signing-tauri-apps

📁 beshkenadze/claude-code-tauri-skills 📅 14 days ago

总安装量

周安装量

#48657

全站排名

安装命令

npx skills add https://github.com/beshkenadze/claude-code-tauri-skills --skill signing-tauri-apps

Agent 安装分布

cursor 1

codex 1

claude-code 1

gemini-cli 1

Skill 文档

Tauri Code Signing Skill

This skill provides comprehensive guidance for code signing Tauri applications across all supported platforms.

Platform Overview

Platform	Requirement	Certificate Type
Android	Required for Play Store	Java Keystore (JKS)
iOS	Required for distribution	Apple Developer Certificate
Linux	Optional (enhances trust)	GPG Key
macOS	Required for distribution	Developer ID / Apple Distribution
Windows	Required (SmartScreen)	OV or EV Certificate

Android Signing

Generate Keystore

macOS/Linux:

keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload

Windows:

keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload

Configuration File

Create src-tauri/gen/android/keystore.properties:

password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks

IMPORTANT: Never commit keystore.properties to version control.

Gradle Configuration

Modify src-tauri/gen/android/app/build.gradle.kts:

import java.io.FileInputStream

// Add before android { } block
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}

android {
    // ... existing config ...

    signingConfigs {
        create("release") {
            keyAlias = keystoreProperties["keyAlias"] as String
            keyPassword = keystoreProperties["password"] as String
            storeFile = file(keystoreProperties["storeFile"] as String)
            storePassword = keystoreProperties["password"] as String
        }
    }

    buildTypes {
        release {
            signingConfig = signingConfigs.getByName("release")
            // ... other release config ...
        }
    }
}

CI/CD Environment Variables

Variable	Description
`ANDROID_KEY_ALIAS`	Key alias (e.g., `upload`)
`ANDROID_KEY_PASSWORD`	Keystore password
`ANDROID_KEY_BASE64`	Base64-encoded keystore file

GitHub Actions Example:

- name: Setup Android signing
  run: |
    cd src-tauri/gen/android
    echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
    echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
    base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
    echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties

iOS Signing

Prerequisites

Apple Developer Program enrollment ($99/year)
Bundle identifier registered in App Store Connect
iOS code signing certificate
Mobile provisioning profile

Automatic Signing (Recommended)

For local development, authenticate through Xcode Settings > Accounts.

For CI/CD, create an App Store Connect API key and set:

Variable	Description
`APPLE_API_ISSUER`	Issuer ID from App Store Connect
`APPLE_API_KEY`	Key ID from App Store Connect
`APPLE_API_KEY_PATH`	Path to the `.p8` private key file

Manual Signing

Variable	Description
`IOS_CERTIFICATE`	Base64-encoded `.p12` certificate
`IOS_CERTIFICATE_PASSWORD`	Password used when exporting certificate
`IOS_MOBILE_PROVISION`	Base64-encoded provisioning profile

Certificate Types by Distribution Method

Distribution	Certificate Type
Debugging	Apple Development or iOS App Development
App Store	Apple Distribution or iOS Distribution
Ad Hoc	Apple Distribution or iOS Distribution

Export Certificate

Open Keychain Access
Find your certificate
Right-click the private key
Select “Export” and save as .p12
Convert to base64: base64 -i certificate.p12

Create Provisioning Profile

Register App ID with matching bundle identifier
Create provisioning profile for your distribution method
Link certificate to profile
Download and convert: base64 -i profile.mobileprovision

Linux Signing (AppImage)

Generate GPG Key

gpg2 --full-gen-key

Back up the key securely.

Environment Variables

Variable	Description
`SIGN`	Set to `1` to enable signing
`SIGN_KEY`	GPG Key ID (optional, uses default if not set)
`APPIMAGETOOL_SIGN_PASSPHRASE`	Key password (required for CI/CD)
`APPIMAGETOOL_FORCE_SIGN`	Set to `1` to fail build on signing error

Build with Signing

SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build

View Embedded Signature

./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature

Validate Signature

Download the validate tool from AppImageUpdate releases:

chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage

Note: AppImage does not auto-validate signatures. Users must manually verify.

macOS Signing and Notarization

Prerequisites

Apple Developer Program enrollment ($99/year)
Mac computer for code signing
Free accounts cannot notarize applications

Certificate Types

Certificate	Use Case
Apple Distribution	App Store submissions
Developer ID Application	Distribution outside App Store

