versed bison
Hey team
We ware wanting to get an EV cert for windows to sign our Tauri app.
We have GitHub Actions for our CI/CD.
We are looking at getting a cert from globalsign (https://shop.globalsign.com/en/code-signing)
Now my question here is, Do we need the Token Implementation or the HSM Implementation?
This is the first time I have ever done any windows signing, so I am not sure what one I need to choose
undone sluice
For use in CI i'm pretty sure it's HSM. "Token" usually means a physical usb stick and using that in CI is an absolute pain, borderline impossible.
versed bison
How accurate would this AI response be? @undone sluice
undone sluice
doesn't work for EV certs
versed bison
ah ok, so has to be HSM, so next question. what do I need for that?
I got to the website, I hit buy. Do I need any other infrastructure?
undone sluice
doesn't work for EV certs
or with the new OV cert requirements (they also require a usb stick now) probably not for OV either
undone sluice
I got to the website, I hit buy. Do I need any other infrastructure?
i never used an ev cert myself but afaik this depends on the provider. I think some just give you the certificate to import into an external HSM (like azure) yourself and some host it for you.
undone sluice
yep
versed bison
ok cool. I will setup an azure HSM and then buy the cert
thanks for the help @undone sluice
versed bison
I got my cert now and have it setup in Azure, now I am just setting up the GitHub Actions pipeline with the docs here https://v2.tauri.app/distribute/sign/windows/
versed bison
when doing this step https://v2.tauri.app/distribute/sign/windows/#azure-key-vault do we only need the signCommand or do we also need certificateThumbprint, digestAlgorithm and timestampUrl ?
Because I am currently running into the error when trying to run this locally
failed to bundle project: `program not found`
Error failed to bundle project: `program not found````
ah I dont have go or relic installed. I assumed it came with tauri, my mistake
versed bison
hmm, now I am getting this
if I was to manually run it to test it, would it be this command?
relic sign --file C:\Users\...\src-tauri\target\release\MyApp.exe --key azure --config relic.conf
oh it looks like its not picking up the .env file, is that correct?
When I manually do set "AZURE_CLIENT_ID=.... && npm run tauri dev it seems to work
So its all seems to be working, but I get this one error and I cant work out why. do you have any thoughts @undone sluice ?
Also there is a typo on the docs, AZURE_VAULT_ID should be AZURE_CLIENT_ID
undone sluice
So its all seems to be working, but I get this one error and I cant work out why...
does it work with an absolute path? sounds like the cwd is different than you expect.
versed bison
does it work with an absolute path? sounds like the cwd is different than you ex...
So the strnage thing is that everything seems to be signed, the raw exe, the installer exe the installer msi and the updater files in the zip folder. So this error message is really confusing me