windowsmacosrustcode-signingtauri

Code Signing a Tauri application on Windows and MacOS


I've been developing an application over some time now that is based on Svelte and a .NET backend. The application is a webpage, that I also build as a Tauri application, so that the user is able to use it as a desktop application.

Personally, I am completely blank when it comes to signing applications, and I would appreciate a little help in regards to the process. The guides I find online seem to either be outdated, such as the official Tauri Code Signing documentation, use widely different methods, or they are using GitHub Actions, which I don't think I can use since the project is stored in Azure DevOps, and without a pipeline set up, I don't think I can use the secrets in there.

Currently, I do the work on my local application, push the code, merge it to another branch, publish it to an AKS cluster, update the pod, and the application is now running on the domain I use for testing. To build the Windows desktop application, I run "npm run tauri build" in the terminal to generate a .msi or .exe file, and do the same on Mac to generate a .dmg file. These files are then uploaded to a container in Azure Blob Storage. There is a button in my application that fetches these files through a URL directly to the file in the container, and the end user can then install the app.

Right now, the application is treated as a scary file by the OS, and I would therefor like to sign the application. I have ordered an EV Code Signing Certificate, and am looking to store it in Azure Key Vault. My distributor said I could use the same certificate for Code Signing on Mac as well, but is this true, as the Tauri documentation for Code Signing on MacOS explicitly describes that I need a certificate from the Apple Developmer Program?

And the bottom line of this post - how do I sign the application? Do I just need to set environment variables, build the app, and the Tauri builder signs it for me? Do I have to download a program to sign the file, or what is the best practice in my situation. The install file is packaged and uploaded to Blob Storage, and the web page gives a download link directly connected to that container and file.

Thank you in advance for any tips!


Solution

  • For anyone finding this post in the future, being unsure how to do it, just like I was, use Azure Sign Tool instead. Here is a link to a good guide from the certificate issuer I used:

    https://trustzone.com/knowledge-base/how-to-sign-files-with-azure-sign-tool/