signing-tauri-apps

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Tauri Code Signing Skill

Tauri代码签名技能

This skill provides comprehensive guidance for code signing Tauri applications across all supported platforms.

本技能为所有支持平台的Tauri应用代码签名提供全面指导。

Platform Overview

平台概览

Platform	Requirement	Certificate Type
Android	Required for Play Store	Java Keystore (JKS)
iOS	Required for distribution	Apple Developer Certificate
Linux	Optional (enhances trust)	GPG Key
macOS	Required for distribution	Developer ID / Apple Distribution
Windows	Required (SmartScreen)	OV or EV Certificate

平台	要求	证书类型
Android	发布至应用商店必需	Java Keystore (JKS)
iOS	分发必需	Apple Developer Certificate
Linux	可选（提升信任度）	GPG Key
macOS	分发必需	Developer ID / Apple Distribution
Windows	必需（通过SmartScreen验证）	OV或EV证书

Android Signing

Android签名

Generate Keystore

生成密钥库

macOS/Linux:

bash

keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload

Windows:

powershell

keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload

macOS/Linux:

bash

keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload

Windows:

powershell

keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload

Configuration File

配置文件

Create

src-tauri/gen/android/keystore.properties

properties

password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks

IMPORTANT: Never commit

keystore.properties

to version control.

创建

src-tauri/gen/android/keystore.properties

properties

password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks

重要提示： 请勿将

keystore.properties

提交到版本控制系统。

Gradle Configuration

Gradle配置

Modify

src-tauri/gen/android/app/build.gradle.kts

kotlin

import java.io.FileInputStream

// Add before android { } block
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}

android {
    // ... existing config ...

    signingConfigs {
        create("release") {
            keyAlias = keystoreProperties["keyAlias"] as String
            keyPassword = keystoreProperties["password"] as String
            storeFile = file(keystoreProperties["storeFile"] as String)
            storePassword = keystoreProperties["password"] as String
        }
    }

    buildTypes {
        release {
            signingConfig = signingConfigs.getByName("release")
            // ... other release config ...
        }
    }
}

修改

src-tauri/gen/android/app/build.gradle.kts

kotlin

import java.io.FileInputStream

// 在android { }块之前添加
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
    keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}

android {
    // ... 现有配置 ...

    signingConfigs {
        create("release") {
            keyAlias = keystoreProperties["keyAlias"] as String
            keyPassword = keystoreProperties["password"] as String
            storeFile = file(keystoreProperties["storeFile"] as String)
            storePassword = keystoreProperties["password"] as String
        }
    }

    buildTypes {
        release {
            signingConfig = signingConfigs.getByName("release")
            // ... 其他发布配置 ...
        }
    }
}

CI/CD Environment Variables

CI/CD环境变量

Variable	Description
`ANDROID_KEY_ALIAS`	Key alias (e.g., `upload` )
`ANDROID_KEY_PASSWORD`	Keystore password
`ANDROID_KEY_BASE64`	Base64-encoded keystore file

GitHub Actions Example:

yaml

- name: Setup Android signing
  run: |
    cd src-tauri/gen/android
    echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
    echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
    base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
    echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties

变量	描述
`ANDROID_KEY_ALIAS`	密钥别名（例如： `upload` ）
`ANDROID_KEY_PASSWORD`	密钥库密码
`ANDROID_KEY_BASE64`	Base64编码的密钥库文件

GitHub Actions示例:

yaml

- name: Setup Android signing
  run: |
    cd src-tauri/gen/android
    echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
    echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
    base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
    echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties

iOS Signing

iOS签名

Prerequisites

前提条件

Apple Developer Program enrollment ($99/year)
Bundle identifier registered in App Store Connect
iOS code signing certificate
Mobile provisioning profile

已加入Apple Developer Program（年费99美元）
已在App Store Connect中注册Bundle标识符
iOS代码签名证书
移动设备配置文件

Automatic Signing (Recommended)

自动签名（推荐）

For local development, authenticate through Xcode Settings > Accounts.

For CI/CD, create an App Store Connect API key and set:

Variable	Description
`APPLE_API_ISSUER`	Issuer ID from App Store Connect
`APPLE_API_KEY`	Key ID from App Store Connect
`APPLE_API_KEY_PATH`	Path to the `.p8` private key file

本地开发时，通过Xcode设置 > 账户进行身份验证。

CI/CD环境下，创建App Store Connect API密钥并设置以下变量：

变量	描述
`APPLE_API_ISSUER`	App Store Connect中的颁发者ID
`APPLE_API_KEY`	App Store Connect中的密钥ID
`APPLE_API_KEY_PATH`	`.p8` 私钥文件的路径

Manual Signing

手动签名

Variable	Description
`IOS_CERTIFICATE`	Base64-encoded `.p12` certificate
`IOS_CERTIFICATE_PASSWORD`	Password used when exporting certificate
`IOS_MOBILE_PROVISION`	Base64-encoded provisioning profile

