Signing Application

This page describes how to get a code signing certificate and configure your project to automatically sign your application for macOS and Windows.

Windows

By code signing your application, you reassure users that they are downloading the legitimate executable of your app and not a malicious imitation. While not mandatory, code signing significantly enhances user trust and confidence in your application.

Prerequisites

Getting a code signing certificate

To sign your application, you need to acquire a code signing certificate from one of the supported certificate authorities, such as DigiCert, Sectigo (formerly Comodo), or GoDaddy.

You will get a certificate file (e.g. cert.cer) and a private key (e.g. private.key) from your certificate authority. To sign your application, you need to convert these files to a Personal Information Exchange (PFX) file. You can do it in PowerShell using the following command:

openssl.exe pkcs12 -export -out cert.pfx -inkey private.key -in cert.cer

Important: Don’t forget the export password you enter when prompted. You will need it in the next step.

Configuring Molybden

To have Molybden sign your application, you need to set the following properties in molybden.conf.json:

{
  "app": {
    "name": "MyApp",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "Windows": {
        "icon": "src-cpp/assets/app.ico",
        "certFile": "",
        "certPassword": "",
        "digestAlgorithm": "",
        "timestampServerURL": ""
      },
      ...
    },
    ...
  }
}

Here’s a description of what you should set as values for these properties:

| Property name | Property value |
|---|---|
| certFile | The path to the cert.pfx file you created in the previous step. |
| certPassword | The export password you set in the previous step. |
| digestAlgorithm | The SHA digest algorithm used for your certificate. This is likely sha256. |
| timestampServerURL | A URL pointing to a timestamp server used to verify the time the certificate is signed. It’s best to use the timestamp server provided by your certificate authority. |

macOS

On macOS Catalina and later, Gatekeeper enforces that you must sign and notarize your application. Unsigned software cannot be run, so, unlike Windows code signing, this is not optional on macOS.

Prerequisites

For more details, read the Notarizing macOS software before distribution article.

Creating a signing certificate

To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. Follow the Create a certificate signing request article to create a CSR file.

Open the Certificates, IDs & Profiles page and click on the Add button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.

Downloading and installing certificate

On the Certificates, IDs & Profiles page, click on the certificate you want to use and click the Download button.

Double-click on the downloaded certificate to install it using the Keychain Access app on your Mac computer.

Configuring Molybden

To have Molybden sign and notarize your application, you need to set the following properties in molybden.conf.json:

{
  "app": {
    "name": "MyApp",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "macOS": {
        "icon": "src-cpp/assets/app.icns",
        "bundleID": "",
        "codesignIdentity": "",
        "codesignEntitlements": "src-cpp/assets/entitlements.plist",
        "teamID": "",
        "appleID": "",
        "password": ""
      },
      ...
    },
    ...
  }
}

Here’s a description of what you should set as values for these properties:

| Property name | Property value |
|---|---|
| bundleID | The bundle identifier of your application. It must be unique and in reverse-DNS format. For example, if your company’s domain is example.com and your application is called MyApp, then your bundle identifier could be com.example.MyApp. |
| codesignIdentity | The name of the certificate you created in the previous step. You can find the name of the certificate in the Keychain Access app on your Mac computer. |
| codesignEntitlements | The path to the entitlements.plist file. |
| teamID | The Team ID of your Apple Developer account. You can find it on the Membership page. |
| appleID | Your Apple Developer account email. |
| password | An app-specific password for your Apple Developer account. |
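
The Windows and macOS properties above place a PFX export password, an app-specific password, the digest algorithm and the timestamp server in one JSON file. The check below is an added example, not part of Molybden or of the original page: it flags filled-in secrets and weak or missing signing settings in a copy of molybden.conf.json. The function name, the rules and the sample configuration are assumptions of this example.

```javascript
// Added example: lint the signing block of molybden.conf.json before committing it.
// Property names are from the page; the rules and SAMPLE_CONFIG are assumptions.
const SECRET_KEYS = { Windows: ["certPassword"], macOS: ["password"] };
const REVERSE_DNS = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function lintSigningConfig(jsonText) {
  const bundle = JSON.parse(jsonText)?.app?.bundle ?? {};
  const findings = [];

  // A filled-in secret in a tracked file ends up in version control history.
  for (const [platform, keys] of Object.entries(SECRET_KEYS)) {
    for (const key of keys) {
      if (bundle[platform]?.[key]) findings.push(`${platform}.${key}: secret in plain text`);
    }
  }

  const win = bundle.Windows ?? {};
  if (win.certFile) {
    // SHA-1 signatures are deprecated; accept only SHA-2 digests.
    if (!/^sha(256|384|512)$/i.test(win.digestAlgorithm ?? "")) {
      findings.push("Windows.digestAlgorithm: not a SHA-2 digest");
    }
    // Without a timestamp the signature stops validating when the certificate expires.
    if (!win.timestampServerURL) findings.push("Windows.timestampServerURL: missing");
  }

  const mac = bundle.macOS ?? {};
  if (mac.codesignIdentity && !REVERSE_DNS.test(mac.bundleID ?? "")) {
    findings.push("macOS.bundleID: not in reverse-DNS format");
  }
  return findings;
}

// Constructed sample: every value below is a placeholder, not a real credential.
const SAMPLE_CONFIG = JSON.stringify({
  app: { name: "MyApp", bundle: {
    Windows: { certFile: "cert.pfx", certPassword: "example-export-password",
               digestAlgorithm: "sha1", timestampServerURL: "" },
    macOS: { bundleID: "MyApp", codesignIdentity: "Developer ID Application: Example",
             teamID: "", appleID: "", password: "" },
  } },
});

for (const finding of lintSigningConfig(SAMPLE_CONFIG)) console.log(finding);
```

Pass it the contents of the copy of molybden.conf.json that is about to be committed; the copy on the build machine is the one that carries the passwords.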

Signing and notarizing application

Once you set all the required properties in molybden.conf.json, your application will be signed and notarized automatically whenever you run:

npm run molybden build

Congratulations! You have successfully signed and notarized your Molybden application!
