added Windows code-signing of .exe file, removed codesigning of asset… #5
name: "publish" | |
on: | |
push: | |
branches: | |
- release-codesigned-testing | |
jobs: | |
publish-tauri: | |
permissions: | |
contents: write | |
strategy: | |
fail-fast: false | |
matrix: | |
platform: [windows-2019, macos-11, ubuntu-20.04] | |
env: | |
MACOSX_DEPLOYMENT_TARGET: 10.13 | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- uses: actions/checkout@v2 | |
- name: setup node | |
uses: actions/setup-node@v1 | |
with: | |
node-version: 16 | |
- name: install Rust stable | |
uses: actions-rs/toolchain@v1 | |
with: | |
override: true | |
toolchain: stable | |
- name: install Go stable | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 'stable' | |
- name: install app dependencies and info | |
run: npm install && npm run tauri info | |
- name: install dependencies (ubuntu only) | |
if: matrix.platform == 'ubuntu-20.04' | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libwebkit2gtk-4.0-dev libcanberra-gtk-module libcanberra-gtk3-module build-essential curl wget libssl-dev libgtk-3-dev squashfs-tools libgtksourceview-3.0-dev libappindicator3-dev patchelf librsvg2-dev ayatana-indicator-application | |
- name: generate dist folder | |
run: npm run dist | |
- name: build the app (macOS and Linux only) | |
if: matrix.platform == 'ubuntu-20.04' || matrix.platform == 'macos-11' # HELP remove this line if Windows code signing is NOT wanted | |
uses: tauri-apps/tauri-action@dev | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} | |
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} | |
APPLE_ID: ${{ secrets.APPLE_ID }} | |
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | |
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
with: | |
projectPath: src-tauri # specifying to prevent action from looking for artifacts in crates/hc_launch/src-tauri | |
tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version | |
releaseName: "hc-stress-test v__VERSION__" | |
releaseBody: "See assets below to download and install this version." | |
releaseDraft: true | |
prerelease: true | |
args: --verbose | |
### Everything below this line is code signing for Windows via azure key vault, following these instructions: | |
### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/ | |
### HELP Remove everything below if Windows code signing is NOT wanted. | |
- name: build and sign the app (Windows only) | |
if: matrix.platform == 'windows-2019' | |
run: | | |
npm run dist | |
npm run tauri -- build --verbose # building in verbose mode to get reasonable logging output in case of failure | |
dotnet tool install --global AzureSignTool | |
# replace-me -- HELP | |
# 1. replace all occurrences of [[GITHUB_REPO_NAME]] with the name you of your GitHub repository | |
# 2. replace all occurrences of [[productName]] with the productName field in tauri.conf.json | |
# 3. replace all occurrences of [[version]] with the version field in tauri.conf.json | |
# !! NOTE: The version field needs to be updated manually here with each new version of your app, otherwise the Windows build will fail. | |
# sign the .msi file | |
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi" | |
# sign the .exe file | |
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\nsis\hc-stress-test_0.0.2_x64_setup.exe" | |
# # Uncomment the lines below if you have the updater enabled | |
# # ========================================================= | |
# # remove the .msi.zip and .msi.zip.sig files generated by tauri's build command as they are not code signed | |
# rm "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip" | |
# rm "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip.sig" | |
# # zip and sign the code signed .msi | |
# 7z a -mx=0 "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip" "D:\a\holochain-kangaroo\holochain-kangaroo\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi" | |
# npm run tauri signer sign "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip" -- -k ${{ secrets.TAURI_PRIVATE_KEY }} -p "${{ secrets.TAURI_KEY_PASSWORD }}" | |
# # ========================================================= | |
# log hashes before and after code signing to verify that the uploaded assets are the right ones | |
CertUtil -hashfile "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi" SHA256 | |
CertUtil -hashfile "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\nsis\hc-stress-test_0.0.2_x64_setup.exe" SHA256 | |
# # Uncomment the lines below if you have the updater enabled | |
# CertUtil -hashfile "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip" SHA256 | |
# CertUtil -hashfile "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi.zip.sig" SHA256 | |
env: | |
TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} | |
TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} | |
- name: upload signed .msi, .exe, .msi.zip, .msi.zip.sig files to github release (Windows only) | |
uses: matthme/tauri-action-ev-signing@dist | |
if: matrix.platform == 'windows-2019' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
projectPath: src-tauri # specifying to prevent action from looking for artifacts in crates/hc_launch/src-tauri | |
tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version | |
releaseName: "hc-stress-test v__VERSION__" | |
releaseBody: "See assets below to download and install this version." | |
releaseDraft: true | |
prerelease: true | |
args: --verbose |
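Review bot: The two `AzureSignTool sign` lines splice `${{ secrets.AZURE_CLIENT_SECRET }}` and the other Azure secrets directly into the script text, so the values end up in the script the runner generates, and `-kvc ${{ secrets.AZURE_CERT_NAME }}` is not quoted at all. Assuming the step runs under the default PowerShell shell on the Windows runner (no `shell:` is set), a `$` or backtick inside a secret would also be expanded inside the double quotes. Mapping the secrets in the step's `env:` and reading them as `$env:…` keeps them out of the script body; the fence shows the changed lines. Separately, `tauri-apps/tauri-action@dev` and `matthme/tauri-action-ev-signing@dist` are branch refs in a job that holds `contents: write` and the signing secrets, and `dotnet tool install --global AzureSignTool` installs whatever version is current. Pinning the actions to a full commit SHA and the tool with `--version` would fix what code runs on the signing path.

```yaml
      - name: build and sign the app (Windows only)
        if: matrix.platform == 'windows-2019'
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
          # … unchanged: TAURI_PRIVATE_KEY, TAURI_KEY_PASSWORD …
        run: |
          # … unchanged: npm run dist, tauri build, AzureSignTool install …
          # sign the .msi file
          AzureSignTool sign -kvu "$env:AZURE_KEY_VAULT_URI" -kvi "$env:AZURE_CLIENT_ID" -kvt "$env:AZURE_TENANT_ID" -kvs "$env:AZURE_CLIENT_SECRET" -kvc "$env:AZURE_CERT_NAME" -tr http://timestamp.digicert.com -v "D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi"
          # … the .exe signing line takes the same five substitutions …
          # … unchanged: CertUtil hash logging …
```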