Electron-builder: What type of certificate do I need to buy to sign my code on windows?

Created on 21 Feb 2017 · 17 comments · Source: electron-userland/electron-builder

I'm a bit overwhelmed by the options some of the CAs provide. What kind of certificate (Standard? EV?) do I need to sign my code for windows? My use case is that I primarily want to get auto-update to work.

Do I even need to buy a certificate for that? Or can I use a self-signed certificate too? And if so, how? I really want to avoid spending money wrongly or unnecessarily :)

question

All 17 comments

I went through this process myself last year, even with a Standard signing certificate our users ended up getting this:

https://www.globalsign.com/files/5814/1400/1288/windows8-smartscreen-warning.jpg

Which apparently goes away after enough users have installed your application without issue. (you build "trust" over time) Users that get this error can continue to install by clicking More Info.

Unless your users are trusting and patient, you're going to lose downloads. We provided a brief explanation of the situation in a popup when users would click the download button but still ended up losing over 40% of the downloads to this.

We bought an EV certificate which took about a week to ship to us. Once we had that implemented there were no more security warnings.

I'm not sure what happens if you use no certificate... but it's going to likely be auto removed on download or it'll prevent the installation.

Ha, thank you so much for this insight. I was reading something in that direction in some MSDN doc (unfortunately I closed the tab) which was also the reason why I wanted to ask here. Thank you so much for your insight! You basically saved me 100 bucks :)

Sorry, the other screen is more obvious on this, it's a level 4 certificate that is required (wrongly linked in the wiki I think)

[screenshot]

edit://

Damn: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ :D

@sklink one more question - with the regular certificate, was auto update possible even though the software was not trusted yet?

Yes, auto update wasn't an issue. It was just the install process.

I ended up using DigiCert, so I'm not sure about other providers. The links directly from microsoft provide a discount so make sure you use them if you buy a certificate: https://msdn.microsoft.com/windows/hardware/drivers/dashboard/get-a-code-signing-certificate

Awesome! Again, thank you so much! :)

Wow, that link saves you 498$ on the 3 year validity. @devlar maybe point to this in the docs?

Sorry for coming back on this, I've received the digicert token for the EV certificate I bought and installed it right away. After realizing that I need to set

  "win": {
    "certificateSubjectName": "ORY GmbH"
  },

I was able to get the signing work locally! The digicert dongle prompted me to supply the dongle password a few times but eventually I saw:

  electron-builder Executing C:\Users\foobar\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.7.0\windows-10\x64\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /n ORY GmbH /d ORY Sites /du https://github.com/ory/sites-app C:\workspace\js\sites-app\dist\win-unpacked\ORY Sites.exe +278ms
  Done Adding Additional Store
  Successfully signed: C:\workspace\js\sites-app\dist\win-unpacked\ORY Sites.exe

Next, I followed these steps to export a p12 certificate. Then, I base64 encoded it, removed newlines and configured my CI with the CSC_LINK and CSC_KEY_PASSWORD (no special chars). However, that resulted in this error message:

  Signing ORY Sites.exe (certificate subject name: "ORY GmbH")
  Error: Exit code: 1. Command failed: C:\Users\appveyor\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.7.0\windows-6\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /n ORY GmbH /d ORY Sites C:\projects\sites-app\dist\win-unpacked\ORY Sites.exe
  SignTool Error: No certificates were found that met all the given criteria.

When trying to export the certificate with the private key in e.g. IE or Chrome I see "Note: The associated private key is marked as not exportable. Only the certificate can be exported". I'm a bit lost as to how to proceed from here. Any ideas?

Ok, got word back from DigiCert, apparently it's not possible to extract the private key from the dongle due to regulatory requirements which in turn implies that I can't use the certificate to sign the code on a CI server?

EV cert on CI — to investigate.

Yeah I'm not sure about CI. I've been compiling and signing locally.

EV cert issue — see and comment #1299

I was thinking of buying an EV cert from Digicert via that msdn link. €100 for one year is fine, but I couldn't afford it if it rises to €700/yr after the first year.

I will email digicert and report back...

Unfortunately it's just how expensive EV certs are. I actually ended up registering a new company and buying a fresh cert with 3 years validation so that it would stay cheap for a while.

Though they're generally really helpful, DigiCert will not accommodate this. They were unhappy that I had it so cheap and wanted to confirm how I purchased it because they didn't think that should be possible.

You can go with the non-EV cert but users will get the "this application is unsafe" warning that will turn away most users if they're not aware. Still haven't heard from anyone how long that warning sticks around.

I'm going with a cheap OV certificate from LeaderSSL. They inform me that around 500 downloads is the number at which the warnings go away, but we shall see how that goes. I will report back.

@sklink I had a similar conversation with digicert -- the rep had no idea how I got the first year for $104 and refused to renew for any discounted price. Did you end up paying the $699? The microsoft.com link you had previously posted is no longer working.

My EV cert is expiring in a few weeks and I'm wondering what to do -- SSL.com is the cheapest right now for 1 year EV at $349, Sectigo is $400, GlobalSign is $410. Has anyone used these vendors' keys with electron?

Worst case scenario, if I need to do a build after my current cert expires and before I get a new one, I can just set the clock on my windows machine back, right?

Not sure about setting the clock back. I believe they use a third-party endpoint to verify.

Make sure it's a Code Signing EV Certificate and not an EV SSL. $349 sounds about right for code signing but you might want to double check.

I had no problem registering for a fresh EV Code Cert and swapping out the old one. Existing customers weren't affected as far as I could tell.

You might want to register a new cert through the Microsoft link and make it a 3 year one: https://msdn.microsoft.com/windows/hardware/drivers/dashboard/get-a-code-signing-certificate
