Windows 代码签名

Windows 上需要代码签名，以允许你的应用在 Microsoft Store 中列出，并防止从浏览器下载时出现 SmartScreen 警告，即你的应用不受信任且无法启动。

¥Code signing is required on Windows to allow your application to be listed in the Microsoft Store and to prevent a SmartScreen warning that your application is not trusted and can not be started, when downloaded from the browser.

只要你的终端用户可以忽略 SmartScreen 警告或你的用户不通过浏览器下载，则无需在 Windows 上执行你的应用。本指南涵盖通过 OV（组织验证）证书和 Azure Key Vault 进行签名。如果你使用此处未记录的任何其他签名机制，例如 EV（扩展验证）证书，请查看你的证书颁发者文档并参考 自定义签名命令 部分。

¥It is not required to execute your application on Windows, as long as your end user is okay with ignoring the SmartScreen warning or your user does not download via the browser. This guide covers signing via OV (Organization Validated) certificates and Azure Key Vault. If you use any other signing mechanism not documented here, such as EV (Extended Validation) certificates, check out your certificate issuer documentation and refer to the custom sign command section.

OV 证书

¥OV Certificates

:::danger 危险

本指南仅适用于 2023 年 6 月 1 日之前获得的 OV 代码签名证书！对于使用 EV 证书和该日期之后收到的 OV 证书进行代码签名，请查阅证书颁发者的文档。

¥This guide only applies to OV code signing certificates acquired before June 1st 2023! For code signing with EV certificates and OV certificates received after that date please consult the documentation of your certificate issuer instead.

:::

:::note 注意

如果你使用 EV 证书对应用进行签名，它将立即获得 Microsoft SmartScreen 的声誉，并且不会向用户显示任何警告。

¥If you sign the app with an EV Certificate, it’ll receive an immediate reputation with Microsoft SmartScreen and won’t show any warnings to users.

如果你选择 OV 证书（通常更便宜且可供个人使用），Microsoft SmartScreen 仍会在用户下载应用时向他们显示警告。你的证书可能需要一些时间才能建立足够的声誉。你可以选择将 提交你的应用 提交给 Microsoft 进行人工审核。虽然不能保证，但如果应用不包含任何恶意代码，Microsoft 可能会授予额外的声誉并可能删除该特定上传文件的警告。

¥If you opt for an OV Certificate, which is generally cheaper and available to individuals, Microsoft SmartScreen will still show a warning to users when they download the app. It might take some time until your certificate builds enough reputation. You may opt for submitting your app to Microsoft for manual review. Although not guaranteed, if the app does not contain any malicious code, Microsoft may grant additional reputation and potentially remove the warning for that specific uploaded file.

请参阅 comparison 以了解有关 OV 与 EV 证书的更多信息。

¥See the comparison to learn more about OV vs EV certificates.

:::

先决条件

¥Prerequisites

• Windows - 你可能可以使用其他平台，但本教程使用 Powershell 原生功能。

  ¥Windows - you can likely use other platforms, but this tutorial uses Powershell native features.

• 一个有效的 Tauri 应用

  ¥A working Tauri application

• 代码签名证书 - 你可以在 Microsoft 文档 中列出的服务上获取其中之一。非 EV 证书的权限可能比该列表中包含的要多，请自行比较并自行选择。

  ¥Code signing certificate - you can acquire one of these on services listed in Microsoft’s docs. There are likely additional authorities for non-EV certificates than included in that list, please compare them yourself and choose one at your own risk.

  • 请确保获取代码签名证书，SSL 证书不起作用！

    ¥Please make sure to get a code signing certificate, SSL certificates do not work!

入门

¥Getting Started

我们必须做一些事情才能让 Windows 为代码签名做好准备。这包括将我们的证书转换为特定格式、安装此证书以及从证书中解码所需信息。

¥There are a few things we have to do to get Windows prepared for code signing. This includes converting our certificate to a specific format, installing this certificate, and decoding the required information from the certificate.

1. Convert your .cer to .pfx

   • You will need the following:

     • certificate file (mine is cert.cer)
     • private key file (mine is private-key.key)

   • Open up a command prompt and change to your current directory using cd Documents/Certs

   • Convert your .cer to a .pfx using openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx

   • You should be prompted to enter an export password DON’T FORGET IT!

2. Import your .pfx file into the keystore.

   • We now need to import our .pfx file.

   • Assign your export password to a variable using $WINDOWS_PFX_PASSWORD = 'MYPASSWORD'

   • Now Import the certificate using Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $WINDOWS_PFX_PASSWORD -Force -AsPlainText)

3. Prepare Variables

   • Start ➡️ certmgr.msc to open Personal Certificate Management, then open Personal/Certificates.

   • Find the certificate we just imported and double-click on it, then click on the Details tab.