Create Certificate

Generate Certificate Signing Request (CSR) from Keychain Access
Upload CSR at Apple Developer > Certificates, IDs & Profiles
Download and double-click .cer to install

Configuration

tauri.conf.json:

{
  "bundle": {
    "macOS": {
      "signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
    }
  }
}

Environment Variables for CI/CD

Certificate Variables:

Variable	Description
`APPLE_CERTIFICATE`	Base64-encoded `.p12` certificate
`APPLE_CERTIFICATE_PASSWORD`	Password for exported certificate
`APPLE_SIGNING_IDENTITY`	Certificate name in keychain

Notarization – Option 1: App Store Connect API (Recommended):

Variable	Description
`APPLE_API_ISSUER`	Issuer ID
`APPLE_API_KEY`	Key ID
`APPLE_API_KEY_PATH`	Path to `.p8` private key

Notarization – Option 2: Apple ID:

Variable	Description
`APPLE_ID`	Apple ID email
`APPLE_PASSWORD`	App-specific password
`APPLE_TEAM_ID`	Team identifier

Export Certificate for CI/CD

# Export from Keychain as .p12, then:
base64 -i certificate.p12 | pbcopy

Ad-Hoc Signing (Testing Only)

For unsigned distribution or testing without Apple credentials:

{
  "bundle": {
    "macOS": {
      "signingIdentity": "-"
    }
  }
}

GitHub Actions Example

- name: Import certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  run: |
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p actions temp.keychain
    security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
    security list-keychains -s temp.keychain
    security unlock-keychain -p actions temp.keychain
    security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain

Windows Signing

Certificate Types

Type	SmartScreen	Availability
OV (Organization Validated)	Builds reputation over time	Before June 1, 2023
EV (Extended Validation)	Immediate trust	Required after June 1, 2023

Note: Certificates obtained after June 1, 2023 require EV certificates for immediate SmartScreen trust.

Configuration

tauri.conf.json:

{
  "bundle": {
    "windows": {
      "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
      "digestAlgorithm": "sha256",
      "timestampUrl": "http://timestamp.sectigo.com"
    }
  }
}

Find Certificate Thumbprint

Open certificate details
Go to Details tab
Find “Thumbprint” field
Copy the hex string (remove spaces)

Common Timestamp URLs

http://timestamp.sectigo.com
http://timestamp.digicert.com
http://timestamp.globalsign.com

Convert Certificate to PFX

openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx

Environment Variables for CI/CD

Variable	Description
`WINDOWS_CERTIFICATE`	Base64-encoded `.pfx` file
`WINDOWS_CERTIFICATE_PASSWORD`	PFX export password

GitHub Actions Example

- name: Import Windows certificate
  env:
    WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
    WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
  shell: pwsh

Azure Key Vault Signing

For cloud-based signing with Azure Key Vault:

Variable	Description
`AZURE_CLIENT_ID`	Azure AD application client ID
`AZURE_CLIENT_SECRET`	Azure AD application secret
`AZURE_TENANT_ID`	Azure AD tenant ID

Configure in tauri.conf.json:

{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --key azurekeyvault --file %1"
    }
  }
}

Azure Trusted Signing

For Azure Code Signing service:

{
  "bundle": {
    "windows": {
      "signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
    }
  }
}

Custom Sign Command

For other signing tools or cross-platform builds:

{
  "bundle": {
    "windows": {
      "signCommand": "your-signing-tool --sign %1"
    }
  }
}

The %1 placeholder is replaced with the executable path.

Quick Reference: All Environment Variables

Android

ANDROID_KEY_ALIAS
ANDROID_KEY_PASSWORD
ANDROID_KEY_BASE64

iOS (Manual)

IOS_CERTIFICATE
IOS_CERTIFICATE_PASSWORD
IOS_MOBILE_PROVISION

iOS/macOS (API Key)

APPLE_API_ISSUER
APPLE_API_KEY
APPLE_API_KEY_PATH

macOS (Certificate)

APPLE_CERTIFICATE
APPLE_CERTIFICATE_PASSWORD
APPLE_SIGNING_IDENTITY

macOS (Apple ID Notarization)

APPLE_ID
APPLE_PASSWORD
APPLE_TEAM_ID

Linux

SIGN
SIGN_KEY
APPIMAGETOOL_SIGN_PASSPHRASE
APPIMAGETOOL_FORCE_SIGN

Windows

WINDOWS_CERTIFICATE
WINDOWS_CERTIFICATE_PASSWORD

Azure (Windows)

AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台