Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -123,9 +123,22 @@ jobs:
libdbus-1-dev \
libssl-dev

- name: Install Azure Trusted Signing dlib
if: runner.os == 'Windows'
shell: pwsh
run: |
dotnet tool install --global AzureSignTool
nuget install Microsoft.Trusted.Signing.Client -Version 1.0.60 -OutputDirectory "${{ runner.temp }}\TrustedSigning"
$dlib = (Get-ChildItem -Path "${{ runner.temp }}\TrustedSigning" -Recurse -Filter "Azure.CodeSigning.Dlib.dll" | Where-Object { $_.DirectoryName -like "*x64*" }).FullName
echo "DLIB_PATH=$dlib" >> $env:GITHUB_ENV

- uses: tauri-apps/tauri-action@f650639e43adf15f35dd1023d248b3ecc3568b64 # action-v0.6.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Azure Trusted Signing (Windows)
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
# macOS code signing — tauri-action skips signing when these are empty.
# To enable: add Apple Developer secrets in GitHub repo settings.
# APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
Expand All @@ -140,4 +153,4 @@ jobs:
releaseBody: "See the assets to download this version and install ThreatForge."
releaseDraft: true
prerelease: false
args: ${{ matrix.settings.args }}
args: ${{ matrix.settings.args }} ${{ runner.os == 'Windows' && '--config src-tauri/tauri.signing.conf.json' || '' }}
30 changes: 30 additions & 0 deletions scripts/sign-windows.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Windows code signing via Azure Trusted Signing
# Called by Tauri during build — receives file path as the last argument
param(
[Parameter(Mandatory=$true, Position=0)]
[string]$FilePath
)

$dlibPath = $env:DLIB_PATH
$metadataPath = Join-Path $PSScriptRoot ".." "src-tauri" "trusted-signing-metadata.json"

if (-not $dlibPath) {
Write-Error "DLIB_PATH environment variable not set"
exit 1
}

if (-not (Test-Path $dlibPath)) {
Write-Error "Azure.CodeSigning.Dlib.dll not found at: $dlibPath"
exit 1
}

Write-Host "Signing: $FilePath"

& signtool sign /v /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "$dlibPath" /dmdf "$metadataPath" "$FilePath"

if ($LASTEXITCODE -ne 0) {
Write-Error "Signing failed for: $FilePath"
exit 1
}

Write-Host "Signed successfully: $FilePath"
Binary file modified src-tauri/icons/icon.ico
Binary file not shown.
8 changes: 8 additions & 0 deletions src-tauri/tauri.signing.conf.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"$schema": "https://schema.tauri.app/config/2",
"bundle": {
"windows": {
"signCommand": "powershell -ExecutionPolicy Bypass -File \"scripts\\sign-windows.ps1\""
}
}
}
5 changes: 5 additions & 0 deletions src-tauri/trusted-signing-metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"Endpoint": "https://eus.codesigning.azure.net/",
"CodeSigningAccountName": "threatforge-signing",
"CertificateProfileName": "threatforge-public"
}