How to Sign a Windows App with Electron Builder?
Published 2025-12-16 on securityboulevard.com.

You’ve spent weeks, maybe months, crafting your dream Electron app. The UI looks clean, the features work flawlessly, and you finally hit that Build button.

Excited, you send the installer to a friend for testing. You’re expecting “Wow, this is awesome!” Instead you get: “Windows protected your PC. Unknown Publisher.”

That bright blue SmartScreen warning slaps your beautiful app right across the face, making it appear like malware. Your friend hesitates, clicks “Don’t run,” and suddenly all your hard work looks sketchy.

This isn’t a bug, and it isn’t a coding issue. It’s because your app isn’t code-signed.

Windows has no way to tell who published unsigned software, so SmartScreen warns about it. That’s a problem for developers who want to look professional, earn user trust, and make installation painless.

But don’t worry, fixing this is easier than you think.

I’ll walk you through the process of code signing your Electron app on Windows using Electron Builder, step by step.

What is Electron Builder?

Building your app is only half the battle. The real headache starts when you try to package it for users.

You want a professional look and a clean installer, not a messy folder of files that screams “developer build”.

That is precisely where Electron Builder comes in.

Recommended: What is Electron Software Framework? How Electron Works? Pros, Cons and Use Cases

Think of it as a packaging assistant that does the tedious technical work so you can concentrate on features.

Electron Builder turns your raw Electron project into an installable .exe or .msi on Windows (and a .dmg on macOS, should you ever need to ship there).

It has built-in code-signing support, so you don’t have to drive signtool, PowerShell, or certificate settings by hand.

Configure it once, run the build, and Electron Builder packages, signs, and prepares your app for download.

Electron Builder helps you ship with confidence: a trusted installer and far less hassle.

Why Code Signing Matters?

You spend hours building your Electron app, you package it beautifully, upload it for download, and within minutes… your inbox is flooded with messages like:  “Hey, Windows says your app might harm my PC. Is this safe?”

That is the nightmare every developer meets the first time they skip code signing.

Code signing is not a nice-to-have. It is your app’s passport: the way you tell Windows (and your users):

“This app is legitimate. It comes from an identified developer, and it has not been altered since it was signed.”

Without it, Windows throws that “Unknown Publisher” warning in your user’s face. Your application immediately looks suspicious, and, frankly, users do not install suspicious applications.

No code signing means an immediate trust problem. Sign your code, and everything changes.

  • Windows recognises your identity.
  • SmartScreen warnings fade as your certificate builds reputation.
  • Your users can install your app without hesitation.

And suddenly… You look credible. You look professional. You look like a developer who means business.

Prerequisites

You need the following before starting:

  • An Electron application (any simple app will do)
  • A Windows 10 or Windows 11 system (physical or virtual)
  • Node.js (an LTS version is recommended)
  • npm available on PATH
  • Electron Builder installed globally or run through npx
  • A valid OV or EV code signing certificate from a trusted CA
  • The USB token or HSM middleware installed
  • A stable Internet connection (needed for timestamping)

Token-based signing of Windows builds is not supported from macOS or Linux hosts. Build on Windows.

Recommended: How to Code Signing an Electron.js App for macOS?

Steps to Sign a Windows App in Electron Builder

Step 1: Purchase a Code Signing Certificate

You know that little blue tick you see next to verified accounts on social media? It instantly tells you:

“Yep, this person is real.” A code signing certificate does the same thing for your app. It is your app’s verified badge, your way of telling Windows (and your users): “This software actually came from me, not some shady impostor on the internet.”

When your app is signed with one, Windows trusts it. Users trust it. And that dreaded “Unknown Publisher” message disappears.

Now, where do you get one? You can’t just generate it out of thin air (well, not a trusted one). You’ll need to buy it from a Certificate Authority (CA). These are trusted organisations that verify developers and issue legitimate certificates.

Note: With current certificates the private key is non-exportable. There is no .pfx or .p12 file; every signing operation runs inside the USB token, a physical HSM, or a managed HSM service.

Step 2: Install the USB Token or HSM Middleware

Windows can only reach the certificate’s private key through the middleware the CA provides, so install it first.

USB Token:

  • Insert the USB token into the system.
  • Install the CA middleware and driver.
  • Restart the system when necessary.

Physical or Cloud HSM:

  • Install the client software given by the vendor.
  • Enable authentication (PIN/credential/service account)
  • Ensure the HSM connection is on.

Before building, confirm that the middleware service is running.

Recommended: Guide to Install SafeNet Client Software, Initiate and Reset eToken

Step 3: Check the Presence of the Certificate in Windows

Ensure that Windows sees both the certificate and its private key.

GUI Verification:

  • Press Win + R
  • Enter certmgr.msc (this opens the current user’s certificate store)
  • Navigate to Personal → Certificates
  • Ensure that the code signing certificate is listed.

Command-Line Verification:

certutil -user -store My

Without -user, certutil lists the local machine store rather than the current user’s Personal store that certmgr.msc shows, so a token certificate registered for your user would not appear.

Confirm:

  • The certificate subject matches your organisation.
  • Enhanced Key Usage includes Code Signing.
  • The private key is reported as present, with the token’s provider (the CA middleware CSP/KSP) named as its key provider.

If the certificate is not listed, revisit the middleware installation.

Step 4: Install and Validate Electron Builder

Install Electron Builder globally:

npm install -g electron-builder

Or verify a project-local install through npx:

npx electron-builder --version

Confirm that the version prints, then move on.

Step 5: Prepare the Electron Project for Signing

Make sure your project builds and packages cleanly before you switch on code signing.

Recommended checks:

  • npm install succeeds.
  • The application starts in development mode.
  • Packaging completes without errors.

That way you are not debugging packaging problems and signing problems at the same time.

Step 6: Configure Electron Builder for Token-Based Signing

Define the build configuration in your project’s package.json.

Basic minimum setup:

{
  "build": {
    "appId": "com.yourcompany.yourapp",
    "productName": "Your App Name",
    "directories": {
      "output": "dist"
    },
    "win": {
      "target": "nsis",
      "certificateSubjectName": "Your Company Ltd",
      "signingHashAlgorithms": ["sha256"]
    }
  }
}

certificateSubjectName must match the certificate’s Subject (the “Issued to” name you saw in certmgr.msc); certificateSha1 with the certificate’s thumbprint is the alternative when several certificates share a subject. Without one of these, Electron Builder has nothing to select from the store and skips signing. Electron Builder 26 and later nest these Windows signing fields under "win": { "signtoolOptions": { ... } }, so check the documentation for the version you installed.

Configuration Rules:

  • Do not set certificateFile or certificatePassword.
  • Do not reference passwords, either in the configuration or through the CSC_LINK and CSC_KEY_PASSWORD environment variables.
  • Do not hardcode secrets.
  • Select the certificate by subject name or thumbprint; Electron Builder then signs with the key in the Windows certificate store, which the middleware forwards to the token or HSM.
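The two configurations side by side, with a check that enforces the rules above, as an added example that is not from the original article. It assumes the electron-builder options named in the comments (certificateSubjectName, certificateSha1, signingHashAlgorithms, rfc3161TimeStampServer, timeStampServer, and the CSC_LINK/CSC_KEY_PASSWORD environment variables that switch on file-based signing), treats the subject name and timestamp URL as placeholders, and checks both the flat win options and the win.signtoolOptions nesting used by newer electron-builder versions:

```javascript
// audit-signing.js -- added example, not part of the original article.
// Assumptions (labelled): electron-builder's win.certificateSubjectName,
// win.certificateSha1, win.signingHashAlgorithms, win.rfc3161TimeStampServer
// and win.timeStampServer options, which electron-builder 26+ nests under
// win.signtoolOptions (both locations are checked); the CSC_LINK and
// CSC_KEY_PASSWORD environment variables that select file-based signing.
// The subject name and timestamp URL below are placeholders.

// The configuration to avoid: an exportable key on disk and its password in
// source control. Anyone with repository access can sign as you.
const weakConfig = {
  appId: "com.yourcompany.yourapp",
  win: {
    target: "nsis",
    certificateFile: "build/signing.pfx",
    certificatePassword: "hunter2",
    signingHashAlgorithms: ["sha1", "sha256"],
  },
};

// Store-based configuration: the certificate is selected by subject name, the
// key stays on the token/HSM, only SHA-256 is used, and every signature is
// RFC 3161 timestamped by a server you chose. This object is what goes under
// "build" in package.json (or is exported from electron-builder.config.js).
const signedConfig = {
  appId: "com.yourcompany.yourapp",
  productName: "Your App Name",
  directories: { output: "dist" },
  win: {
    target: "nsis",
    certificateSubjectName: "Your Company Ltd", // placeholder: the "Issued to" name
    signingHashAlgorithms: ["sha256"],
    rfc3161TimeStampServer: "http://timestamp.example.test", // placeholder: your CA's RFC 3161 URL
  },
};

const FILE_BASED_KEYS = ["certificateFile", "certificatePassword"];
const FILE_BASED_ENV = ["CSC_LINK", "CSC_KEY_PASSWORD"];

// Returns a list of findings; an empty list means the configuration follows
// the token-based rules. `env` defaults to an empty object so the audit is
// deterministic; pass process.env from a real build script.
function auditSigningConfig(config, env = {}) {
  const win = (config && config.win) || {};
  // Merge the flat options with win.signtoolOptions (electron-builder 26+).
  const opts = { ...win, ...(win.signtoolOptions || {}) };
  const findings = [];

  for (const key of FILE_BASED_KEYS) {
    if (key in opts) findings.push(`${key} is set: sign from the certificate store, not from a file or password`);
  }
  for (const name of FILE_BASED_ENV) {
    if (env[name]) findings.push(`${name} is set in the environment: it selects file-based signing`);
  }
  if (!opts.certificateSubjectName && !opts.certificateSha1) {
    findings.push("no certificateSubjectName or certificateSha1: nothing selects a certificate from the Windows store");
  }
  const algs = opts.signingHashAlgorithms;
  if (!Array.isArray(algs) || algs.length === 0) {
    findings.push('signingHashAlgorithms not set: set it explicitly to ["sha256"]');
  } else {
    const weak = algs.filter((a) => a !== "sha256");
    if (weak.length > 0) findings.push(`weak hash algorithm(s) in signingHashAlgorithms: ${weak.join(", ")}`);
  }
  if (!opts.rfc3161TimeStampServer && !opts.timeStampServer) {
    findings.push("no timestamp server configured: pin your CA's RFC 3161 URL rather than relying on a default");
  }
  return findings;
}

console.log("weak config:", auditSigningConfig(weakConfig));
console.log("signed config:", auditSigningConfig(signedConfig));
```

Run it as a pre-build step (node audit-signing.js) and fail the build on any finding; passing process.env as the second argument catches a leftover CSC_LINK on a CI runner that would silently switch the build back to file-based signing.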

Step 7: Build and Sign the Application

Run the Windows build from the project root:

npx electron-builder --win

During this process:

  • Electron Builder packages the app.
  • It invokes signtool with the certificate selected from the Windows certificate store.
  • The USB token or HSM performs the private-key operation; the key never leaves the device.
  • Each signature is countersigned with a trusted timestamp.

You may be prompted for:

  • The USB token PIN
  • HSM authentication credentials

Do not interrupt the build while it is signing. Electron Builder signs several files (the application executable, the uninstaller and the installer), so the token may prompt more than once.

Step 8: Verify the Signed Installer

Verify the digital signature before distributing anything.

Run:

signtool verify /pa /v "dist\YourApp Setup.exe"

/pa checks the signature against the default Authenticode policy and /v prints the full chain and the timestamp. Quote the path, because Electron Builder’s default installer name contains spaces.

Verification confirms:

  • The signature is valid and chains to a trusted root
  • The publisher identity is the expected certificate
  • A timestamp is present

Do not distribute installers that are unsigned or only partially signed (for example a signed installer wrapping an unsigned application executable).

Common Issues and Troubleshooting

Certificate Not Detected

  • Middleware not installed
  • Token not inserted
  • Certificate not in the current user’s Personal store

No Signing Prompt Appearing

  • The middleware service has stopped
  • Wrong version of the token driver
  • The certificate selected in the build configuration does not match the certificate on the token, so signing was skipped (check the build log)

Timestamp Errors

  • The CA’s timestamp service is temporarily unavailable
  • Network restrictions (a proxy or firewall blocking the timestamp URL)

After fixing the cause, rebuild.

Best Practices for Production Signing

  • Use a dedicated, locked-down build machine.
  • Restrict physical and logical access to the USB token.
  • Never share token PINs.
  • Renew and roll over certificates before they expire.
  • Keep a consistent signing identity (the same organisation name across releases) so SmartScreen reputation accumulates.

Recommended: Key Management Best Practices to Avoid Cryptographic Failures

Summary

  • Current Windows code signing uses a certificate whose key lives on a USB token or in an HSM.
  • The private key is non-exportable by design.
  • Electron Builder signs directly through the Windows certificate store.
  • File-based (.pfx) signing is no longer the normal path, since there is no exportable key to put in a file.
  • Both OV and EV certificates build SmartScreen reputation over time as signed releases are installed.

This tutorial is a complete, modern workflow for signing Windows Electron applications with Electron Builder.


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.


Source: https://securityboulevard.com/2025/12/how-to-sign-a-windows-app-with-electron-builder/