Building Desktop Apps Out of Web Apps: Scaling Electron With Code Signing & CI/CD

Transcript

1. leomofthings.com/blog Builidng `Desktop App` Out of Web Applications SCALING ELECTRON

   APPS WITH CODE SIGNING & CROSS-PLATFORM CI/CD

2. Ayodele Aransiola Solutions Architect/Senior Developer Advocate ~ whoami

3. Electron can bridge your web application into a desktop-oriented app.

4. `The Common Story` You build an awesome app It’s wrapped

   with Electron (it works!). Distribution began. Apps can’t be opened

5. If you can build a web app, you’ve already built

   70% of an electron app

6. The /Architecture’ Security in Electron isn’t an afterthought; that’s the

   difference between an app and an exploit. contextIsolation: true nodeIntegration: false Validate IPC messages

7. leomofthings.com/blog ‘Engineering Challenges’ Signing Distribution Users seeing “Untrusted App” warnings

   and disallowing installation Building for multiple OSes reliably Automation Ensuring human error is reduced during realeases

8. What ‘Scaling’ Really Means Trust Automation Security If you lack

   the trust, users won’t install. Just like trust reduces your app installation count, security also makes your app lose it’s credibility in the market If some processes are not automated, teams slow down. Time to market is affected.

9. Code Signing: the what & the Why Code Signing =

   Digital Proof of Origin

10. Apple’s chain of `Trust Developer ID Application Developer ID Installer

    Certificate needed for distributed apps (.dmg) Certificate needed for .pkg packages } } } } App Notarization Apple scans & validates your build.
11. None
12. None
13. None

14. Windows: A different ball game Standard Certificate (.pfx) EV Certificate

    (USB token)

15. Handling EV `Token Problem: Cloud CIs can’t access USB tokens.

    Solution: Self-Hosted Runner → attach the token physically (on-prem) or Cloud Signing (DigiCert KeyLocker / SSL.com eSigner)

16. Sample Workflow file The most important security benefit is that

    your actual private key was never downloaded, seen, or exposed to the CI runner. It just asked Azure to perform the signing operation on its behalf.

17. CI/CD: one push = All builds Goals No manual signing

    Parallel builds for macOS & Windows Artifacts auto-uploaded leomofthings.com/blog

18. The gold `Catch Store certs as base64 in repo secrets.

    CI triggers on tag push (v1.0.0). Build, sign, notarize, and upload—fully automated.

19. Every push is a release candidate, every tag a signed

    product.

20. Building Trust at Scale Scaling isn’t about bigger codebases; it’s

    about smaller risks.

21. @leomofthings Thank You!` leomofthings.com/blog