Signing Application
This page describes how to get a code signing certificate and configure your project to automatically sign your application for macOS and Windows.
Windows
By code signing your application, you reassure users that they are downloading the legitimate executable of your app and not a malicious imitation. While not mandatory, code signing significantly enhances user trust and confidence in your application.
Prerequisites
- Microsoft’s SignTool.
- OpenSSL. If you have Git for Windows installed, then you already have it in
C:\Program Files\Git\usr\bin\openssl.exe
.
Getting a code signing certificate
To sign your application, you need to acquire a Code Signing certificate from one of the supported certificate authorities like Digicert, Sectigo (formerly Comodo), or Godaddy.
You will get a certificate file (e.g. cert.cer
) and a private key (e.g. private.key
) from your certificate authority. To sign your application, you need to convert these files to a Personal Information Exchange (PFX) file. You can do it in PowerShell using the following command:
openssl.exe pkcs12 -export -out cert.pfx -inkey private.key -in cert.cer
Important: Don’t forget the export password when prompted, you will need it in the next step.
Configuring Molybden
To have Molybden sign your application, you need to set the following properties in molybden.conf.json
:
{
"app": {
"name": "MyApp",
"version": {
"major": "1",
"minor": "0",
"patch": "0"
},
"author": "",
"copyright": "",
"description": "",
"bundle": {
"Windows": {
"icon": "src-cpp/assets/app.ico",
"certFile": "",
"certPassword": "",
"digestAlgorithm": "",
"timestampServerURL": ""
},
...
},
...
}
}
Here’s description of what you should set as values for these properties:
Property name | Property value |
---|---|
certFile |
This is the path to the cert.pfx file you created in the previous step. |
certPassword |
The certificate password you exported in the previous step. |
digestAlgorithm |
The SHA digest algorithm used for your certificate. This is likely sha256 . |
timestampServerURL |
A URL pointing to a timestamp server used to verify the time the certificate is signed. It’s best to provide the timestamp server provided by your certificate authority here. |
macOS
On macOS Catalina and later Gatekeeper enforces that you must sign and notarize your application. Unsigned software cannot be run, so contrary to Windows Code Signing this is not optional for macOS.
Prerequisites
For more details read the Notarizing macOS software before distribution article.
Creating a signing certificate
To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. Follow the Create a certificate signing request article to create a CSR file.
Open the Certificates, IDs & Profiles page and click on the Add button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.
Downloading and installing certificate
On the Certificates, IDs & Profiles page, click on the certificate you want to use and click the Download button.
Double-click on the downloaded certificate to install it using the Keychain Access app on your Mac computer.
Configuring Molybden
To have Molybden sign and notarize your application, you need to set the following properties in molybden.conf.json
:
{
"app": {
"name": "MyApp",
"version": {
"major": "1",
"minor": "0",
"patch": "0"
},
"author": "",
"copyright": "",
"description": "",
"bundle": {
"macOS": {
"icon": "src-cpp/assets/app.icns",
"bundleID": "",
"codesignIdentity": "",
"codesignEntitlements": "src-cpp/assets/entitlements.plist",
"teamID": "",
"appleID": "",
"password": ""
},
...
},
...
}
}
Here’s description of what you should set as values for these properties:
Property name | Property value |
---|---|
bundleID |
The bundle identifier of your application. It must be unique and in reverse-DNS format. For example, if your company’s domain is example.com and your application is called MyApp , then your bundle identifier could be com.example.MyApp . |
codesignIdentity |
This is the name of the certificate you created in the previous step. You can find the name of the certificate in the Keychain Access app on your Mac computer. |
codesignEntitlements |
This is the path to the entitlements.plist file. |
teamID |
This is the Team ID of your Apple Developer account. You can find it on the Membership page. |
appleID |
This is your Apple Developer account email. |
password |
This is an app-specific password for your Apple Developer account. |
Signing and notarizing application
Once you set all the required properties in molybden.conf.json
, your application will be signed and notarized automatically whenever you run:
npm run molybden build
Congratulations! You have successfully signed and notarized your Molybden application!