3

I have a simple app built using Electron framework. I packaged the code using electron-packager-interactive. I also created a Windows installer file which is ready for distribution using Inno Setup compiler (Single .exe file).

The problem here is when users run the .exe file, a popup from Windows Smart screen blocks it saying publisher is unknown. Only after "More info", it allows to install with "Run anyway". Probably it's because my application is not signed. So can anyone help me how to sign an Electron application (Windows application) so that it's treated as trusted application?

Thanks

Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
Suraj A J
  • 359
  • 4
  • 19
  • Your question is confusing. I assume you want to sign the "installer" built by Inno Setup. So why does your question say *"Signing an Electron app"*? What does the question have to do with "electron"? – Martin Prikryl May 22 '17 at 06:24
  • Because it's built using electron framework. I assume we have to sign the code before packaging. – Suraj A J May 22 '17 at 06:41
  • What makes you think so? If you get the "smart screen" block even before the installer starts, Windows hardly knows at that moment that there is Electron binary inside the installer. – Martin Prikryl May 22 '17 at 06:58
  • Oh ok. May be you are right. I read somewhere that I have to sign code before packaging, that made me think that way. Anyway, do you know how to sign .exe file created by Inno setup? – Suraj A J May 22 '17 at 07:13
  • Well, sure, you should sign the code anyway. But I just think that it's not your immediate problem. – Martin Prikryl May 22 '17 at 07:19

1 Answers1

1

You primarily have to sign the installer.

For that, set the Inno Setup SignTool directive. See the directive documentation.

Though once you have a certificate and everything, sign the (electron) application itself too.

Inno Setup compiler can do this for you. You do not have to manually sign the .exe yourself before packaging.

Just set the sign (or signonce) flag in the [Files] section entry for the .exe:

Source: "MyProg.exe"; DestDir: "{app}"; Flags: sign
Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
  • Thank you. I did that but while compiling, the error says "Sign Tool failed with exit code 0x1". I have following configured in inno setup "signtool="PATH_TO_SIGNINTOOL\signtool.exe" sign /f "PATH_TO_CERTIFICATE.PFX" /p "PASSWORD" /t http://timestamp.verisign.com/scripts/timstamp.dll "PATH_TO_SETUP_FILE"". How do i solve this? – Suraj A J May 22 '17 at 11:39
  • See [Inno Setup - Signing fails with “Sign Tool failed with exit code 0x1”](http://stackoverflow.com/q/39685417/850848) or [signtool fail with Inno Setup with exit code 0x1](http://stackoverflow.com/a/30867119/850848) – Martin Prikryl May 22 '17 at 11:45
  • Though one obvious problem is that you cannot use an explicit path to a setup file, you have to use `$f` placeholder, because it's not only the setup file that is signed. – Martin Prikryl May 22 '17 at 11:48
  • I tried all the combinations of signtool commands. I added "$f" at the end also, but no change. Signtool error says " No certificate were found that meet all the given criteria". I used makecert to create a test certificate. – Suraj A J May 23 '17 at 03:03
  • First, signing with a certificate created with `makecert` does not help you. You need a certificate issued by a trusted authority. But if you want it for testing purposes, make sure you have added it to "Trusted Root Certification Authorities", as documented in: https://blogs.msdn.microsoft.com/winsdk/2009/11/13/steps-to-sign-a-file-using-signtool-exe/ – Martin Prikryl May 23 '17 at 05:23