playbooks

home / skills / dchuk / claude-code-tauri-skills / tauri-code-signing

tauri-code-signing skill

/tauri/tauri-code-signing

This skill guides you through code signing and notarization for Tauri apps across Android, iOS, Linux, macOS, and Windows.

npx playbooks add skill dchuk/claude-code-tauri-skills --skill tauri-code-signing

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
11.1 KB
---
name: signing-tauri-apps
description: Guides the user through Tauri application code signing and notarization for Android, iOS, Linux, macOS, and Windows platforms including certificate setup and configuration.
---

# Tauri Code Signing Skill

This skill provides comprehensive guidance for code signing Tauri applications across all supported platforms.

## Platform Overview

| Platform | Requirement | Certificate Type |
|----------|-------------|------------------|
| Android | Required for Play Store | Java Keystore (JKS) |
| iOS | Required for distribution | Apple Developer Certificate |
| Linux | Optional (enhances trust) | GPG Key |
| macOS | Required for distribution | Developer ID / Apple Distribution |
| Windows | Required (SmartScreen) | OV or EV Certificate |

---

## Android Signing

### Generate Keystore

**macOS/Linux:**
```bash
keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload
```

**Windows:**
```powershell
keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
```

### Configuration File

Create `src-tauri/gen/android/keystore.properties`:

```properties
password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks
```

**IMPORTANT:** Never commit `keystore.properties` to version control.

### Gradle Configuration

Modify `src-tauri/gen/android/app/build.gradle.kts`:

```kotlin
import java.io.FileInputStream

// Add before android { } block
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}

android {
    // ... existing config ...

    signingConfigs {
        create("release") {
            keyAlias = keystoreProperties["keyAlias"] as String
            keyPassword = keystoreProperties["password"] as String
            storeFile = file(keystoreProperties["storeFile"] as String)
            storePassword = keystoreProperties["password"] as String
        }
    }

    buildTypes {
        release {
            signingConfig = signingConfigs.getByName("release")
            // ... other release config ...
        }
    }
}
```

### CI/CD Environment Variables

| Variable | Description |
|----------|-------------|
| `ANDROID_KEY_ALIAS` | Key alias (e.g., `upload`) |
| `ANDROID_KEY_PASSWORD` | Keystore password |
| `ANDROID_KEY_BASE64` | Base64-encoded keystore file |

**GitHub Actions Example:**

```yaml
- name: Setup Android signing
  run: |
    cd src-tauri/gen/android
    echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
    echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
    base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
    echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties
```

---

## iOS Signing

### Prerequisites

- Apple Developer Program enrollment ($99/year)
- Bundle identifier registered in App Store Connect
- iOS code signing certificate
- Mobile provisioning profile

### Automatic Signing (Recommended)

For local development, authenticate through Xcode Settings > Accounts.

For CI/CD, create an App Store Connect API key and set:

| Variable | Description |
|----------|-------------|
| `APPLE_API_ISSUER` | Issuer ID from App Store Connect |
| `APPLE_API_KEY` | Key ID from App Store Connect |
| `APPLE_API_KEY_PATH` | Path to the `.p8` private key file |

### Manual Signing

| Variable | Description |
|----------|-------------|
| `IOS_CERTIFICATE` | Base64-encoded `.p12` certificate |
| `IOS_CERTIFICATE_PASSWORD` | Password used when exporting certificate |
| `IOS_MOBILE_PROVISION` | Base64-encoded provisioning profile |

### Certificate Types by Distribution Method

| Distribution | Certificate Type |
|--------------|------------------|
| Debugging | Apple Development or iOS App Development |
| App Store | Apple Distribution or iOS Distribution |
| Ad Hoc | Apple Distribution or iOS Distribution |

### Export Certificate

1. Open Keychain Access
2. Find your certificate
3. Right-click the private key
4. Select "Export" and save as `.p12`
5. Convert to base64: `base64 -i certificate.p12`

### Create Provisioning Profile

1. Register App ID with matching bundle identifier
2. Create provisioning profile for your distribution method
3. Link certificate to profile
4. Download and convert: `base64 -i profile.mobileprovision`

---

## Linux Signing (AppImage)

### Generate GPG Key

```bash
gpg2 --full-gen-key
```

Back up the key securely.