变量	描述
`IOS_CERTIFICATE`	Base64编码的 `.p12` 证书
`IOS_CERTIFICATE_PASSWORD`	导出证书时使用的密码
`IOS_MOBILE_PROVISION`	Base64编码的配置文件

Certificate Types by Distribution Method

按分发方式分类的证书类型

Distribution	Certificate Type
Debugging	Apple Development or iOS App Development
App Store	Apple Distribution or iOS Distribution
Ad Hoc	Apple Distribution or iOS Distribution

分发方式	证书类型
调试	Apple Development或iOS App Development
App Store	Apple Distribution或iOS Distribution
临时分发	Apple Distribution或iOS Distribution

Export Certificate

导出证书

Open Keychain Access
Find your certificate
Right-click the private key
Select "Export" and save as
```
.p12
```
Convert to base64:
```
base64 -i certificate.p12
```

打开钥匙串访问
找到你的证书
右键点击私钥
选择“导出”并保存为
```
.p12
```
格式
转换为Base64：
```
base64 -i certificate.p12
```

Create Provisioning Profile

创建配置文件

Register App ID with matching bundle identifier
Create provisioning profile for your distribution method
Link certificate to profile
Download and convert:
```
base64 -i profile.mobileprovision
```

注册与Bundle标识符匹配的App ID
为你的分发方式创建配置文件
将证书关联到配置文件
下载并转换为Base64：
```
base64 -i profile.mobileprovision
```

Linux Signing (AppImage)

Linux签名（AppImage）

Generate GPG Key

生成GPG密钥

bash

gpg2 --full-gen-key

Back up the key securely.

bash

gpg2 --full-gen-key

请安全备份密钥。

Environment Variables

环境变量

Variable	Description
`SIGN`	Set to `1` to enable signing
`SIGN_KEY`	GPG Key ID (optional, uses default if not set)
`APPIMAGETOOL_SIGN_PASSPHRASE`	Key password (required for CI/CD)
`APPIMAGETOOL_FORCE_SIGN`	Set to `1` to fail build on signing error

变量	描述
`SIGN`	设置为 `1` 以启用签名
`SIGN_KEY`	GPG密钥ID（可选，未设置则使用默认密钥）
`APPIMAGETOOL_SIGN_PASSPHRASE`	密钥密码（CI/CD环境必需）
`APPIMAGETOOL_FORCE_SIGN`	设置为 `1` 以在签名失败时终止构建

Build with Signing

带签名的构建

bash

SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build

bash

SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build

View Embedded Signature

查看嵌入式签名

bash

./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature

bash

./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature

Validate Signature

验证签名

Download the validate tool from AppImageUpdate releases:

bash

chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage

Note: AppImage does not auto-validate signatures. Users must manually verify.

从AppImageUpdate发布页下载验证工具：

bash

chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage

注意： AppImage不会自动验证签名，用户必须手动验证。

macOS Signing and Notarization

macOS签名与公证

Prerequisites

前提条件

Apple Developer Program enrollment ($99/year)
Mac computer for code signing
Free accounts cannot notarize applications

已加入Apple Developer Program（年费99美元）
使用Mac电脑进行代码签名
免费账户无法对应用进行公证

Certificate Types

证书类型

Certificate	Use Case
Apple Distribution	App Store submissions
Developer ID Application	Distribution outside App Store

证书	使用场景
Apple Distribution	提交至App Store
Developer ID Application	App Store外分发

Create Certificate

创建证书

Generate Certificate Signing Request (CSR) from Keychain Access
Upload CSR at Apple Developer > Certificates, IDs & Profiles
Download and double-click
```
.cer
```
to install

从钥匙串访问生成证书签名请求（CSR）
在Apple Developer > 证书、ID与配置文件中上传CSR
下载并双击
```
.cer
```
文件进行安装

Configuration

配置

tauri.conf.json:

json

{
  "bundle": {
    "macOS": {
      "signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
    }
  }
}

tauri.conf.json:

json

{
  "bundle": {
    "macOS": {
      "signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
    }
  }
}

Environment Variables for CI/CD

CI/CD环境变量

Certificate Variables:

Variable	Description
`APPLE_CERTIFICATE`	Base64-encoded `.p12` certificate
`APPLE_CERTIFICATE_PASSWORD`	Password for exported certificate
`APPLE_SIGNING_IDENTITY`	Certificate name in keychain

Notarization - Option 1: App Store Connect API (Recommended):

Variable	Description
`APPLE_API_ISSUER`	Issuer ID
`APPLE_API_KEY`	Key ID
`APPLE_API_KEY_PATH`	Path to `.p8` private key

Notarization - Option 2: Apple ID:

Variable	Description
`APPLE_ID`	Apple ID email
`APPLE_PASSWORD`	App-specific password
`APPLE_TEAM_ID`	Team identifier

证书相关变量:

