Tauri Code Signing Skill
This skill provides comprehensive guidance for code signing Tauri applications across all supported platforms.
Platform Overview
| Platform | Requirement | Certificate Type |
|---|
| Android | Required for Play Store | Java Keystore (JKS) |
| iOS | Required for distribution | Apple Developer Certificate |
| Linux | Optional (enhances trust) | GPG Key |
| macOS | Required for distribution | Developer ID / Apple Distribution |
| Windows | Required (SmartScreen) | OV or EV Certificate |
Android Signing
Generate Keystore
macOS/Linux:
bash
keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload
Windows:
powershell
keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
Configuration File
Create
src-tauri/gen/android/keystore.properties
:
properties
password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks
IMPORTANT: Never commit
to version control.
Gradle Configuration
Modify
src-tauri/gen/android/app/build.gradle.kts
:
kotlin
import java.io.FileInputStream
// Add before android { } block
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}
android {
// ... existing config ...
signingConfigs {
create("release") {
keyAlias = keystoreProperties["keyAlias"] as String
keyPassword = keystoreProperties["password"] as String
storeFile = file(keystoreProperties["storeFile"] as String)
storePassword = keystoreProperties["password"] as String
}
}
buildTypes {
release {
signingConfig = signingConfigs.getByName("release")
// ... other release config ...
}
}
}
CI/CD Environment Variables
| Variable | Description |
|---|
| Key alias (e.g., ) |
| Keystore password |
| Base64-encoded keystore file |
GitHub Actions Example:
yaml
- name: Setup Android signing
run: |
cd src-tauri/gen/android
echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties
iOS Signing
Prerequisites
- Apple Developer Program enrollment ($99/year)
- Bundle identifier registered in App Store Connect
- iOS code signing certificate
- Mobile provisioning profile
Automatic Signing (Recommended)
For local development, authenticate through Xcode Settings > Accounts.
For CI/CD, create an App Store Connect API key and set:
| Variable | Description |
|---|
| Issuer ID from App Store Connect |
| Key ID from App Store Connect |
| Path to the private key file |
Manual Signing
| Variable | Description |
|---|
| Base64-encoded certificate |
| Password used when exporting certificate |
| Base64-encoded provisioning profile |
Certificate Types by Distribution Method
| Distribution | Certificate Type |
|---|
| Debugging | Apple Development or iOS App Development |
| App Store | Apple Distribution or iOS Distribution |
| Ad Hoc | Apple Distribution or iOS Distribution |
Export Certificate
- Open Keychain Access
- Find your certificate
- Right-click the private key
- Select "Export" and save as
- Convert to base64:
base64 -i certificate.p12
Create Provisioning Profile
- Register App ID with matching bundle identifier
- Create provisioning profile for your distribution method
- Link certificate to profile
- Download and convert:
base64 -i profile.mobileprovision
Linux Signing (AppImage)
Generate GPG Key
Back up the key securely.
Environment Variables
| Variable | Description |
|---|
| Set to to enable signing |
| GPG Key ID (optional, uses default if not set) |
APPIMAGETOOL_SIGN_PASSPHRASE
| Key password (required for CI/CD) |
| Set to to fail build on signing error |
Build with Signing
bash
SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build
View Embedded Signature
bash
./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature
Validate Signature
Download the validate tool from
AppImageUpdate releases:
bash
chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage
Note: AppImage does not auto-validate signatures. Users must manually verify.
macOS Signing and Notarization
Prerequisites
- Apple Developer Program enrollment ($99/year)
- Mac computer for code signing
- Free accounts cannot notarize applications
Certificate Types
| Certificate | Use Case |
|---|
| Apple Distribution | App Store submissions |
| Developer ID Application | Distribution outside App Store |
Create Certificate
- Generate Certificate Signing Request (CSR) from Keychain Access
- Upload CSR at Apple Developer > Certificates, IDs & Profiles
- Download and double-click to install
Configuration
tauri.conf.json:
json
{
"bundle": {
"macOS": {
"signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
}
}
}
Environment Variables for CI/CD
Certificate Variables:
| Variable | Description |
|---|
| Base64-encoded certificate |
APPLE_CERTIFICATE_PASSWORD
| Password for exported certificate |
| Certificate name in keychain |
Notarization - Option 1: App Store Connect API (Recommended):
| Variable | Description |
|---|
| Issuer ID |
| Key ID |
| Path to private key |
Notarization - Option 2: Apple ID:
| Variable | Description |
|---|
| Apple ID email |
| App-specific password |
| Team identifier |
Export Certificate for CI/CD
bash
# Export from Keychain as .p12, then:
base64 -i certificate.p12 | pbcopy
Ad-Hoc Signing (Testing Only)
For unsigned distribution or testing without Apple credentials:
json
{
"bundle": {
"macOS": {
"signingIdentity": "-"
}
}
}
GitHub Actions Example
yaml
- name: Import certificate
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p actions temp.keychain
security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
security list-keychains -s temp.keychain
security unlock-keychain -p actions temp.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain
Windows Signing
Certificate Types
| Type | SmartScreen | Availability |
|---|
| OV (Organization Validated) | Builds reputation over time | Before June 1, 2023 |
| EV (Extended Validation) | Immediate trust | Required after June 1, 2023 |
Note: Certificates obtained after June 1, 2023 require EV certificates for immediate SmartScreen trust.
Configuration
tauri.conf.json:
json
{
"bundle": {
"windows": {
"certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
"digestAlgorithm": "sha256",
"timestampUrl": "http://timestamp.sectigo.com"
}
}
}
Find Certificate Thumbprint
- Open certificate details
- Go to Details tab
- Find "Thumbprint" field
- Copy the hex string (remove spaces)
Common Timestamp URLs
http://timestamp.sectigo.com
http://timestamp.digicert.com
http://timestamp.globalsign.com
Convert Certificate to PFX
bash
openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx
Environment Variables for CI/CD
| Variable | Description |
|---|
| Base64-encoded file |
WINDOWS_CERTIFICATE_PASSWORD
| PFX export password |
GitHub Actions Example
yaml
- name: Import Windows certificate
env:
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
run: |
echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
shell: pwsh
Azure Key Vault Signing
For cloud-based signing with Azure Key Vault:
| Variable | Description |
|---|
| Azure AD application client ID |
| Azure AD application secret |
| Azure AD tenant ID |
json
{
"bundle": {
"windows": {
"signCommand": "relic sign --key azurekeyvault --file %1"
}
}
}
Azure Trusted Signing
For Azure Code Signing service:
json
{
"bundle": {
"windows": {
"signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
}
}
}
Custom Sign Command
For other signing tools or cross-platform builds:
json
{
"bundle": {
"windows": {
"signCommand": "your-signing-tool --sign %1"
}
}
}
The
placeholder is replaced with the executable path.
Quick Reference: All Environment Variables
Android
iOS (Manual)
iOS/macOS (API Key)
macOS (Certificate)
APPLE_CERTIFICATE_PASSWORD
macOS (Apple ID Notarization)
Linux
APPIMAGETOOL_SIGN_PASSPHRASE
Windows
WINDOWS_CERTIFICATE_PASSWORD
Azure (Windows)