   • The Signature hash algorithm will be our digestAlgorithm. (Hint: this is likely sha256)

   • Scroll down to Thumbprint. There should be a value like A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0. This is our certificateThumbprint.

   • We also need a timestamp URL; this is a time server used to verify the time of the certificate signing. I’m using http://timestamp.comodoca.com, but whoever you got your certificate from likely has one as well.

准备 tauri.conf.json 文件

¥Prepare tauri.conf.json file

1. 现在我们有了 certificateThumbprint、digestAlgorithm 和 timestampUrl，我们将打开 tauri.conf.json。

   ¥Now that we have our certificateThumbprint, digestAlgorithm, & timestampUrl we will open up the tauri.conf.json.

2. 在 tauri.conf.json 中，你将查找 tauri -> bundle -> windows 部分。我们捕获的信息有三个变量。按如下所示填写。

   ¥In the tauri.conf.json you will look for the tauri -> bundle -> windows section. There are three variables for the information we have captured. Fill it out like below.

"windows": {
        "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
        "digestAlgorithm": "sha256",
        "timestampUrl": "http://timestamp.comodoca.com"
}

3. 保存并运行 tauri build

   ¥Save and run tauri build

4. 在控制台输出中，你应该看到以下输出。

   ¥In the console output, you should see the following output.

info: signing app
info: running signtool "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.19041.0\\x64\\signtool.exe"
info: "Done Adding Additional Store\r\nSuccessfully signed: APPLICATION FILE PATH HERE

这表明你已成功签署 .exe。

¥Which shows you have successfully signed the .exe.

就是这样！你已成功设置 Tauri 应用以进行 Windows 签名。

¥And that’s it! You have successfully set up your Tauri application for Windows signing.

使用 GitHub Actions 签署你的应用。

¥Sign your application with GitHub Actions.

我们还可以创建一个工作流，使用 GitHub 操作对应用进行签名。

¥We can also create a workflow to sign the application with GitHub actions.

GitHub 秘密

¥GitHub Secrets

我们需要添加一些 GitHub 密钥以正确配置 GitHub Action。这些可以按你的意愿命名。

¥We need to add a few GitHub secrets for the proper configuration of the GitHub Action. These can be named however you would like.

• 你可以查看 加密密钥 指南，了解如何添加 GitHub 密钥。

  ¥You can view the encrypted secrets guide on how to add GitHub secrets.

我们使用的秘密如下

¥The secrets we used are as follows

GitHub 秘密	变量值
WINDOWS_CERTIFICATE	可以使用此命令 certutil -encode certificate.pfx base64cert.txt 完成 .pfx 证书的 Base64 编码版本
WINDOWS_CERTIFICATE_PASSWORD	创建证书 .pfx 时使用的证书导出密码

工作流程修改

¥Workflow Modifications

1. 我们需要在工作流中添加一个步骤以将证书导入 Windows 环境。此工作流程完成以下操作

   ¥We need to add a step in the workflow to import the certificate into the Windows environment. This workflow accomplishes the following

   1. 将 GitHub 密钥分配给环境变量

      ¥Assign GitHub secrets to environment variables

   2. 创建一个新的 certificate 目录

      ¥Create a new certificate directory

   3. 将 WINDOWS_CERTIFICATE 导入 tempCert.txt

      ¥Import WINDOWS_CERTIFICATE into tempCert.txt

   4. 使用 certutil 将 tempCert.txt 从 base64 解码为 .pfx 文件。

      ¥Use certutil to decode the tempCert.txt from base64 into a .pfx file.

   5. 删除 tempCert.txt

      ¥Remove tempCert.txt

   6. 将 .pfx 文件导入 Windows 的证书存储区并将 WINDOWS_CERTIFICATE_PASSWORD 转换为安全字符串以用于导入命令。

      ¥Import the .pfx file into the Cert store of Windows & convert the WINDOWS_CERTIFICATE_PASSWORD to a secure string to be used in the import command.

2. 我们将使用 tauri-action 发布模板。

   ¥We will be using the tauri-action publish template.

name: 'publish'
on:
  push:
    branches:
      - release

jobs:
  publish-tauri:
    strategy:
      fail-fast: false
      matrix:
        platform: [macos-latest, ubuntu-latest, windows-latest]

    runs-on: ${{ matrix.platform }}
    steps:
      - uses: actions/checkout@v2
      - name: setup node
        uses: actions/setup-node@v1
        with:
          node-version: 12
      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: install webkit2gtk (ubuntu only)
        if: matrix.platform == 'ubuntu-latest'
        run: |
          sudo apt-get update
          sudo apt-get install -y webkit2gtk-4.0
      - name: install app dependencies and build it
        run: yarn && yarn build
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tagName: app-v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version
          releaseName: 'App v__VERSION__'
          releaseBody: 'See the assets to download this version and install.'
          releaseDraft: true
          prerelease: false

