
Signing Guppy for Windows

Open joshwcomeau opened this issue 5 years ago • 2 comments

This is something we've spoken about on Gitter, but I thought I'd create an issue so that we can track it.

As in #222, we need to sign our code so that it can be easily opened. The process is similar, but not exactly the same, for Windows users.

It might make sense to tackle #26 first, as Electron Builder handles Windows signing as well.

I'm happy to purchase the certificate, but my Windows VM is a pain to work from, so it'd be awesome if someone else wanted to take the lead on this :)

More info: https://electronjs.org/docs/tutorial/code-signing

joshwcomeau, Sep 07 '18 11:09

@AWolf81 has demonstrated experience with this, I think he should take point.

superhawk610, Sep 08 '18 00:09

Sure, I can support with the signing and summarize my experience with code signing here.

I've purchased an open source code signing certificate with signing hardware here for this Firefox extension. I purchased it last year and it was the cheapest option to get code signing. (I think it's still the cheapest, but I haven't done new research.)

I've seen that there is a new option without signing hardware, it's called cloud signing. I would buy this - it's also cheaper. It requires simplySign to be installed for certificate generation.

I've signed the installer (the app executable is not signed there, as Windows wasn't complaining about it). Windows only had a problem with the installer, so I signed it, but the app could be signed as well. The installer is created with a Windows tool called InnoSetup.

For InnoSetup, one configuration file needs to be created to configure how the installation wizard will work. A basic setup is pretty straightforward and it also triggers the code signing of the installer.

I think the installer can be simple, as it will only extract the bundle, copy it to C:\Users\<UserName>\Guppy and create a desktop icon. No elevated rights are required as it's only installed for the current user.

Code signing

After purchasing, it took some time until I received the signing hardware - you could start faster if you're using the cloud service. It's a USB stick that you need during signing. It stores a token that authenticates that it is you. This is the important part for the certificate authority. I think they also requested a copy of my ID card after sign up.

The signing is tied to one developer, so in the prompt during installation there will be the info that Alexander Wolf, open source developer signed it.

For signing you need to install the Windows SDK (during install, deselect all and just select Windows SDK signing tools, size 5MB) so you have the command line tool signtool available. Add the following to PATH: "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool" or "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64", so signtool.exe is available. Signtool also requires the .NET Framework (only if it's not already available).

Once you have the signtool and the certificate ready you can sign the file with a command like signtool sign /f MyCert.pfx /p MyPassword MyFile.exe or trigger it from Electron-build / InnoSetup.

Update: OK, I tested the electron-builder branch and I noticed that a separate installer is not needed with electron-builder. It's already managing installation. So InnoSetup is not needed.

AWolf81, Sep 11 '18 20:09
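Added example (not from the thread or from the Guppy project): a PowerShell wrapper around the signtool command quoted above that adds an explicit SHA-256 file digest and an RFC 3161 timestamp, then verifies the result the way Windows will when a user launches the installer. It assumes signtool.exe is on PATH (see the SDK paths above), a .pfx certificate as in the thread's command, and the .pfx password in the CSC_KEY_PASSWORD environment variable (the name electron-builder also reads); the default timestamp server is a placeholder to replace with the one your CA provides.

```powershell
# Added example, not code from the thread. Sign a Windows build and verify it.
param(
    [Parameter(Mandatory)] [string] $File,       # e.g. .\dist\Guppy-Setup.exe (assumed name)
    [Parameter(Mandatory)] [string] $CertFile,   # e.g. .\MyCert.pfx, as in the thread's command
    [string] $TimestampUrl = 'http://timestamp.digicert.com'  # any RFC 3161 server your CA offers
)
$ErrorActionPreference = 'Stop'

# Read the password from the environment instead of placing it on the command line,
# where it would show up in shell history and process listings.
$password = $env:CSC_KEY_PASSWORD
if (-not $password) { throw 'Set CSC_KEY_PASSWORD to the .pfx password first.' }

# /fd SHA256 fixes the file digest algorithm (without it signtool warns and older
# versions fall back to SHA-1). /tr and /td add an RFC 3161 timestamp so the signature
# remains valid after the certificate itself expires.
& signtool.exe sign /f $CertFile /p $password /fd SHA256 /tr $TimestampUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the Authenticode policy (/pa): the chain must end at a trusted root,
# so a self-signed test certificate is rejected here, which is the point.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check from PowerShell: status, signer subject and timestamp presence.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) { throw 'Signature is not timestamped.' }
"Signed by:      $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Running the same verification step against the final installer in CI catches a build that was shipped unsigned, or signed with the wrong certificate, before users see the SmartScreen prompt.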