Electron学習ノート6コード署名
15161 ワード
コード署名
コード署名は、アプリケーションが作成されたことを証明するためのセキュリティ技術です.
macOSシステムは、予期せぬ変更や悪意のあるコードからの変更など、appに対する任意の変更をコード署名によって検出することができる.
On Windows, the system assigns a trust level to your code signing certificate which if you don’t have, or if your trust level is low, will cause security dialogs to appear when users start using your application. Trust level builds over time so it’s better to start code signing as early as possible.
開発者が署名されていないアプリケーションを公開することができても、私たちはそれをお勧めしません.Both Windows and macOS will, by default, prevent either the download or the execution of unsigned applications. Starting with macOS Catalina (version 10.15), users have to go through multiple manual steps to open unsigned applications.
macOS Catalina Gatekeeper warning: The app cannot be opened because the developer cannot be verified
ご覧のように、ユーザーには2つの選択肢があります.アプリケーションを直接削除するか、実行をキャンセルします.ユーザーにこのダイアログボックスを見せたくありません.
Electronアプリケーションを開発し、パッケージ化して公開する場合は、コード署名を追加する必要があります.
Signing & notarizing macOS builds
Properly preparing macOS applications for release requires two steps: First, the app needs to be code-signed. Then, the app needs to be uploaded to Apple for a process called “notarization”, where automated systems will further verify that your app isn’t doing anything to endanger its users.
To start the process, ensure that you fulfill the requirements for signing and notarizing your app:
Electron’s ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.
electron-forge
If you’re using Electron’s favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using [electron-packager], [electron-osx-sign], and [electron-notarize] under the hood.
Let’s take a look at an example configuration with all required fields. Not all of them are required: the tools will be clever enough to automatically find a suitable identity, for instance, but we recommend that you are explicit.
The plist file referenced here needs the following macOS-specific entitlements to assure the Apple security mechanisms that your app is doing these things without meaning any harm:
To see all of this in action, check out Electron Fiddle’s source code, especially its electron-forge configuration file.
electron-builder
Electron Builder comes with a custom solution for signing your application. You can find its documentation here.
electron-packager
If you’re not using an integrated build pipeline like Forge or Builder, you are likely using [electron-packager], which includes [electron-osx-sign] and [electron-notarize].
If you’re using Packager’s API, you can pass in configuration that both signs and notarizes your application.
The plist file referenced here needs the following macOS-specific entitlements to assure the Apple security mechanisms that your app is doing these things without meaning any harm:
Mac App Store
See the Mac App Store Guide.
Windowsアプリケーションに署名
Windowsアプリケーションに署名する前に、次の事項を完了する必要があります.
You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:
多くの方法でアプリケーションに署名することができます.
コード署名は、アプリケーションが作成されたことを証明するためのセキュリティ技術です.
macOSシステムは、予期せぬ変更や悪意のあるコードからの変更など、appに対する任意の変更をコード署名によって検出することができる.
On Windows, the system assigns a trust level to your code signing certificate which if you don’t have, or if your trust level is low, will cause security dialogs to appear when users start using your application. Trust level builds over time so it’s better to start code signing as early as possible.
開発者が署名されていないアプリケーションを公開することができても、私たちはそれをお勧めしません.Both Windows and macOS will, by default, prevent either the download or the execution of unsigned applications. Starting with macOS Catalina (version 10.15), users have to go through multiple manual steps to open unsigned applications.
macOS Catalina Gatekeeper warning: The app cannot be opened because the developer cannot be verified
ご覧のように、ユーザーには2つの選択肢があります.アプリケーションを直接削除するか、実行をキャンセルします.ユーザーにこのダイアログボックスを見せたくありません.
Electronアプリケーションを開発し、パッケージ化して公開する場合は、コード署名を追加する必要があります.
Signing & notarizing macOS builds
Properly preparing macOS applications for release requires two steps: First, the app needs to be code-signed. Then, the app needs to be uploaded to Apple for a process called “notarization”, where automated systems will further verify that your app isn’t doing anything to endanger its users.
To start the process, ensure that you fulfill the requirements for signing and notarizing your app:
Apple Developer Program( )
Download and install Xcode - this requires a computer running macOS
, , (signing certificates)
Electron’s ecosystem favors configuration and freedom, so there are multiple ways to get your application signed and notarized.
electron-forge
If you’re using Electron’s favorite build tool, getting your application signed and notarized requires a few additions to your configuration. Forge is a collection of the official Electron tools, using [electron-packager], [electron-osx-sign], and [electron-notarize] under the hood.
Let’s take a look at an example configuration with all required fields. Not all of them are required: the tools will be clever enough to automatically find a suitable identity, for instance, but we recommend that you are explicit.
{
"name": "my-app",
"version": "0.0.1",
"config": {
"forge": {
"packagerConfig": {
"osxSign": {
"identity": "Developer ID Application: Felix Rieseberg (LT94ZKYDCJ)",
"hardened-runtime": true,
"entitlements": "entitlements.plist",
"entitlements-inherit": "entitlements.plist",
"signature-flags": "library"
},
"osxNotarize": {
"appleId": "[email protected]",
"appleIdPassword": "my-apple-id-password",
}
}
}
}
}
The plist file referenced here needs the following macOS-specific entitlements to assure the Apple security mechanisms that your app is doing these things without meaning any harm:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
</dict>
</plist>
To see all of this in action, check out Electron Fiddle’s source code, especially its electron-forge configuration file.
electron-builder
Electron Builder comes with a custom solution for signing your application. You can find its documentation here.
electron-packager
If you’re not using an integrated build pipeline like Forge or Builder, you are likely using [electron-packager], which includes [electron-osx-sign] and [electron-notarize].
If you’re using Packager’s API, you can pass in configuration that both signs and notarizes your application.
const packager = require('electron-packager')
packager({
dir: '/path/to/my/app',
osxSign: {
identity: 'Developer ID Application: Felix Rieseberg (LT94ZKYDCJ)',
'hardened-runtime': true,
entitlements: 'entitlements.plist',
'entitlements-inherit': 'entitlements.plist',
'signature-flags': 'library'
},
osxNotarize: {
appleId: '[email protected]',
appleIdPassword: 'my-apple-id-password'
}
})
The plist file referenced here needs the following macOS-specific entitlements to assure the Apple security mechanisms that your app is doing these things without meaning any harm:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
</dict>
</plist>
Mac App Store
See the Mac App Store Guide.
Windowsアプリケーションに署名
Windowsアプリケーションに署名する前に、次の事項を完了する必要があります.
Get a Windows Authenticode code signing certificate (requires an annual fee)
Install Visual Studio to get the signing utility (the free Community Edition is enough)
You can get a code signing certificate from a lot of resellers. Prices vary, so it may be worth your time to shop around. Popular resellers include:
digicert
Comodo
GoDaddy
Amongst others, please shop around to find one that suits your needs, Google is your friend
多くの方法でアプリケーションに署名することができます.
[electron-winstaller] will generate an installer for windows and sign it for you
[electron-forge] can sign installers it generates through the Squirrel.Windows or MSI targets.
[electron-builder] windows 。