3. 在 -name: install app dependencies and build it 正上方，你将需要添加以下步骤

   ¥Right above -name: install app dependencies and build it you will want to add the following step

- name: import windows certificate
  if: matrix.platform == 'windows-latest'
  env:
    WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
    WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    New-Item -ItemType directory -Path certificate
    Set-Content -Path certificate/tempCert.txt -Value $env:WINDOWS_CERTIFICATE
    certutil -decode certificate/tempCert.txt certificate/certificate.pfx
    Remove-Item -path certificate -include tempCert.txt
    Import-PfxCertificate -FilePath certificate/certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)

4. 保存并推送到你的存储库。

   ¥Save and push to your repo.

5. 你的工作流程现在可以导入你的 Windows 证书并将其导入 GitHub 运行器，从而实现自动代码签名！

   ¥Your workflow can now import your windows certificate and import it into the GitHub runner, allowing for automated code signing!

Azure Key Vault

你可以通过提供 Azure Key Vault 证书和凭据来签署 Windows 可执行文件。

¥You can sign the Windows executables by providing an Azure Key Vault certificate and credentials.

:::note 注意

本指南使用 relic，因为它支持基于秘密的身份验证，但你可以根据需要配置其他工具。要下载 relic，请检查其 发布页面 或运行 go install github.com/sassoftware/relic/v8@latest。

¥This guide uses relic due to its support to secret-based authentication, though you can configure alternative tools if you prefer. To download relic, check its releases page or run go install github.com/sassoftware/relic/v8@latest.

:::

1. Key Vault

在 Azure 门户 中，通过单击 “创建” 按钮导航到 密钥保管库服务 以创建新的密钥保管库。请记住 “Key Vault 名称”，因为你将需要该信息来配置证书 URL。

¥In the Azure Portal navigate to the Key vaults service to create a new key vault by clicking the “Create” button. Remember the “Key vault name” as you will need that information to configure the certificate URL.

2. 证书

   ¥Certificate

创建密钥保管库后，选择它并转到 “对象 > 证书” 页面以创建新证书，然后单击 “生成/导入” 按钮。请记住 “证书名称”，因为你将需要该信息来配置证书 URL。

¥After creating a key vault, select it and go to the “Objects > Certificates” page to create a new certificate and click the “Generate/Import” button. Remember the “Certificate name” as you will need that information to configure the certificate URL.

3. Tauri 配置

   ¥Tauri Configuration

relic 使用配置文件来确定应使用哪个签名密钥。对于 Azure Key Vault，你还需要证书 URL。在 src-tauri 文件夹中创建一个 relic.conf 文件并配置 relic 以使用你的证书：

¥relic uses a configuration file to determine which signing key it should use. For Azure Key Vault you also need the certificate URL. Create a relic.conf file in the src-tauri folder and configure relic to use your certificate:

src-tauri/relic.conf

tokens:
  azure:
    type: azure

keys:
  azure:
    token: azure
    id: https://\<KEY_VAULT_NAME\>.vault.azure.net/certificates/\<CERTIFICATE_NAME\>

请注意，你必须将 <KEY_VAULT_NAME> 和 <CERTIFICATE_NAME> 替换为前面步骤中的相应名称。

¥Note that you must replace <KEY_VAULT_NAME> and <CERTIFICATE_NAME> with the appropriate names from the previous steps.

要配置 Tauri 以使用你的 Azure Key Vault 配置进行签名，请更改 bundle > windows > signCommand 配置值：

¥To configure Tauri to use your Azure Key Vault configuration for signing change the bundle > windows > signCommand config value:

tauri.conf.json

{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --file %1 --key azure --config relic.conf"
    }
  }
}

4. 凭据

   ¥Credentials

relic 必须通过 Azure 进行身份验证才能加载证书。在 Azure 门户登录页面中，转到 “Microsoft Entra ID” 服务并转到 “管理 > 应用注册” 页面。单击 “新注册” 以创建新应用。创建应用后，你将被重定向到应用详细信息页面，你可以在其中看到 “应用（客户端）ID” 和 “目录（租户）ID” 值。将这些 ID 分别设置为 AZURE_CLIENT_ID 和 AZURE_TENANT_ID 环境变量。

¥relic must authenticate with Azure in order to load the certificate. In the Azure portal landing page, go to the “Microsoft Entra ID” service and head to the “Manage > App registrations” page. Click “New registration” to create a new app. After creating the app, you are redirected to the application details page where you can see the “Application (client) ID” and “Directory (tenant) ID” values. Set these IDs to the AZURE_CLIENT_ID and AZURE_TENANT_ID environment variables respectively.

