added Windows code-signing of .exe file, removed codesigning of asset… #5

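# Release workflow for the Tauri app: builds on Windows, macOS and Linux,
# code-signs the macOS and Windows artifacts, and attaches them to a draft
# GitHub pre-release.
#
# Review notes (supply chain and secret handling):
# - Every push to the trigger branch runs this job with the signing secrets,
#   so write access to that branch is effectively permission to sign.
# - The `uses:` references below are tags or branch-like refs (`@v2`, `@dev`,
#   `@dist`) that their owners can move. Pinning each one to a full commit
#   SHA (`owner/action@<FULL_COMMIT_SHA>`) keeps third-party code that
#   receives GITHUB_TOKEN and signing keys from changing silently.
# - Secrets are handed to scripts through `env:` and never written into the
#   script text with an expression, because expressions inside a `run:` block
#   are expanded before the shell sees it, even on commented-out lines.
name: "publish"
on:
  push:
    branches:
      - release-codesigned-testing
jobs:
  publish-tauri:
    # GITHUB_TOKEN gets contents: write only; scopes not listed are set to none.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        platform: [windows-2019, macos-11, ubuntu-20.04]
    env:
      # quoted so YAML keeps the value a string instead of parsing a float
      MACOSX_DEPLOYMENT_TARGET: "10.13"
    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v2
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 16
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          override: true
          toolchain: stable
      - name: install Go stable
        uses: actions/setup-go@v4
        with:
          go-version: 'stable'
      - name: install app dependencies and info
        # NOTE(review): if a lockfile is committed, `npm ci` would install
        # exactly what it records; `npm install` may resolve newer versions.
        run: npm install && npm run tauri info
      - name: install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-20.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.0-dev libcanberra-gtk-module \
            libcanberra-gtk3-module build-essential curl wget libssl-dev \
            libgtk-3-dev squashfs-tools libgtksourceview-3.0-dev \
            libappindicator3-dev patchelf librsvg2-dev \
            ayatana-indicator-application
      - name: generate dist folder
        run: npm run dist
      - name: build the app (macOS and Linux only)
        if: matrix.platform == 'ubuntu-20.04' || matrix.platform == 'macos-11' # HELP remove this line if Windows code signing is NOT wanted
        # This action receives GITHUB_TOKEN, the Apple certificate and the
        # updater private key; `@dev` is a mutable ref (see notes at the top).
        uses: tauri-apps/tauri-action@dev
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): presumably only used as an "is signing configured"
          # flag, but its value is the certificate itself - confirm that the
          # action never prints it.
          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        with:
          # specifying to prevent action from looking for artifacts in
          # crates/hc_launch/src-tauri
          projectPath: src-tauri
          # the action automatically replaces __VERSION__ with the app version
          tagName: v__VERSION__
          releaseName: "hc-stress-test v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose
      ### Everything below this line is code signing for Windows via azure key vault, following these instructions:
      ### https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      ### HELP Remove everything below if Windows code signing is NOT wanted.
      #
      # Building and signing are separate steps so that the Azure Key Vault
      # credentials are only present in the environment of the signing
      # commands, not of `npm` and the build scripts it runs.
      - name: build the app (Windows only)
        if: matrix.platform == 'windows-2019'
        shell: pwsh
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        run: |
          # PowerShell does not stop the script when a native command exits
          # non-zero, so each command is checked explicitly.
          npm run dist
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # building in verbose mode to get reasonable logging output in case of failure
          npm run tauri -- build --verbose
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
      - name: sign the .msi and .exe installers (Windows only)
        if: matrix.platform == 'windows-2019'
        shell: pwsh
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
          # Uncomment together with the updater section in the script below:
          # TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          # TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
        run: |
          # NOTE(review): the tool version is not pinned; adding
          # `--version <PINNED_VERSION>` keeps the signer from changing
          # between runs.
          dotnet tool install --global AzureSignTool
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

          # replace-me -- HELP
          # 1. the GitHub repository name appears twice in $bundle
          # 2. both file names start with the productName field in tauri.conf.json
          # 3. both file names contain the version field in tauri.conf.json
          # !! NOTE: The version needs to be updated manually here with each
          #    new version of your app, otherwise the Windows build will fail.
          $bundle = 'D:\a\holochain-kangaroo\holochain-kangaroo\src-tauri\target\release\bundle'
          $msi = "$bundle\msi\hc-stress-test_0.0.2_x64_en-US.msi"
          $exe = "$bundle\nsis\hc-stress-test_0.0.2_x64_setup.exe"

          # Fail with a clear message, naming the variable only, when a
          # signing secret is missing.
          $required = 'AZURE_KEY_VAULT_URI', 'AZURE_CLIENT_ID', 'AZURE_TENANT_ID',
                      'AZURE_CLIENT_SECRET', 'AZURE_CERT_NAME'
          foreach ($name in $required) {
            if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($name))) {
              throw "required secret $name is not set"
            }
          }

          $signArgs = @(
            'sign',
            '-kvu', $env:AZURE_KEY_VAULT_URI,
            '-kvi', $env:AZURE_CLIENT_ID,
            '-kvt', $env:AZURE_TENANT_ID,
            '-kvs', $env:AZURE_CLIENT_SECRET,
            '-kvc', $env:AZURE_CERT_NAME,
            '-tr', 'http://timestamp.digicert.com',
            '-v'
          )

          # sign the .msi file, then the .exe file; a failed signature must
          # fail the step so that unsigned installers are never uploaded
          foreach ($file in @($msi, $exe)) {
            AzureSignTool @signArgs $file
            if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          }

          # # Uncomment the lines below if you have the updater enabled
          # # =========================================================
          # # remove the .msi.zip and .msi.zip.sig files generated by tauri's build command as they are not code signed
          # rm "$msi.zip"
          # rm "$msi.zip.sig"
          # # zip and sign the code signed .msi
          # # NOTE(review): the original archived from a path without
          # # `src-tauri`, which does not match the signed .msi; $msi is used
          # # here - confirm.
          # 7z a -mx=0 "$msi.zip" $msi
          # npm run tauri signer sign "$msi.zip" -- -k $env:TAURI_PRIVATE_KEY -p "$env:TAURI_KEY_PASSWORD"
          # # =========================================================

          # log SHA-256 hashes of the signed files so that the uploaded
          # release assets can be checked against them
          CertUtil -hashfile $msi SHA256
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          CertUtil -hashfile $exe SHA256
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # # Uncomment the lines below if you have the updater enabled
          # CertUtil -hashfile "$msi.zip" SHA256
          # CertUtil -hashfile "$msi.zip.sig" SHA256
      - name: upload signed .msi, .exe, .msi.zip, .msi.zip.sig files to github release (Windows only)
        # Third-party action on a mutable ref that runs with a token able to
        # write release assets; pin it to a commit SHA (see notes at the top).
        uses: matthme/tauri-action-ev-signing@dist
        if: matrix.platform == 'windows-2019'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # specifying to prevent action from looking for artifacts in
          # crates/hc_launch/src-tauri
          projectPath: src-tauri
          # the action automatically replaces __VERSION__ with the app version
          tagName: v__VERSION__
          releaseName: "hc-stress-test v__VERSION__"
          releaseBody: "See assets below to download and install this version."
          releaseDraft: true
          prerelease: true
          args: --verbose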