Add github workflow option for trusted signing

tauri-apps · Nov 19, 2024 · 5893ef0 · 5893ef0
1 parent ad41906
commit 5893ef0
Showing 1 changed file with 74 additions and 1 deletion.
diff --git a/src/content/docs/distribute/Sign/windows.mdx b/src/content/docs/distribute/Sign/windows.mdx
@@ -317,7 +317,7 @@ You need to install [trusted-signing-cli](https://github.com/Levminer/trusted-si
      - `AZURE_CLIENT_SECRET`: The client secret of [App Registration](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/#step-4-create-app-registration-user-credentials)
      - `AZURE_TENANT_ID`: The tenant ID of your Azure directory, you can also get this from your [App Registration](https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/#step-4-create-app-registration-user-credentials)
 
-3. ### Modify your `tauri.conf.json` file
+3. #### Modify your `tauri.conf.json` file
 
    - You can modify your `tauri.conf.json` or you can create a specific config file for Windows. Replace the URL and the certificate name with your own values.
 
@@ -336,3 +336,76 @@ You need to install [trusted-signing-cli](https://github.com/Levminer/trusted-si
    ```
 
   </Steps>
+
+### Alternative without `trusted-signing-cli` and using GitHub Actions
+
+If you use the GitHub action to build your Tauri app enable a separate action to prepare for the trusted signing tooling. This will install all the prerequisites and sign using a shell script.
+
+<Steps>
+
+1. #### Add trusted-signing prepare step to your workflow
+
+   - Add the following step to your workflow to prepare the trusted signing command
+     (installs the prerequisites mentioned above)
+     - `endpoint`: The endpoint of your Azure Trusted Signing instance
+     - `account_name`: The name of your Azure Trusted Signing account
+     - `profile_name`: The name of your Azure Trusted Singing profile_name
+     - `correlation_id`: An identifier to correlate the signing request in Azure logs
+
+   ```yaml
+   - name: Prepare for codesigning
+     uses: sandercox/trusted-signing
+     with:
+       endpoint: 'https://weu.codesigning.azure.net'
+       account_name: '<<TRUSTED_SIGNING_ACCOUNT_NAME>>'
+       profile_name: '<<TRUSTED_SIGNING_PROFILE_NAME>>'
+       correlation_id: 'github-codesign-test'
+     if: matrix.platform == 'windows-latest'
+   ```
+
+2. #### Modify tauri-action
+
+   - Modify the `tauri-action` to pass additional environment variables to authenticate
+     with the Azure Trusted Signing service.
+     - `AZURE_TENANT_ID`
+     - `AZURE_CLIENT_ID`
+     - `AZURE_CLIENT_SECRET`
+
+   ```yaml
+   - uses: tauri-apps/tauri-action@v0
+     env:
+       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+       # Windows codesigning with Azure Trusted Signing
+       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+       AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+
+     with:
+       tagName: app-v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version.
+       releaseName: 'App v__VERSION__'
+       releaseBody: 'See the assets to download this version and install.'
+       releaseDraft: true
+       prerelease: false
+       args: ${{ matrix.args }}
+   ```
+
+3. #### Modify `tauri.conf.json` to use custom sign command
+
+   - Modify the `tauri.conf.json` to use the custom sign installed with the prepare step.
+
+   ```json title=tauri.conf.json
+   {
+     "bundle": {
+       "windows": {
+         "signCommand": "trusted-signing.cmd %1"
+       }
+     }
+   }
+   ```
+
+   You can also put this in `tauri.conf.prod.json` to only sign these on production builds. Make sure you update
+   the `args` in the `tauri-action` to use the correct configuration file. See [extending the configuration](/develop/configuration-files/#extending-the-configuration)
+   for more details.
+
+</Steps>