How to Code Signing an Electron.js App for macOS?
Why Code Signing Isn’t Optional?
If you’ve ever tried running an unsigned app on macOS, you already know how brutal the experience is. You double-click your .app file, and that dreaded message appears: “This app can’t be opened because it’s from an unidentified developer.”
And that’s it. Your user instantly loses trust. Your credibility? Gone.
Buy Apple Code Signing Certificate and Sign iOS or MacOs Apps
That warning isn’t just a random pop-up. It’s Apple’s way of protecting users from unverified software that hasn’t been proven to be from a trusted source, or what it might do.
That’s where code signing comes in. Code signing is Apple’s way of saying, “Yes, this app is safe. Yes, it came from a verified developer. And no, it hasn’t been tampered with.”
Let’s break down why skipping code signing on macOS is a disaster waiting to happen:
Prevent Scary Warnings
The Gatekeeper, which is the built-in security of macOS, is activated by the use of apps that are not signed. Lack of a signature means that your application gets a threatening message from an unidentified developer. And, by the way, 99 per cent of the users will not open it anyway. They’ll delete your app.
Security Standards Gatekeeper at Apple
The Gatekeeper of Apple will verify the signature of each app prior to it being run. Unless your application is signed or notarised, it is automatically flagged.
By signing your code, you will be part of the Apple security ecosystem and not in conflict with it.
Protect Against Tampering or Malware Injection
When you sign your app, macOS locks it down with a cryptographic seal. That means if anyone tries to modify your files after signing, even a single byte, the system will instantly detect it and block execution.
Build Instant Trust with Users
Users feel safer when they see “Verified Developer” or no warning at all. It’s like the blue checkmark of macOS apps, a visual cue that screams credibility.
Understanding Apple’s Security
Gatekeeper and Notarization are Apple’s twin guardians that decide whether your app deserves to live on a Mac.
Gatekeeper
He checks your app’s credentials specifically, its digital signature, and asks one question: “Can I trust this developer?”
If your app is code signed, Gatekeeper nods and lets it in without fuss. If not? You’re turned away at the door with the dreaded message: “App can’t be opened because it’s from an unidentified developer.”
That single pop-up is enough to kill user confidence because it tells them, “This app might not be safe.”
Recommended: Apple has Officially Stopped Signing iOS 18.5 & 17.7
Apple’s Notarization
Simply uttering your application is reliable does not make Apple believe you. It is there that Notarization comes in, and the further security checks of Apple. It’s not about who you are. It is concerning what is inside your app.
When you submit your app to be notarised, you are essentially sending it to the servers of Apple, which do a fast malware check of your app. Apple scans it and makes sure it is clean, and adds a digital ticket known as notarization.
Choosing the Right Developer Certificate
Apple doesn’t offer just one certificate. It offers two different types, and choosing the wrong one can make your signing process a nightmare.
Developer ID Application Certificate
This is your go-to certificate if you plan to distribute your Electron app outside the Mac App Store, maybe on your website, GitHub releases, or through direct downloads.
Mac App Store Certificates
These certificates are designed specifically for apps that you distribute through the Mac App Store.
There are two flavours here:
- Mac App Development Certificate → For testing and debugging during development.
- Mac App Distribution Certificate → For submitting your final app to the Mac App Store.
Also Read: How to Code Sign iOS Apps on Apple Developer Program?
6 Steps to Signing an Electron.js App for macOS
Step 1: Enroll in the Apple Developer Program
Before you can sign anything, notarise anything, or even whisper the words “macOS distribution”, Apple needs to know who you are. And no, just having a Mac or an Apple ID isn’t enough. You need to officially join the Apple Developer Program.
How to Enroll:
- Visit the Apple Developer Program page. This is where it all begins. Apple gives you access to certificates, signing tools, TestFlight, and more.
- Sign in with your Apple ID. If you don’t have one yet, create one. It’s free and quick.
- Enrol in the program and pay the annual $99 fee. That’s right $99 per year for official Apple recognition.
Step 2: Generate Your Code Signing Certificate
This is the digital signature that proves to macOS, “Hey, this app really came from you.” And the best part? You can get it in two simple ways.
Method 1: The Xcode Way
If you’re using macOS (which you should be for signing), Apple makes it super simple through Xcode.
Here’s how:
- Open Xcode on your Mac.
- Go to Xcode → Settings (or Preferences) → Accounts.