### Environment Variables

| Variable | Description |
|----------|-------------|
| `SIGN` | Set to `1` to enable signing |
| `SIGN_KEY` | GPG Key ID (optional, uses default if not set) |
| `APPIMAGETOOL_SIGN_PASSPHRASE` | Key password (required for CI/CD) |
| `APPIMAGETOOL_FORCE_SIGN` | Set to `1` to fail build on signing error |

### Build with Signing

```bash
SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build
```

### View Embedded Signature

```bash
./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature
```

### Validate Signature

Download the validate tool from [AppImageUpdate releases](https://github.com/AppImageCommunity/AppImageUpdate/releases):

```bash
chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage
```

**Note:** AppImage does not auto-validate signatures. Users must manually verify.

---

## macOS Signing and Notarization

### Prerequisites

- Apple Developer Program enrollment ($99/year)
- Mac computer for code signing
- Free accounts cannot notarize applications

### Certificate Types

| Certificate | Use Case |
|-------------|----------|
| Apple Distribution | App Store submissions |
| Developer ID Application | Distribution outside App Store |

### Create Certificate

1. Generate Certificate Signing Request (CSR) from Keychain Access
2. Upload CSR at Apple Developer > Certificates, IDs & Profiles
3. Download and double-click `.cer` to install

### Configuration

**tauri.conf.json:**

```json
{
  "bundle": {
    "macOS": {
      "signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
    }
  }
}
```

### Environment Variables for CI/CD

**Certificate Variables:**

| Variable | Description |
|----------|-------------|
| `APPLE_CERTIFICATE` | Base64-encoded `.p12` certificate |
| `APPLE_CERTIFICATE_PASSWORD` | Password for exported certificate |
| `APPLE_SIGNING_IDENTITY` | Certificate name in keychain |

**Notarization - Option 1: App Store Connect API (Recommended):**

| Variable | Description |
|----------|-------------|
| `APPLE_API_ISSUER` | Issuer ID |
| `APPLE_API_KEY` | Key ID |
| `APPLE_API_KEY_PATH` | Path to `.p8` private key |

**Notarization - Option 2: Apple ID:**

| Variable | Description |
|----------|-------------|
| `APPLE_ID` | Apple ID email |
| `APPLE_PASSWORD` | App-specific password |
| `APPLE_TEAM_ID` | Team identifier |

### Export Certificate for CI/CD

```bash
# Export from Keychain as .p12, then:
base64 -i certificate.p12 | pbcopy
```

### Ad-Hoc Signing (Testing Only)

For unsigned distribution or testing without Apple credentials:

```json
{
  "bundle": {
    "macOS": {
      "signingIdentity": "-"
    }
  }
}
```

### GitHub Actions Example

```yaml
- name: Import certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  run: |
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p actions temp.keychain
    security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
    security list-keychains -s temp.keychain
    security unlock-keychain -p actions temp.keychain
    security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain
```

---

## Windows Signing

### Certificate Types

| Type | SmartScreen | Availability |
|------|-------------|--------------|
| OV (Organization Validated) | Builds reputation over time | Before June 1, 2023 |
| EV (Extended Validation) | Immediate trust | Required after June 1, 2023 |

**Note:** Certificates obtained after June 1, 2023 require EV certificates for immediate SmartScreen trust.

### Configuration

**tauri.conf.json:**

```json
{
  "bundle": {
    "windows": {
      "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
      "digestAlgorithm": "sha256",
      "timestampUrl": "http://timestamp.sectigo.com"
    }
  }
}
```

### Find Certificate Thumbprint

1. Open certificate details
2. Go to Details tab
3. Find "Thumbprint" field
4. Copy the hex string (remove spaces)

### Common Timestamp URLs

- `http://timestamp.sectigo.com`
- `http://timestamp.digicert.com`
- `http://timestamp.globalsign.com`

### Convert Certificate to PFX

```bash
openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx
```

### Environment Variables for CI/CD

| Variable | Description |
|----------|-------------|
| `WINDOWS_CERTIFICATE` | Base64-encoded `.pfx` file |
| `WINDOWS_CERTIFICATE_PASSWORD` | PFX export password |

### GitHub Actions Example

```yaml
- name: Import Windows certificate
  env:
    WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
    WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
  shell: pwsh
```

