# Is code signing with the GitHub tauri action possible for Windows?


narrow ember
#

I have been down this rabbit hole for literally weeks trying to deploy our company's app...

After running the tauri action I have to run the ssl.com code signer on the installers, then re-zip them, then sign the zip file to allow the updater to work with the signature.

However, when I run npm run tauri signer sign ... it produces a new signature that needs to be added to latest.json. It seems like I am just redoing everything the tauri action already did.

If anyone has successfully achieved signing and functioning auto updates with a Windows app via GitHub Actions, PLEASE share your workflow or at least the details of your implementation. This is all inside my GitHub Actions workflow, so testing is punishingly slow as I have to wait for each change to run on GitHub servers...

fluid scroll
#

yeah, using tauri-action in this context is indeed a bit of a waste of time here. You'll have to reupload all files anyway. I guess the only helpful thing here is that it tells you the paths of the build artifacts so you don't have to hardcode all of them.

#

The latest.json file is indeed tricky. I guess you'll need a Node.js script or something that also simulates what tauri-action does

#

btw, are you using AzureSignTool or how are you signing the app? Just collecting info on what people use so as to get the CLI implementation right :)

narrow ember
#

For anyone else facing a similar issue, here is my finished workflow (too long to put inline so file attached)

Here's a breakdown of how it works:

  1. prepare-environment
     • outputs some variables for use in the rest of the jobs
  2. create-release
     • creates a release (in a different repo) and outputs some details about that release like the release id for use in the rest of the jobs
  3. build-tauri
     • uses the tauri-apps/tauri-action@v0 to build the app.
     • uses the ssl.com sslcom/esigner-codesign@develop action to sign the installer
     • (optional) deletes useless files since tauri creates multiple installers (nsis and msi) and now the .exe is useless as the zip HAS to be used since it's the only one correctly signed
     • rezips the now signed installer, moves the properly signed files into the release clobbering the old ones
  4. sign-for-updater
     • downloads the zip from the previous step and the latest.json
     • signs the zip with the tauri update signer
     • retrieves the signature and updates the latest.json
     • moves the zip and latest.json back to the release clobbering the old ones
  5. publish-release
     • finalizes the release
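
The "retrieves the signature and updates the latest.json" step from the breakdown above, sketched as a Node.js script. This is an added example, not the attached workflow or tauri-action's own code. It assumes the Tauri static updater manifest layout (`platforms.<target>.signature` and `.url`) and that the `.sig` file is base64 text decoding to a minisign signature; the script name, sample manifest, and sample signatures are constructed.

```javascript
// Added example, not code from the thread or from tauri-action.
// Assumed manifest layout (Tauri static updater JSON):
//   { version, platforms: { "<target>": { signature, url } } }
// Assumed .sig layout: base64 text that decodes to a minisign signature
// beginning with "untrusted comment:".

function looksLikeUpdaterSignature(sigText) {
  const decoded = Buffer.from(String(sigText).trim(), 'base64').toString('utf8');
  return decoded.startsWith('untrusted comment:');
}

// Returns a new manifest; the input object is not modified.
function patchManifest(manifest, target, sigText, url) {
  const signature = String(sigText).trim();
  if (!looksLikeUpdaterSignature(signature)) {
    throw new Error('not an updater signature: refusing to publish');
  }
  const entry = manifest.platforms && manifest.platforms[target];
  if (!entry) throw new Error(`no platform entry for ${target}`);
  const newUrl = url || entry.url;
  if (!/^https:\/\//.test(newUrl)) throw new Error(`non-HTTPS url: ${newUrl}`);
  return {
    ...manifest,
    platforms: { ...manifest.platforms, [target]: { ...entry, signature, url: newUrl } },
  };
}

// Constructed sample data (not real signatures).
const b64 = (s) => Buffer.from(s).toString('base64');
const sampleManifest = {
  version: '1.2.3',
  platforms: {
    'windows-x86_64': {
      signature: b64('untrusted comment: constructed, pre-code-signing\nAAAA'),
      url: 'https://example.com/app_1.2.3_x64-setup.nsis.zip',
    },
  },
};
const sampleNewSig = b64('untrusted comment: constructed, post-code-signing\nBBBB') + '\n';

// CLI (hypothetical file name):
//   node patch-latest.js latest.json windows-x86_64 installer.zip.sig
async function main([manifestPath, target, sigPath]) {
  const fs = await import('node:fs/promises');
  const manifest = JSON.parse(await fs.readFile(manifestPath, 'utf8'));
  const sig = await fs.readFile(sigPath, 'utf8');
  const out = patchManifest(manifest, target, sig);
  await fs.writeFile(manifestPath, JSON.stringify(out, null, 2) + '\n');
}
if (process.argv.length === 5) main(process.argv.slice(2));
```

The script fails the job instead of publishing a manifest with an empty, malformed, or non-HTTPS entry, since the updater rejects any download whose bytes do not match the signature in latest.json.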