- Add your Apple ID if you haven’t already.
- Select your developer team.
- Click Manage Certificates.
- Hit the “+” button → Choose Developer ID Application Certificate.
Xcode automatically requests and installs your certificate for you.
Recommended: Troubleshooting Common Code Signing Issues in Xcode 14 & 15
Method 2: The Apple Developer Portal
Prefer the manual route? Here’s how to do it directly from the web:
- Visit Apple’s Certificates, Identifiers & Profiles
- Click the “+” button to create a new certificate.
- Choose Developer ID Application as your certificate type.
- Follow the on-screen steps to upload your CSR.
- Download the generated certificate.
- Install it by double-clicking it, and it’ll show up in your Mac’s Keychain Access.
Step 3: Set Up Your Electron.js Project for macOS Signing
Install electron-builder by running this command
npm install electron-builder --save-devWire up your build script
Add a script to package.json so you can build with one command:
{
"scripts": {
"build": "electron-builder --mac"
}
}Add macOS build config
You can keep it in package.json under “build” or in electron-builder.yml. Use whichever you prefer.
Option A — package.json config
{
"name": "my-electron-app",
"version": "1.0.0",
"build": {
"appId": "com.example.myapp",
"productName": "MyElectronApp",
"files": [
"dist/**/*",
"node_modules/**/*",
"main.js",
"package.json"
],
"mac": {
"target": ["dmg", "zip"],
"category": "public.app-category.utilities",
"icon": "build/icon.icns",
"hardenedRuntime": true,
"entitlements": "build/entitlements.mac.plist",
"entitlementsInherit": "build/entitlements.mac.plist",
"identity": "Developer ID Application: Your Name (TEAMID)"
},
"afterSign": "scripts/notarize.js"
}
}Option B — electron-builder.yml
appId: com.example.myapp
productName: MyElectronApp
files:
- dist/**
- node_modules/**
- main.js
- package.json
mac:
target:
- dmg
- zip
category: public.app-category.utilities
icon: build/icon.icns
hardenedRuntime: true
entitlements: build/entitlements.mac.plist
entitlementsInherit: build/entitlements.mac.plist
identity: Developer ID Application: Your Name (TEAMID)
afterSign: scripts/notarize.jsStep 4: Sign Your App
Electron apps can be signed using electron-builder or manually via codesign:
Using electron-builder
If your certificate is installed and your config is set, this is all you need:
npm run buildStep 5: Have Your Application Notarised
MacOS does not consider your Electron app to be entirely safe until you have signed it and it is notarized. It is a kind of background check at Apple.
You submit your app to them, they scan it and check it to make sure that there is nothing suspicious, and in case all seems well, they nod their heads in silent approval.
First, you bundle up your app:
cd /path/to/your/app/
zip -r MyElectronApp.zip MyElectronApp.appThen you send it off to Apple’s servers for review:
xcrun altool --notarize-app \
--primary-bundle-id "com.example.myapp" \
--username "[email protected]" \
--password "your-app-specific-password" \
--file MyElectronApp.zipThat password isn’t your Apple login. It’s an app-specific password you create in your Apple ID settings. Apple won’t tell you instantly whether you passed; it takes a bit.
You can check the status like this:
xcrun altool --notarization-info <RequestUUID> \
--username "[email protected]" \
--password "your-app-specific-password"If all goes well, Apple gives your app a notarization ticket, basically a proof of inspection. You “staple” that ticket to your app so it always travels with it:
xcrun stapler staple /path/to/your/app/MyElectronApp.appThat last command feels almost ceremonial. After stapling, your app is truly ready to face macOS users, no more warnings, no more “unidentified developer” screens.
Recommended: Step-wise Guide: Token-Based JAR Signing in MAC OS X Environments
Step 6: Test Your Application
- Install your signed app on a macOS system. This is your real-world test. If everything went right, macOS will recognise your app as safe and trusted.
- Open the app. No scary red warnings. No “This app can’t be opened” pop-ups. Just a clean, professional launch, the kind that instantly builds trust with users.
- Run through the features. Click every button. Open every window. Push it like a real user would. You’re not just testing functionality, you’re testing confidence.
Apple/iOS Code Signing
Digitally Sign your iOS / Mac Application with Reputed Apple Code Signing Certificate and Prevent Tampering.
Buy Apple Code Signing Certificate
