Hey!
I've noticed the official action supports secrets to sign Windows apps similar to Mac apps, is it possible to do this without a self hosted runner / USB based EV / OV token?
#Is there a way to code-sign Windows apps using a GH hosted runner?
night merlin
spiral vigil
If your certificate issuer supports storing the cert in a cloud hsm then yes
here's a cool guide from a community member: https://merlingough.co.uk/posts/ev-sign-tauri-app
night merlin
Thank you!
vagrant roost
We faced some issues with EV signing following the guide. This is the final yml file that we used for github actions signing: https://github.com/phcode-dev/phoenix-desktop/blob/main/.github/workflows/tauri-build-prod.yml
The mac sign part is broken post 1.5, pending fix. But windows we use ev cert from GlobalSign vended via Azure.
night merlin
@vagrant roost mac signing works for us if you need an example
vagrant roost
We faced some issues with EV signing following the guide. This is the final yml ...
The main issue being, it was signing the installer(exe)/msi file. But not the actual executable inside the installer
As tauri installer generation scripts was using signtool instead of azuresigntool
vagrant roost
<@748510324176453717> mac signing works for us if you need an example
Awesome. Can you drop the link to the code base/action if its open? If private its fine.
night merlin
Since we use a universal app we had to upload it manually, the action doesn't recognize it by default for some reason
cc @spiral vigil, not sure if this is a known issue (re: not recognizing universal app artifacts and uploading them)
@vagrant roost note https://github.com/grafbase/pathfinder/blob/main/.github/workflows/ci.yml#L68 if you need a universal app and are building on x86_64. There's new M1 runners we still need to try out
(fixed the second link)
vagrant roost
got it. wouldnt tauri be able to cross compile for both platforms on intel macs as well? Though not execute it. If i remember, we build for both m1 and intel on the same intel runner
vagrant roost
cool. we were earlier building with tauri 1.4 which did some braking change to 1.5 for mac signatures.
so our sign workflows broke in mac in 1.5
vagrant roost
Yeah, you just need to have both toolchains installed
Did you see any size bumps with universal installer? it was close to 2x size for us
vs individual x86/arm
night merlin
That's normal, a universal app is basically two mac binaries for two platforms duct-taped together
So it'll be roughly twice the size
It's not really one "universal" format that can be executed by both processors natively so much as just a package that can execute the correct binary out of two bundled binaries depending on the current platform
A universal binary runs natively on both Apple silicon and Intel-based Mac computers, because it contains executable code for both architectures.
vagrant roost
Cool. The universal app is convenient though.
spiral vigil
cc <@195491839741132800>, not sure if this is a known issue (re: not recognizing...
when did you last try it? Since 0.4 the action should be able to upload it as long as you use the args prop (like you do). And would you by any chance have logs from that run?