Signing Application

How to get a code signing certificate and configure your project to automatically sign your application for macOS and Windows.

Windows 

By code signing your application, you reassure users that they are downloading the legitimate executable of your app and not a malicious imitation. While not mandatory, code signing significantly enhances user trust and confidence in your application.

Prerequisites 

Getting a code signing certificate 

To sign your application, you need to acquire an Extended Validation (EV) Code Signing certificate from one of the supported certificate authorities like DigiCert, Sectigo (formerly Comodo), or GoDaddy.

There are two ways to sign your app: use a certificate stored on a FIPS 140 Level 2, Common Criteria EAL 4+ storage module, or use cloud-based code signing. Either way, you need to provide MōBrowser with the command that signs your application.

Configuring project 

To have MōBrowser sign your application, you need to set the following property in mobrowser.conf.json:

{
  "app": {
    "name": "App",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "Windows": {
        "icon": "assets/app.ico",
        "signCommand": "yourCodesignTool @@BINARY_PATH@@ --option"
      },
      ...
    },
    ...
  }
}

Here is a description of the value to set for this property:

| Property name | Property value |
| --- | --- |
| signCommand | The command to be used for code signing your application binary files. MōBrowser will execute this command multiple times. Each time it will replace @@BINARY_PATH@@ with the absolute path to an application binary that needs to be signed. The same command is also used for signing the application installer. |

Signing 

Once you set the signCommand property in mobrowser.conf.json, your application will be signed automatically whenever you build it on Windows:

npm run mobrowser build

macOS 

On macOS Catalina and later, Gatekeeper requires your application to be signed and notarized. Unsigned software cannot be run, so unlike code signing on Windows, this is not optional on macOS.

Prerequisites 

For more details, read the Notarizing macOS software before distribution article.

Creating a signing certificate 

To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. Follow the Create a certificate signing request article to create a CSR file.

Open the Certificates, IDs & Profiles page and click on the Add button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.

Downloading and installing certificate 

On the Certificates, IDs & Profiles page, click on the certificate you want to use and click the Download button.

Double-click on the downloaded certificate to install it using the Keychain Access app on your Mac computer.

Configuring project 

To have MōBrowser sign and notarize your application, you need to set the following properties in mobrowser.conf.json:

{
  "app": {
    "name": "App",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "macOS": {
        "icon": "assets/app.icns",
        "bundleID": "com.company.App",
        "codesignIdentity": "",
        "codesignEntitlements": "assets/entitlements.plist",
        "teamID": "",
        "appleID": "",
        "password": ""
      },
      ...
    },
    ...
  }
}

Here is a description of the values to set for these properties:

| Property name | Property value |
| --- | --- |
| bundleID | The bundle identifier of your application. It must be unique and in reverse-DNS format. For example, com.company.App. |
| codesignIdentity | This is the name of the certificate you created in the previous step. You can find the name of the certificate in the Keychain Access app on your Mac computer. |
| codesignEntitlements | This is the path to the entitlements.plist file. |
| teamID | This is the Team ID of your Apple Developer account. You can find it on the Membership page. |
| appleID | This is your Apple Developer account email. |
| password | This is an app-specific password for your Apple Developer account. |

Environment variables 

You can reference environment variables in the config file through the ${ENV_NAME} syntax:

{
  "macOS": {
    "icon": "assets/app.icns",
    "bundleID": "com.company.App",
    "codesignIdentity": "${IDENTITY}",
    "codesignEntitlements": "assets/entitlements.plist",
    "teamID": "${TEAM_ID}",
    "appleID": "${APPLE_ID}",
    "password": "${PASSWORD}"
  }
}

We recommend that you store your credentials in environment variables instead of the config file for security reasons. The config file is usually stored in the project repository, so it can be read by anyone who has access to the repository.
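The recommendation above can be enforced before the build runs. The following is an added example, not MōBrowser's own code: it flags macOS signing properties written as literals instead of ${ENV_NAME} references, references whose variable is not set, and a Windows signCommand that lacks the @@BINARY_PATH@@ placeholder. The helper name lintSigningConfig, the sample config and the sample environment are constructed for illustration.

```javascript
// Added example: pre-build lint for the signing section of mobrowser.conf.json.
// Properties the page's example reads from the environment instead of the file.
const ENV_BACKED_KEYS = ["codesignIdentity", "teamID", "appleID", "password"];
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Hypothetical helper: returns a list of findings (empty list = OK to build).
function lintSigningConfig(config, env = process.env) {
  const findings = [];
  // Accept the full file ({app:{bundle:{...}}}) or a bare bundle fragment.
  const bundle = (config.app && config.app.bundle) || config;
  const mac = bundle.macOS || {};
  for (const key of ENV_BACKED_KEYS) {
    const value = mac[key];
    if (typeof value !== "string" || value === "") continue; // not configured
    const refs = [...value.matchAll(ENV_REF)].map((m) => m[1]);
    if (refs.length === 0) {
      findings.push("macOS." + key + ": literal value in config file, use an environment variable reference");
      continue;
    }
    for (const name of refs) {
      if (!env[name]) findings.push("macOS." + key + ": environment variable " + name + " is not set");
    }
  }
  const win = bundle.Windows || {};
  if (typeof win.signCommand === "string" && !win.signCommand.includes("@@BINARY_PATH@@")) {
    findings.push("Windows.signCommand: @@BINARY_PATH@@ placeholder is missing");
  }
  return findings;
}

// Constructed sample: hard-coded password, unset APPLE_ID, signCommand without placeholder.
const SAMPLE_CONFIG = {
  app: { bundle: {
    macOS: {
      bundleID: "com.company.App",
      codesignIdentity: "${IDENTITY}",
      teamID: "${TEAM_ID}",
      appleID: "${APPLE_ID}",
      password: "abcd-efgh-ijkl-mnop", // constructed value, not a real credential
    },
    Windows: { icon: "assets/app.ico", signCommand: "yourCodesignTool --option" },
  } },
};
const SAMPLE_ENV = { IDENTITY: "Constructed Identity", TEAM_ID: "CONSTRUCTED" };

for (const finding of lintSigningConfig(SAMPLE_CONFIG, SAMPLE_ENV)) console.log(finding);
```

In a pipeline, pass the parsed contents of mobrowser.conf.json to the function and fail the job when the returned list is not empty.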

Signing & Notarizing 

Once you set all the required properties in mobrowser.conf.json, your application will be signed and notarized automatically whenever you build it on macOS:

npm run mobrowser build