feat: code signing on windows (#380)

thewh1teagle · Nov 12, 2024 · ff020ae · ff020ae
1 parent 8654e0e
commit ff020ae
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -55,6 +55,20 @@ jobs:
             - name: Run pre_build.js on ${{ matrix.platform }}
               run: bun scripts/pre_build.js ${{ matrix.pre-build-args }}
 
+            - name: Import Windows certificate
+              if: matrix.platform == 'windows-latest'
+              env:
+                WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+                WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+              run: |
+                # Import certificate
+                [IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE))
+                Import-PfxCertificate -Exportable -FilePath "cert.pfx" -CertStoreLocation 'cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
+
+                # Sign resources
+                $signtoolPath = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Filter "signtool.exe" -Recurse | Where-Object FullName -like "*\x64\signtool.exe" | Select-Object -First 1).FullName
+                &$signtoolPath sign /f cert.pfx /p 'Xypie50LRtyAHS' /tr http://timestamp.digicert.com /td sha256 /fd sha256 desktop\src-tauri\ffmpeg\bin\x64\*
+
             - name: Build
               uses: tauri-apps/tauri-action@v0
               env:

diff --git a/.gitignore b/.gitignore
@@ -26,4 +26,5 @@ node_modules/
 venv/
 *.bin
 *.onnx
+*.pfx
 *trace*.log
diff --git a/desktop/src-tauri/tauri.windows.conf.json b/desktop/src-tauri/tauri.windows.conf.json
@@ -3,7 +3,10 @@
         "windows": {
             "nsis": {
                 "installerHooks": "vc_redist.nsh"
-            }
+            },
+            "certificateThumbprint": "45DCFF335BB538C58489BD03BF167D29DDA53110",
+            "digestAlgorithm": "sha256",
+            "timestampUrl": "http://timestamp.digicert.com"
         },
         "resources": {
             "ffmpeg\\bin\\x64\\*": "./",

diff --git a/docs/BUILDING.md b/docs/BUILDING.md
@@ -257,3 +257,7 @@ gh cache delete -a
 
 -   Always update crates and lock in specific commit so it will be easy to revert!!
 -   Don't upgrade important crates such as tauri as long as it stable and works and there's no real need!!
+
+## Sign on Windows
+
+See [Self sign tauri on Windows](https://gist.github.com/thewh1teagle/06022cf1ec17a62949377a17c1b590bd)
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,4 +26,5 @@ node_modules/ @@
     venv/
     *.bin
     *.onnx
+    *.pfx
     *trace*.log