
Code Signing

Daniel Weck edited this page Apr 15, 2026 · 18 revisions

Extended Validation (EV) Code Signing Certificate

MacOS

TIPS:

  • xattr -l /Applications/Thorium.app lists the extended attributes of the installed app (look for com.apple.quarantine); xattr -dr com.apple.quarantine /Applications/Thorium.app removes the quarantine attribute recursively.

  • security find-identity -v -p codesigning lists the valid code-signing identities in the keychain (security find-identity or security find-identity login.keychain also work). To troubleshoot a missing identity: security list-keychains, then security unlock-keychain ~/Library/Keychains/login.keychain (interactive password prompt) or security unlock-keychain -p "PASS" ~/Library/Keychains/login.keychain (the -p form leaves the password in shell history).

  • syspolicy_check distribution ./release/mac-arm64/Thorium.app ==> "App passed all pre-distribution checks and is ready for distribution."

  • spctl -a -vvv -t install ./release/mac-arm64/Thorium.app or spctl -a -vvv -t open --context context:primary-signature ./release/mac-arm64/Thorium.app ==> "./release/mac-arm64/Thorium.app: accepted ---- source=Notarized Developer ID ---- override=security disabled ---- origin=Developer ID Application: European Digital Reading Lab (327YA3JNGT)"

  • spctl -a -vvv -t install ./release/Thorium-3.4.0-arm64.dmg or spctl -a -vvv -t open --context context:primary-signature ./release/Thorium-3.4.0-arm64.dmg ==> "./release/Thorium-3.4.0-arm64.dmg: accepted ---- source=Unnotarized Developer ID ---- override=security disabled ---- origin=Developer ID Application: European Digital Reading Lab (327YA3JNGT)" (note that the DMG is reported as Unnotarized Developer ID, whereas the .app bundle above is reported as Notarized)

  • codesign -dv --verbose=4 ./release/mac-arm64/Thorium.app

  • codesign -dv --verbose=4 ./release/Thorium-3.4.0-arm64.dmg

  • https://developer.apple.com/account/resources/certificates/list

  • Shell ENV for Electron Builder (npm run package:mac): CSC_IDENTITY_AUTO_DISCOVERY=false, APPLEIDTEAM=327YA3JNGT, CSC_NAME="European Digital Reading Lab (327YA3JNGT)", APPLEID=<developer email>, APPLEIDPASS=<Apple-generated ad-hoc (app-specific) password, or @keychain:xxx>

  • Notarization script and the matching electron-builder configuration: https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/scripts/notarize.js#L1-L18 and https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L107-L123 and https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L59
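The macOS checks listed above, gathered into one script that runs them against a built artifact and parses their output into pass/fail results. This is an added example written for this page, not one of Thorium's own scripts. It assumes the expected Team ID is passed on the command line; the sample outputs are constructed from the lines quoted above (real spctl output puts each field on its own line, the page joins them with " ---- ", and both forms are accepted), and the bundle identifier in the codesign sample is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the Thorium project): run the Gatekeeper/codesign
# checks from this page and turn their textual output into pass/fail results.
# The parsing helpers work on captured text and run anywhere; check_artifact
# itself needs macOS (spctl, codesign, xattr).

# Constructed samples, modelled on the output quoted on this page.
SAMPLE_SPCTL_APP='./release/mac-arm64/Thorium.app: accepted ---- source=Notarized Developer ID ---- override=security disabled ---- origin=Developer ID Application: European Digital Reading Lab (327YA3JNGT)'
SAMPLE_SPCTL_DMG='./release/Thorium-3.4.0-arm64.dmg: accepted ---- source=Unnotarized Developer ID ---- override=security disabled ---- origin=Developer ID Application: European Digital Reading Lab (327YA3JNGT)'
# Same assessment in the one-field-per-line form that spctl actually prints.
SAMPLE_SPCTL_MULTILINE='./release/mac-arm64/Thorium.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: European Digital Reading Lab (327YA3JNGT)'
# Constructed codesign -dv --verbose=4 excerpt; the identifier is a placeholder.
SAMPLE_CODESIGN='Executable=/Applications/Thorium.app/Contents/MacOS/Thorium
Identifier=com.example.placeholder
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'

# fields: one assessment field per line, whether the input used newlines or
# the " ---- " separator used on this wiki page.
fields() {
  printf '%s\n' "$1" | awk '{ gsub(/ ---- /, "\n"); print }'
}

# spctl_source: the "source=..." field of an spctl -a -vvv assessment.
spctl_source() {
  fields "$1" | sed -n 's/^source=//p' | head -n 1
}

# spctl_origin_team: the Team ID in parentheses at the end of "origin=...".
spctl_origin_team() {
  fields "$1" | sed -n 's/^origin=.*(\([A-Z0-9]*\))$/\1/p' | head -n 1
}

# spctl_is_notarized: succeeds only when Gatekeeper accepted the artifact AND
# attributes it to a notarized Developer ID. "Unnotarized Developer ID" (what
# the page shows for the DMG) is a failure on purpose, so the gap is caught in
# the release pipeline rather than noticed later.
spctl_is_notarized() {
  fields "$1" | grep -q ': accepted' && [ "$(spctl_source "$1")" = "Notarized Developer ID" ]
}

# spctl_team_is: succeeds when the origin Team ID equals the expected one.
spctl_team_is() {
  [ "$(spctl_origin_team "$1")" = "$2" ]
}

# codesign_has_hardened_runtime: notarization requires the hardened runtime,
# which codesign -dv --verbose=4 reports in the CodeDirectory flags, e.g.
# "flags=0x10000(runtime)".
codesign_has_hardened_runtime() {
  printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-f]*(.*runtime.*)'
}

# check_artifact PATH TEAM_ID (macOS only): prints one line per check and
# returns non-zero if any check fails.
check_artifact() {
  path=$1; team=$2; rc=0
  assessment=$(spctl -a -vvv -t install "$path" 2>&1)
  if spctl_is_notarized "$assessment"; then
    echo "PASS spctl: $(spctl_source "$assessment")"
  else
    echo "FAIL spctl: $assessment"; rc=1
  fi
  if spctl_team_is "$assessment" "$team"; then
    echo "PASS origin Team ID $team"
  else
    echo "FAIL origin Team ID is '$(spctl_origin_team "$assessment")', expected $team"; rc=1
  fi
  if codesign --verify --deep --strict "$path" 2>/dev/null; then
    echo "PASS codesign --verify --deep --strict"
  else
    echo "FAIL codesign --verify --deep --strict"; rc=1
  fi
  if codesign_has_hardened_runtime "$(codesign -dv --verbose=4 "$path" 2>&1)"; then
    echo "PASS hardened runtime flag present"
  else
    echo "FAIL hardened runtime flag missing"; rc=1
  fi
  # Informational: a quarantine attribute means the file was downloaded and
  # Gatekeeper will assess it on first launch.
  if xattr -p com.apple.quarantine "$path" >/dev/null 2>&1; then
    echo "INFO com.apple.quarantine attribute present"
  fi
  return $rc
}

# Usage (macOS): sh check-signing.sh ./release/mac-arm64/Thorium.app 327YA3JNGT
if [ $# -eq 2 ]; then
  check_artifact "$1" "$2"
fi
```

Run it against both the .app bundle and the DMG: with the outputs quoted on this page, the bundle passes and the DMG fails the spctl check, which is exactly the difference between "Notarized Developer ID" and "Unnotarized Developer ID" that is easy to miss when reading the raw output.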

CI automation https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/

Windows

  • Electron Builder (npm run package:win) will not sign the generated Thorium.exe (CSC_IDENTITY_AUTO_DISCOVERY is false); signtool.exe must be invoked separately as an additional manual build step, see https://github.com/edrlab/thorium-reader/blob/390356ea03cb10ce1fd8a34567fb5659bcf1e770/package.json#L53-L54
  • https://secure.ssl.com/user_session/new
  • Hardware Token (USB-A) contains private key https://www.yubico.com/products/yubikey-fips/
  • USB token must be unlocked using PIN https://www.ssl.com/how-to/access-your-yubikey-fips-pin-and-puk/
  • Software app to manage certificates etc. (optional): https://www.ssl.com/ssl-manager/
  • signtool.exe instructions: https://www.ssl.com/how-to/using-your-code-signing-certificate/
  • "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe"
  • Note that this procedure has been tested on a Windows 10 Pro VirtualBox virtual machine. The USB device is initially claimed by the macOS host, so it appears “busy” and cannot be used from the Windows guest. Solution: add a USB “filter” in VirtualBox (easy via the USB menu).
  • "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /a /n "European Digital Reading Lab" "C:\Users\ME\PATH\TO\Thorium.Setup.1.7.3.exe" => "Done Adding Additional Store" then "Successfully signed". On Windows 11 ARM64 the same command is used with the path to the installer: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" sign /fd sha256 /tr http://ts.ssl.com /td sha256 /a /n "European Digital Reading Lab" PATH_TO_EXE
  • GlobalSign example, selecting the certificate by SHA-1 thumbprint (/sha1, placeholder xxx): "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" sign /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /sha1 "xxx" "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe" or by subject name (/a /n): "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" sign /fd SHA256 /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /a /n "US FUND FOR DAISY" "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe"
  • VERIFY (/pa uses the default Authenticode verification policy): "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" verify /v /pa "C:\Users\danie\Downloads\Thorium.Setup.1.7.3.exe" (Windows 11 ARM64: "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\arm64\signtool.exe" verify /v /pa PATH_TO_EXE)

Linux

  • N/A
