Code Signing Certificates

ToDesktop supports custom code signing certificates for mac and windows. These are digital certificates that enable operating systems to verify the identity of the software publisher and ensure that the code has not been altered since it was signed.

Custom certificates are required for using ToDesktop plugins that require file system access, and are also generally preferred if you want to adopt the role of the software publisher for your app. To provide a custom certificate, navigate to "Releases" in ToDesktop Builder and click either of the plus icons in the "Certificates" section:

Clicking either of these buttons will redirect you to the web application where you can insert your certificate details.

# Mac Certificate and Notarization

Adding a certificate for Mac apps is an involved process that involves multiple toolchains. We'll list the set of steps below, but feel free to contact us at [email protected] if you're feeling overwhelmed:

1. Open XCode Preferences Window
2. Click on Accounts tab and sign in
3. Choose the correct team
4. Click on Manage Certificates

5. In the new window, from the left bottom dropdown you can create a new Developer ID certificate

6. From the certificate list, right click & Export

7. Choose a password and export the p12 file

8. Log into your ToDesktop dashboard
9. Go to Settings → Certificates → Upload Certificate

10. Upload your new cert file and password.
11. You may use your existing App-specific password or you can create a new one. If you wish to create a new one (or you don’t have access to your old one) then you can go to Apple's Developer site and choose the “App-Specific Passwords” option.

12. Click “Save Changes” on the ToDesktop dashboard and all of your future builds will now be signed with the new cert.

# Windows Certificates

On Windows, you can choose between a File or an EV certificate. Setting up an EV certificate is more expensive and involved, but will get you immediate “reputation”. This means that users of your desktop app will never be warned that your software is untrusted.

The steps below are for purchasing a certificate with GlobalSign. If using another provider (such as Digicert), please make sure that you purchase a certificate for deployment to a HSM (rather than a USB token).

1. Order the cert online with GlobalSign (make sure that you order code signing for HSM).

   1. Process is documented here: https://support.globalsign.com/code-signing/ordering-ev-code-signing-certificate-hsm-based
   2. Make note of your temporary password for later.

2. Go through the vetting process with Globalsign. This takes a couple of days and usually involves verifying company details.

3. Globalsign will send the certificate generation link.

   1. You will need the temporary password that was created earlier
   2. More details of this process are here: https://support.globalsign.com/code-signing/download-and-install-code-signing-certificate-hsm-based

4. You can now use ToDesktop to create a CSR will be used on the GlobalSign portal.

   1. Go to the Certificates settings page via the web app

      

   2. Scroll down to Windows certificate and choose “EV (GlobalSign)”

      1. You can skip the first few steps as you have already completed them.

      2. Choose “Generate Cert” and then click the “Generate CSR” button

         

      3. Now you can copy the CSR that ToDesktop has generated into the GlobalSign portal

         

      4. Finally, GlobalSign will provide you with a certificate file that you can upload to ToDesktop in the next step.

# Overwhelmed?

If you're feeling overwhelmed by the steps involved in either the Mac or Windows process, contact us at [email protected] and we'll help in every way we can.