npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

electron-builder-ssl-com-esigner

v1.0.0

Published

Electron builder plugin to sign windows executables with SSL.com eSigner

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gergofgergof

Keywords

electronelectron-builderssl.comesignercodesign

Readme

electron-builder-ssl-com-esigner

NPM version TypeScript types License Build status

Electron Builder signing hook for Windows builds that uses SSL.com's eSigner CodeSignTool under the hood.

This package is intended for teams that build Electron apps with electron-builder and want to sign Windows artifacts with an SSL.com eSigner credential instead of a local certificate or custom signing script.

What it does

  • Integrates directly with Electron Builder through win.sign.
  • Uses SSL.com's Java-based CodeSignTool internally.
  • Reads signing credentials from environment variables.
  • Overrides any previous signature on the target file before applying the eSigner signature.
  • Works well in CI/CD where interactive certificate access is not practical.

Prerequisites

Before using this package, make sure all of the following are in place:

  • An active SSL.com eSigner-enabled code signing setup.
  • Your certificate is enrolled and usable from eSigner.
  • Java is installed and available on PATH.
  • A Windows Electron build configured through electron-builder.

Java is required because SSL.com's CodeSignTool, which this package invokes internally, is a Java application.

For SSL.com setup and enrollment, these guides are the relevant references:

Installation

npm install electron-builder-ssl-com-esigner

The package downloads SSL.com's eSigner tooling during installation.

Required environment variables

The signer reads its configuration from environment variables prefixed with SSL_COM_ESIGNER_.

| Variable | Required | Description | | --- | --- | --- | | SSL_COM_ESIGNER_CREDENTIAL_ID | Yes | SSL.com eSigner credential ID. Required in practice for deterministic CI configuration, and especially important if the account has more than one signing credential. | | SSL_COM_ESIGNER_USERNAME | Yes | SSL.com account username used by CodeSignTool. | | SSL_COM_ESIGNER_PASSWORD | Yes | SSL.com account password used by CodeSignTool. | | SSL_COM_ESIGNER_TOTP_SECRET | Yes | TOTP secret for automated signing. This is what allows non-interactive signing in CI/CD. | | SSL_COM_ESIGNER_DEBUG | No | Set to true to print verbose signer logs. |

Example:

export SSL_COM_ESIGNER_CREDENTIAL_ID="your-credential-id"
export SSL_COM_ESIGNER_USERNAME="your-sslcom-username"
export SSL_COM_ESIGNER_PASSWORD="your-sslcom-password"
export SSL_COM_ESIGNER_TOTP_SECRET="your-esigner-totp-secret"

Electron Builder integration

Configure Electron Builder to use this package as the Windows signer:

{
  "build": {
    "win": {
      "sign": "electron-builder-ssl-com-esigner",
      "signingHashAlgorithms": ["sha256"]
    }
  }
}

Or in electron-builder.yml:

win:
  sign: electron-builder-ssl-com-esigner
  signingHashAlgorithms:
    - sha256

win.sign must be set to "electron-builder-ssl-com-esigner" so Electron Builder delegates Windows signing to this library.

Important note about signingHashAlgorithms

Set signingHashAlgorithms to ["sha256"] only.

This signer does not use Electron Builder's configured hash algorithm list to drive the actual SSL.com signing operation. SSL.com's CodeSignTool determines the effective signing behavior itself. In other words, setting sha1, or attempting ["sha1", "sha256"], does not make this package produce the legacy dual-signing behavior you might expect from other Windows signing flows.

That means:

  • sha1 should not be used. It is deprecated.
  • The array should contain a single value: sha256.
  • Trying to force dual-signing or nested signatures here has no practical effect with this signer.
  • At best it creates confusion in the build config; at worst it can cause extra signing passes elsewhere in your pipeline and burn signing credits for no benefit.

Because SSL.com's CodeSignTool is already performing the signing step, you should avoid layering additional Windows signing steps on top of this plugin. Prevent double-signing and signature nesting in custom scripts, post-build hooks, or external CI stages.

How signing is invoked

This package executes SSL.com's CodeSignTool in override mode against each file Electron Builder asks it to sign.

In a standard Electron Builder Windows flow, the signer is typically invoked four times:

  1. Your packaged application executable
  2. elevate.exe
  3. The installer
  4. The uninstaller

As a result, one Windows build commonly consumes four SSL.com signing operations. If your SSL.com plan is credit-based, account for that in your usage and cost estimates.

Example CI usage

name: build

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: windows-latest
    env:
      SSL_COM_ESIGNER_CREDENTIAL_ID: ${{ secrets.SSL_COM_ESIGNER_CREDENTIAL_ID }}
      SSL_COM_ESIGNER_USERNAME: ${{ secrets.SSL_COM_ESIGNER_USERNAME }}
      SSL_COM_ESIGNER_PASSWORD: ${{ secrets.SSL_COM_ESIGNER_PASSWORD }}
      SSL_COM_ESIGNER_TOTP_SECRET: ${{ secrets.SSL_COM_ESIGNER_TOTP_SECRET }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - run: npm ci
      - run: npx electron-builder --win

Operational guidance

  • Keep the SSL.com credentials in CI secrets, not in checked-in config files.
  • Ensure Java is installed on every machine that performs signing.
  • Do not add a second signing pass with signtool or another Electron Builder hook.
  • If your build signs multiple targets or architectures, total signing consumption will increase accordingly.

Troubleshooting

Java not installed

Install Java and make sure java is available on PATH.

Missing eSigner tool

The package expects its post-install download step to complete successfully. Reinstall dependencies if the bundled eSigner files were not downloaded.

eSigner authentication or OTP failures

Verify:

  • The username and password are correct.
  • The credential ID matches the certificate you intend to use.
  • The TOTP secret is the correct one for that credential and account setup.

The signing step succeeds, but the file is not validly signed

Enable SSL_COM_ESIGNER_DEBUG=true and inspect the plugin output.

SSL.com's CodeSignTool does not reliably signal all failures through its process exit code alone. In practice, this package has to detect some failures by parsing stdout and stderr output. That detection is based on observed tool behavior and trial-and-error, so it may not catch every possible failure mode.

If you find a case where the signing step appears to succeed but the produced file still does not contain a valid signature, please open an issue on GitHub and include the debug logs. If there is another failure pattern that should be detected, it should be added to the plugin.

License

MIT