Signing Application

This page describes how to get a code signing certificate and configure your project to automatically sign your application for macOS and Windows.

Windows

By code signing your application, you reassure users that they are downloading the legitimate executable of your app and not a malicious imitation. While not mandatory, code signing significantly enhances user trust and confidence in your application.

Prerequisites

• Microsoft’s SignTool.
• OpenSSL. If you have Git for Windows installed, then you already have it in C:\Program Files\Git\usr\bin\openssl.exe.

Getting a code signing certificate

To sign your application, you need to acquire an Extended Validation (EV) Code Signing certificate from one of the supported certificate authorities like DigiCert, Sectigo (formerly Comodo), or Godaddy.

There are two ways of signing your app: you could either use a certificate stored on a FIPS 140 Level 2, Common Criteria EAL 4+ storage module or use cloud-based code signing. In either way, you need to provide Molybden with the command which signs your application.

Configuring Molybden

To have Molybden sign your application, you need to set the following property in molybden.conf.json:

{
  "app": {
    "name": "MyApp",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "Windows": {
        "icon": "src-cpp/assets/app.ico",
        "signCommand": "yourCodesignTool @@BINARY_PATH@@ --option",
      },
      ...
    },
    ...
  }
}

Here’s description of what you should set as values for these properties:

macOS

On macOS Catalina and later Gatekeeper enforces that you must sign and notarize your application. Unsigned software cannot be run, so contrary to Windows Code Signing this is not optional for macOS.

Prerequisites

• Xcode.
• Apple Developer account.

For more details read the Notarizing macOS software before distribution article.

Creating a signing certificate

To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. Follow the Create a certificate signing request article to create a CSR file.

Open the Certificates, IDs & Profiles page and click on the Add button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.

Downloading and installing certificate

On the Certificates, IDs & Profiles page, click on the certificate you want to use and click the Download button.

Double-click on the downloaded certificate to install it using the Keychain Access app on your Mac computer.

Configuring Molybden

To have Molybden sign and notarize your application, you need to set the following properties in molybden.conf.json:

{
  "app": {
    "name": "MyApp",
    "version": {
      "major": "1",
      "minor": "0",
      "patch": "0"
    },
    "author": "",
    "copyright": "",
    "description": "",
    "bundle": {
      "macOS": {
        "icon": "src-cpp/assets/app.icns",
        "bundleID": "",
        "codesignIdentity": "",
        "codesignEntitlements": "src-cpp/assets/entitlements.plist",
        "teamID": "",
        "appleID": "",
        "password": ""
      },
      ...
    },
    ...
  }
}

Here’s description of what you should set as values for these properties:

Signing and notarizing application

Once you set all the required properties in molybden.conf.json, your application will be signed and notarized automatically whenever you run:

npm run molybden build

Congratulations! You have successfully signed and notarized your Molybden application!