在 “管理 > 证书和密钥” 页面中，单击 “新客户端秘密” 按钮并将 “值” 列中的文本设置为 AZURE_CLIENT_SECRET 环境变量。

¥In the “Manage > Certificates & secrets” page click the “New client secret” button and set the text in the “Value” column as the AZURE_CLIENT_SECRET environment variable.

设置完所有凭据后，返回密钥保管库页面并导航到 “访问控制（IAM）” 页面。你必须为新创建的应用分配 “Key Vault 证书用户” 和 “Key Vault 加密用户” 角色。

¥After setting up all the credentials, head back to your key vault’s page and navigate to the “Access control (IAM)” page. You must assign the “Key Vault Certificate User” and “Key Vault Crypto User” roles to your newly created application.

设置完所有这些变量后，运行 tauri build 将生成签名的 Windows 安装程序！

¥After setting up all these variables, running tauri build will produce signed Windows installers!

自定义签名命令

¥Custom Sign Command

在上面的 Azure Key Vault 文档中，我们使用了强大的 Tauri Windows 签名配置来强制 Tauri CLI 使用特殊的 shell 命令来签署 Windows 安装程序可执行文件。bundle > windows > signCommand 配置选项可用于使用任何可以签署 Windows 可执行文件的 codesign 工具。

¥In the Azure Key Vault documentation above we used a powerful Tauri Windows signing configuration to force the Tauri CLI to use a special shell command to sign Windows installer executables. The bundle > windows > signCommand configuration option can be used to use any codesign tool that can sign Windows executables.

:::tip 提示

从 Linux 和 macOS 计算机交叉编译 Windows 安装程序时，你必须使用自定义签名命令，因为默认实现仅适用于 Windows 计算机。

¥When cross compiling Windows installers from Linux and macOS machines, you must use a custom sign command as the default implementation only works on Windows machines.

:::

Azure 代码签名

¥Azure Code Signing

你可以通过提供 Azure Code 签名证书和凭据来签署 Windows 可执行文件。如果你还没有 Azure 代码签名账户，你可以关注此 tutorial。

¥You can sign the Windows executables by providing an Azure Code signing certificate and credentials. If you don’t have an Azure Code signing Account yet you can follow this tutorial.

先决条件

¥Prerequisites

如果你想使用 Github Actions 签名，则应该安装所有内容。

¥If you want to sign with Github Actions everything should be installed.

1. 受信任的签名账户 和权限已配置

   ¥Trusted Signing Account and permissions configured

2. .NET（建议使用 .NET 6 或更高版本）

   ¥.NET (.NET 6 or later recommended)

3. Azure CLI

4. Signtool（建议使用 Windows 11 SDK 10.0.22000.0 或更高版本）

   ¥Signtool (Windows 11 SDK 10.0.22000.0 or later recommended)

入门

¥Getting Started

你需要安装 trusted-signing-cli 并配置环境变量。

¥You need to install trusted-signing-cli and configure your environment variables.

1. 安装 Trusted-signing-cli

   ¥Install trusted-signing-cli

   • cargo install trusted-signing-cli

2. 配置环境变量

   ¥Configure environment variables

   • trusted-signing-cli 需要设置以下环境变量，不要忘记将它们添加为 Github Actions secrets：

     ¥trusted-signing-cli needs the following environment variables to be set, don’t forget to add these as Github Actions secrets:

     • AZURE_CLIENT_ID：你的 应用注册 的客户端 ID

       ¥AZURE_CLIENT_ID: The client ID of your App Registration

     • AZURE_CLIENT_SECRET：应用注册 的客户端密钥

       ¥AZURE_CLIENT_SECRET: The client secret of App Registration

     • AZURE_TENANT_ID：Azure 目录的租户 ID，你也可以从 应用注册 获取此信息

       ¥AZURE_TENANT_ID: The tenant ID of your Azure directory, you can also get this from your App Registration

3. 修改你的 tauri.conf.json 文件

   ¥Modify your tauri.conf.json file

   • 你可以修改你的 tauri.conf.json，也可以为 Windows 创建特定的配置文件。用你自己的值替换 URL 和证书名称。

     ¥You can modify your tauri.conf.json or you can create a specific config file for Windows. Replace the URL and the certificate name with your own values.

     • -e：你的 Azure 代码签名账户的端点

       ¥-e: The endpoint of your Azure Code Signing account

     • -a：你的 Azure 代码签名账户的名称

       ¥-a: The name of your Azure Code Signing Account

     • -c：你的 Azure 代码签名账户内的证书配置文件的名称

       ¥-c: The name of your Certificate profile inside your Azure Code Signing Account

   tauri.conf.json

   {
     "bundle": {
       "windows": {
         "signCommand": "trusted-signing-cli -e https://wus2.codesigning.azure.net -a MyAccount -c MyProfile %1"
       }
     }
   }