diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cd68c3d..4f99192 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -123,9 +123,22 @@ jobs: libdbus-1-dev \ libssl-dev + - name: Install Azure Trusted Signing dlib + if: runner.os == 'Windows' + shell: pwsh + run: | + dotnet tool install --global AzureSignTool + nuget install Microsoft.Trusted.Signing.Client -Version 1.0.60 -OutputDirectory "${{ runner.temp }}\TrustedSigning" + $dlib = (Get-ChildItem -Path "${{ runner.temp }}\TrustedSigning" -Recurse -Filter "Azure.CodeSigning.Dlib.dll" | Where-Object { $_.DirectoryName -like "*x64*" }).FullName + echo "DLIB_PATH=$dlib" >> $env:GITHUB_ENV + - uses: tauri-apps/tauri-action@f650639e43adf15f35dd1023d248b3ecc3568b64 # action-v0.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Azure Trusted Signing (Windows) + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} # macOS code signing — tauri-action skips signing when these are empty. # To enable: add Apple Developer secrets in GitHub repo settings. # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} @@ -140,4 +153,4 @@ jobs: releaseBody: "See the assets to download this version and install ThreatForge." releaseDraft: true prerelease: false - args: ${{ matrix.settings.args }} + args: ${{ matrix.settings.args }} ${{ runner.os == 'Windows' && '--config src-tauri/tauri.signing.conf.json' || '' }} diff --git a/scripts/sign-windows.ps1 b/scripts/sign-windows.ps1 new file mode 100644 index 0000000..7647a01 --- /dev/null +++ b/scripts/sign-windows.ps1 @@ -0,0 +1,30 @@ +# Windows code signing via Azure Trusted Signing +# Called by Tauri during build — receives file path as the last argument +param( + [Parameter(Mandatory=$true, Position=0)] + [string]$FilePath +) + +$dlibPath = $env:DLIB_PATH +$metadataPath = Join-Path $PSScriptRoot ".." "src-tauri" "trusted-signing-metadata.json" + +if (-not $dlibPath) { + Write-Error "DLIB_PATH environment variable not set" + exit 1 +} + +if (-not (Test-Path $dlibPath)) { + Write-Error "Azure.CodeSigning.Dlib.dll not found at: $dlibPath" + exit 1 +} + +Write-Host "Signing: $FilePath" + +& signtool sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "$dlibPath" /dmdf "$metadataPath" "$FilePath" + +if ($LASTEXITCODE -ne 0) { + Write-Error "Signing failed for: $FilePath" + exit 1 +} + +Write-Host "Signed successfully: $FilePath" diff --git a/src-tauri/icons/icon.ico b/src-tauri/icons/icon.ico index f807f44..7835048 100644 Binary files a/src-tauri/icons/icon.ico and b/src-tauri/icons/icon.ico differ diff --git a/src-tauri/tauri.signing.conf.json b/src-tauri/tauri.signing.conf.json new file mode 100644 index 0000000..17b5e8d --- /dev/null +++ b/src-tauri/tauri.signing.conf.json @@ -0,0 +1,8 @@ +{ + "$schema": "https://schema.tauri.app/config/2", + "bundle": { + "windows": { + "signCommand": "powershell -ExecutionPolicy Bypass -File \"scripts\\sign-windows.ps1\"" + } + } +} diff --git a/src-tauri/trusted-signing-metadata.json b/src-tauri/trusted-signing-metadata.json new file mode 100644 index 0000000..06d38a1 --- /dev/null +++ b/src-tauri/trusted-signing-metadata.json @@ -0,0 +1,5 @@ +{ + "Endpoint": "https://eus.codesigning.azure.net/", + "CodeSigningAccountName": "threatforge-signing", + "CertificateProfileName": "threatforge-public" +}