
How to switch codesign certificates on Electron App for Mac (OSX)

Level of difficulty: Medium

When an Electron app was originally distributed signed with an individual developer's certificate and you want to sign the next update with a certificate belonging to your organization, the auto-update installation will break, because the code signing requirements of the installed version are no longer met by the update.

So, to prevent this issue, your next app version should include information about both certificates (old and new) in its designated requirement. All later versions can then be signed with the new certificate alone, and the auto-update process will not be disrupted.

See the example below:

version 1.0.0 - signed with certificate 1
version 1.0.1 - signed with certificates 1 and 2
version 1.0.2 - signed with certificate 2

I use Electron Builder for packaging, so all the statements below will refer to using that package.

I suggest you first review the designated requirement (DR) of the application as it is currently signed with the old certificate. For more information about code requirements, please refer to the Apple Developer portal.

Open the terminal and run codesign -d -r- <path/to/app>. You'll see something like this:

Executable=/path/to/app/Contents/MacOS/<appname>
designated => identifier "xxxxx.xxxxx.xxxxxx" and anchor apple generic and certificate leaf[subject.CN] = "Super Developer: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */

Build the app with the new certificate and run the same command on it:

Executable=/path/to/new_app/Contents/MacOS/<appname>
designated => identifier "xxxxx.xxxxx.xxxxxx" and anchor apple generic and certificate leaf[subject.CN] = "Apple Distribution: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */

After that, combine both designated requirements into an electron-builder-requirements.txt file, joining them with the logical operator or, and leave out the leading identifier "xxxxx.xxxxx.xxxxxx" and clause.

Check the electron-builder-requirements.txt example:

designated => anchor apple generic and certificate leaf[subject.CN] = "Super Developer: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */ or anchor apple generic and certificate leaf[subject.CN] = "Apple Distribution: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */
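The merge step above done as a small POSIX shell script, added here as an example and not part of the original post. The two DR strings are constructed samples modelled on the codesign -d -r- output shown earlier (the file name and the helper names are this example's own); on a real build you would capture them from codesign instead. It strips the designated => label and the identifier clause from each DR, joins the remainder with or, and checks that the result names both certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the contents of
# electron-builder-requirements.txt from the designated requirements of an
# old build (certificate 1) and a new build (certificate 2).
#
# On a Mac, capture a real DR line with:
#   codesign -d -r- /path/to/app 2>&1 | grep '^designated => '
# The two values below are CONSTRUCTED samples in the same shape.

OLD_DR='designated => identifier "xxxxx.xxxxx.xxxxxx" and anchor apple generic and certificate leaf[subject.CN] = "Super Developer: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */'
NEW_DR='designated => identifier "xxxxx.xxxxx.xxxxxx" and anchor apple generic and certificate leaf[subject.CN] = "Apple Distribution: Awesome Organization (XXXXXXXX)" and certificate 1[field.1.2.345.678901.234.5.6.7] /* exists */'

# strip_dr: drop the "designated => " label and the leading
# 'identifier "..." and ' clause, keeping only the certificate constraints.
strip_dr() {
    printf '%s\n' "$1" | sed -e 's/^designated => //' -e 's/^identifier "[^"]*" and //'
}

# merge_dr: join the two stripped requirements with `or`. In the requirement
# language `and` binds tighter than `or`, so the result reads as
# (old certificate constraints) or (new certificate constraints).
merge_dr() {
    printf 'designated => %s or %s\n' "$(strip_dr "$1")" "$(strip_dr "$2")"
}

# count_cert_clauses: number of `certificate leaf[subject.CN]` constraints in a
# requirement; a correctly merged DR for the transition period has two.
count_cert_clauses() {
    printf '%s\n' "$1" | grep -o 'certificate leaf\[subject.CN\]' | wc -l | tr -d ' '
}

# write_requirements: write the merged DR to the requirements file that the
# electron-builder "mac.requirements" option points at (path is an argument so
# the function can also be used in a test without touching the working tree).
write_requirements() {
    out="${3:-electron-builder-requirements.txt}"
    merge_dr "$1" "$2" > "$out"
    printf '%s\n' "$out"
}

# Usage (uncomment on a real build):
#   write_requirements "$OLD_DR" "$NEW_DR"
#   count_cert_clauses "$(cat electron-builder-requirements.txt)"   # expect 2
```

The sed pattern only removes an identifier clause that sits at the very start of the requirement, which is where codesign prints it; if a DR is ever missing that clause the line passes through unchanged, so it is worth running count_cert_clauses on the output before shipping the build.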

After that, you need to reference the electron-builder-requirements.txt file in the electron-builder configuration file under mac:

"mac": {
    "requirements": "electron-builder-requirements.txt"
}

and build the app.

Publish a new version of the app signed with the old certificate, but with a designated requirement (DR) that references both certificates. Wait until everyone has updated and is running this version, whose DR mentions both certificates, on their desktop.

After that, you can remove the electron-builder-requirements.txt file and update the electron-builder configuration file accordingly.

Release a new version of the app signed with the new certificate. No requirements file is needed, and it will only list its own certificate in the DR.

Profit.

P.S. To ensure that your app is signed with the correct certificate, you can set the "identity" parameter in the electron-builder configuration file, specifying the certificate's SHA-1 hash:

"mac": {
    "identity": "<SHA-1 cert hash here (40 digit)>"
}

P.P.S. Good luck and have fun.