### Azure Key Vault Signing

For cloud-based signing with Azure Key Vault:

| Variable | Description |
|----------|-------------|
| `AZURE_CLIENT_ID` | Azure AD application client ID |
| `AZURE_CLIENT_SECRET` | Azure AD application secret |
| `AZURE_TENANT_ID` | Azure AD tenant ID |

Configure in `tauri.conf.json`:

```json
{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --key azurekeyvault --file %1"
    }
  }
}
```

### Azure Trusted Signing

For Azure Code Signing service:

```json
{
  "bundle": {
    "windows": {
      "signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
    }
  }
}
```

### Custom Sign Command

For other signing tools or cross-platform builds:

```json
{
  "bundle": {
    "windows": {
      "signCommand": "your-signing-tool --sign %1"
    }
  }
}
```

The `%1` placeholder is replaced with the executable path.

---

## Quick Reference: All Environment Variables

### Android
- `ANDROID_KEY_ALIAS`
- `ANDROID_KEY_PASSWORD`
- `ANDROID_KEY_BASE64`

### iOS (Manual)
- `IOS_CERTIFICATE`
- `IOS_CERTIFICATE_PASSWORD`
- `IOS_MOBILE_PROVISION`

### iOS/macOS (API Key)
- `APPLE_API_ISSUER`
- `APPLE_API_KEY`
- `APPLE_API_KEY_PATH`

### macOS (Certificate)
- `APPLE_CERTIFICATE`
- `APPLE_CERTIFICATE_PASSWORD`
- `APPLE_SIGNING_IDENTITY`

### macOS (Apple ID Notarization)
- `APPLE_ID`
- `APPLE_PASSWORD`
- `APPLE_TEAM_ID`

### Linux
- `SIGN`
- `SIGN_KEY`
- `APPIMAGETOOL_SIGN_PASSPHRASE`
- `APPIMAGETOOL_FORCE_SIGN`

### Windows
- `WINDOWS_CERTIFICATE`
- `WINDOWS_CERTIFICATE_PASSWORD`

### Azure (Windows)
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_TENANT_ID`

Overview

This skill guides you step-by-step through code signing and notarization for Tauri v2 apps on Android, iOS, Linux, macOS, and Windows. It explains certificate types, local and CI/CD certificate handling, and configuration snippets for tauri.conf.json and build pipelines. The focus is practical: create keys, prepare build configs, and automate signing in CI.

How this skill works

The skill inspects platform-specific signing requirements and provides commands and configuration examples to generate, export, and use certificates or keys. It maps required environment variables to CI/CD workflows, shows how to embed signing steps into Gradle, GitHub Actions, or PowerShell, and covers notarization and signature validation for macOS and AppImage. It also explains optional and mandatory steps per distribution channel.

When to use it

  • Preparing release builds for app stores (Google Play, App Store)
  • Automating signing and notarization in CI/CD pipelines
  • Distributing signed desktop packages on macOS, Windows, and Linux
  • Testing signed builds locally before publishing
  • Integrating cloud-based signing (Azure Key Vault, Trusted Signing)

Best practices

  • Never commit private keys, keystore.properties, or base64-encoded certificates to version control; use secrets management.
  • Use App Store Connect API keys for automated macOS/iOS notarization rather than interactive Apple ID when possible.
  • Store certificates encrypted as CI secrets and decode them during the build pipeline, then import into a temporary keychain or certificate store.
  • Use EV certificates for Windows to ensure immediate SmartScreen reputation when required.
  • Keep signing configuration centralized in tauri.conf.json and reference environment variables for secrets.

Example use cases

  • Generate a Java Keystore locally and wire keystore.properties into Gradle for Android release builds.
  • Export an iOS .p12 and provisioning profile to base64 secrets and configure CI to import them for App Store uploads.
  • Create a GPG key and enable SIGN=1 to produce and validate signed AppImage artifacts for Linux distributions.
  • Import a .pfx in a Windows runner and set certificateThumbprint in tauri.conf.json to sign installers and satisfy SmartScreen.
  • Configure Azure Key Vault or a custom signCommand in tauri.conf.json to offload private key management and sign Windows binaries in CI.

FAQ

Do I need a paid developer account to sign macOS or iOS apps?

Yes. Apple Developer Program enrollment is required for distribution and notarization; free accounts cannot notarize apps for wide distribution.

How should I store certificate files for CI?

Export certificates to .p12 or .pfx, base64-encode them, store as CI secrets, decode into a temporary file during the job, import into keychain or cert store, then remove artifacts.