feat(bundler): add support for EV codesigning certs via azuresigntool #8718
Conversation
|
due to the complexity of the azuresigntool package, I removed it from the binary and it'll need to currently be preinstalled on the host machine. With GitHub runners, this should be possible by running |
tr3ysmith
changed the title
|
@lucasfernog should we bump the rust min version on the main crate too? I had to bump it to 1.72 on the CLI crate because of the dependency for jsonschema -> aHash (aHash requires 1.72) |
There was a problem hiding this comment.
I am not sure if we should support azuresigntool tbh since it is not an official tool (correct me if I am wrong), should we instead provide a generic option to specify a signing command, similar to this https://github.com/crabnebula-dev/cargo-packager/blob/ec1a3a12296275341fd59c083d98202de316805f/crates/packager/src/config/mod.rs#L1206-L1214?
|
@amrbashir do I need to do anything to fix the clippy workflow failure? |
|
if you want, that would be appreciated, otherwise we can fix it in another PR |
|
cc @lucasfernog about #8718 (review) |
It gets complicated when you think about how complicated it is to sign a Windows app.. we need a better solution, and this might be one (I still didn't run through it yet, hopefully when I get back from vacation). |
Yeah we should.. we need to do a better job on the msrv for the CLI |
@lucasfernog @amrbashir should we then bump both the CLI and Core, or just CLI? |
I think we should do it in another PR, since it looks to be completely unrelated to this change |
|
that's ok we can do that separately |
|
@lucasfernog MSRV for cli is updated |
+1. We just got our new digicert token and it would be nice to be able to just call our own signing script. Otherwise, I could see this just growing and growing to accommodate the dozens of signing approaches. |
|
I agree, @tr3ysmith would a generic command work for you as well? |
Refs #3230 It looks like we need to sign the internal exe before it gets bundled too. We can use `beforeBundleCommand` to do so. Soon, Tauri should have native support for this exact scenario: tauri-apps/tauri#8718
|
@amrbashir sorry ya'll. I've had some crazy life stuff pop up. Yes a generic command would work for me as long as I can pass all the required arguments through via the tauri-action. I can work on that here in the next few days. |
|
thanks @tr3ysmith hope you're doing great, let me know if I can help with anything |
|
Hi @tr3ysmith I have opened #9865 to implement the custom signing command, gonna close this PR now in favor of that one. Thanks for your contributions |
|
@amrbashir no problem, is this something that'll get merge into 1.x at all? |
|
there is a PR to backport it in #9902 |
This feature adds support for EV code signing via azuresigntool.exe. The original method using using signtool.exe still works. But if the environment variables are set properly before running
tauri build, the Tauri bundler will attempt to use AzureSignTool.To use AzureSignTool, the user must have an EV certificate hosted in Azure Key Vault.