DEV Community

Cover image for Code Signing an Electron.js App for macOS
Anna Shipman
Anna Shipman

Posted on

Code Signing an Electron.js App for macOS

#electron #code #security #software

Enroll in the Apple Developer Program

Before you can sign anything, notarise anything, or even whisper the words “macOS distribution”, Apple needs to know who you are. And no, just having a Mac or an Apple ID isn’t enough. You need to officially join the Apple Developer Program.

How to Enroll:

  • Visit the Apple Developer Program page. This is where it all begins. Apple gives you access to certificates, signing tools, TestFlight, and more.
  • Sign in with your Apple ID. If you don’t have one yet, create one. It’s free and quick.
  • Enrol in the program and pay the annual $99 fee. That’s right $99 per year for official Apple recognition.

Generate Your Code Signing Certificate

This is the digital signature that proves to macOS, “Hey, this app really came from you.” And the best part? You can get it in two simple ways.

Method 1: The Xcode Way

If you’re using macOS (which you should be for signing), Apple makes it super simple through Xcode.

Here’s how:

  • Open Xcode on your Mac.
  • Go to Xcode → Settings (or Preferences) → Accounts.
  • Add your Apple ID if you haven’t already.
  • Select your developer team.
  • Click Manage Certificates.
  • Hit the “+” button → Choose Developer ID Application Certificate.

Xcode automatically requests and installs your certificate for you.

Method 2: The Apple Developer Portal

Prefer the manual route? Here’s how to do it directly from the web:

  • Visit Apple’s Certificates, Identifiers & Profiles
  • Click the “+” button to create a new certificate.
  • Choose Developer ID Application as your certificate type.
  • Follow the on-screen steps to upload your CSR.
  • Download the generated certificate.
  • Install it by double-clicking it, and it’ll show up in your Mac’s Keychain Access.

Set Up Your Electron.js Project for macOS Signing

Install electron-builder by running this command

npm install electron-builder --save-dev

Wire up your build script

Add a script to package.json so you can build with one command:

{
"scripts": {
"build": "electron-builder --mac"
}
}

Add macOS build config

You can keep it in package.json under “build” or in electron-builder.yml. Use whichever you prefer.

Option A - package.json config

{
"name": "my-electron-app",
"version": "1.0.0",
"build": {
"appId": "com.example.myapp",
"productName": "MyElectronApp",
"files": [
"dist/**/*",
"node_modules/**/*",
"main.js",
"package.json"
],
"mac": {
"target": ["dmg", "zip"],
"category": "public.app-category.utilities",
"icon": "build/icon.icns",
"hardenedRuntime": true,
"entitlements": "build/entitlements.mac.plist",
"entitlementsInherit": "build/entitlements.mac.plist",
"identity": "Developer ID Application: Your Name (TEAMID)"
},
"afterSign": "scripts/notarize.js"
}
}

Option B - electron-builder.yml

appId: com.example.myapp
productName: MyElectronApp
files:
- dist/**
- node_modules/**
- main.js
- package.json
mac:
target:
- dmg
- zip
category: public.app-category.utilities
icon: build/icon.icns
hardenedRuntime: true
entitlements: build/entitlements.mac.plist
entitlementsInherit: build/entitlements.mac.plist
identity: Developer ID Application: Your Name (TEAMID)
afterSign: scripts/notarize.js

Sign Your App

Electron apps can be signed using electron-builder or manually via codesign:

Using electron-builder

If your certificate is installed and your config is set, this is all you need:

npm run build

Have Your Application Notarised

MacOS does not consider your Electron app to be entirely safe until you have signed it and it is notarized. It is a kind of background check at Apple.

You submit your app to them, they scan it and check it to make sure that there is nothing suspicious, and in case all seems well, they nod their heads in silent approval.

First, you bundle up your app:

cd /path/to/your/app/
zip -r MyElectronApp.zip MyElectronApp.app

Then you send it off to Apple’s servers for review:

xcrun altool --notarize-app \
--primary-bundle-id "com.example.myapp" \
--username "your-apple-id@example.com" \
--password "your-app-specific-password" \
--file MyElectronApp.zip

That password isn’t your Apple login. It’s an app-specific password you create in your Apple ID settings. Apple won’t tell you instantly whether you passed; it takes a bit.

You can check the status like this:

xcrun altool --notarization-info <RequestUUID> \
--username "your-apple-id@example.com" \
--password "your-app-specific-password"

If all goes well, Apple gives your app a notarization ticket, basically a proof of inspection. You “staple” that ticket to your app so it always travels with it:

xcrun stapler staple /path/to/your/app/MyElectronApp.app

That last command feels almost ceremonial. After stapling, your app is truly ready to face macOS users, no more warnings, no more “unidentified developer” screens.

Test Your Application

  • Install your signed app on a macOS system. This is your real-world test. If everything went right, macOS will recognise your app as safe and trusted.
  • Open the app. No scary red warnings. No “This app can’t be opened” pop-ups. Just a clean, professional launch, the kind that instantly builds trust with users.
  • Run through the features. Click every button. Open every window. Push it like a real user would. You’re not just testing functionality, you’re testing confidence.

Source


Top comments (0)