in the "Signing with a custom hook function" section above.

License

BSD 2-Clause "Simplified". Please see LICENSE for details.