变量	描述
`APPLE_CERTIFICATE`	Base64编码的 `.p12` 证书
`APPLE_CERTIFICATE_PASSWORD`	导出证书时的密码
`APPLE_SIGNING_IDENTITY`	钥匙串中的证书名称

公证 - 选项1：App Store Connect API（推荐）:

变量	描述
`APPLE_API_ISSUER`	颁发者ID
`APPLE_API_KEY`	密钥ID
`APPLE_API_KEY_PATH`	`.p8` 私钥文件的路径

公证 - 选项2：Apple ID:

变量	描述
`APPLE_ID`	Apple ID邮箱
`APPLE_PASSWORD`	应用专用密码
`APPLE_TEAM_ID`	团队标识符

Export Certificate for CI/CD

为CI/CD导出证书

bash

undefined

bash

undefined

Export from Keychain as .p12, then:

从钥匙串导出为.p12格式后执行：

base64 -i certificate.p12 | pbcopy

undefined

base64 -i certificate.p12 | pbcopy

undefined

Ad-Hoc Signing (Testing Only)

临时签名（仅测试用）

For unsigned distribution or testing without Apple credentials:

json

{
  "bundle": {
    "macOS": {
      "signingIdentity": "-"
    }
  }
}

无签名分发或无Apple凭据测试时使用：

json

{
  "bundle": {
    "macOS": {
      "signingIdentity": "-"
    }
  }
}

GitHub Actions Example

GitHub Actions示例

yaml

- name: Import certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  run: |
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p actions temp.keychain
    security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
    security list-keychains -s temp.keychain
    security unlock-keychain -p actions temp.keychain
    security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain

yaml

- name: Import certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  run: |
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p actions temp.keychain
    security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
    security list-keychains -s temp.keychain
    security unlock-keychain -p actions temp.keychain
    security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain

Windows Signing

Windows签名

Certificate Types

证书类型

Type	SmartScreen	Availability
OV (Organization Validated)	Builds reputation over time	Before June 1, 2023
EV (Extended Validation)	Immediate trust	Required after June 1, 2023

Note: Certificates obtained after June 1, 2023 require EV certificates for immediate SmartScreen trust.

类型	SmartScreen信任度	可用性
OV（组织验证）	逐步建立信任度	2023年6月1日前可获取
EV（扩展验证）	即时信任	2023年6月1日后必需

注意： 2023年6月1日后获取的证书需使用EV证书才能获得即时SmartScreen信任。

Configuration

配置

tauri.conf.json:

json

{
  "bundle": {
    "windows": {
      "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
      "digestAlgorithm": "sha256",
      "timestampUrl": "http://timestamp.sectigo.com"
    }
  }
}

tauri.conf.json:

json

{
  "bundle": {
    "windows": {
      "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
      "digestAlgorithm": "sha256",
      "timestampUrl": "http://timestamp.sectigo.com"
    }
  }
}

Find Certificate Thumbprint

查找证书指纹

Open certificate details
Go to Details tab
Find "Thumbprint" field
Copy the hex string (remove spaces)

打开证书详情
切换到“详细信息”标签页
找到“指纹”字段
复制十六进制字符串（移除空格）

Common Timestamp URLs

常用时间戳URL

```
http://timestamp.sectigo.com
```
```
http://timestamp.digicert.com
```
```
http://timestamp.globalsign.com
```

```
http://timestamp.sectigo.com
```
```
http://timestamp.digicert.com
```
```
http://timestamp.globalsign.com
```

Convert Certificate to PFX

将证书转换为PFX格式

bash

openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx

bash

openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx

Environment Variables for CI/CD

CI/CD环境变量

Variable	Description
`WINDOWS_CERTIFICATE`	Base64-encoded `.pfx` file
`WINDOWS_CERTIFICATE_PASSWORD`	PFX export password

变量	描述
`WINDOWS_CERTIFICATE`	Base64编码的 `.pfx` 文件
`WINDOWS_CERTIFICATE_PASSWORD`	PFX导出密码

GitHub Actions Example

GitHub Actions示例

yaml

- name: Import Windows certificate
  env:
    WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
    WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
  shell: pwsh

yaml

- name: Import Windows certificate
  env:
    WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
    WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
  run: |
    echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
  shell: pwsh

Azure Key Vault Signing

Azure Key Vault签名

For cloud-based signing with Azure Key Vault:

Variable	Description
`AZURE_CLIENT_ID`	Azure AD application client ID
`AZURE_CLIENT_SECRET`	Azure AD application secret
`AZURE_TENANT_ID`	Azure AD tenant ID

Configure in

tauri.conf.json

json

{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --key azurekeyvault --file %1"
    }
  }
}

使用Azure Key Vault进行云签名：

变量	描述
`AZURE_CLIENT_ID`	Azure AD应用程序客户端ID
`AZURE_CLIENT_SECRET`	Azure AD应用程序密钥
`AZURE_TENANT_ID`	Azure AD租户ID

在

tauri.conf.json

中配置：

json

{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --key azurekeyvault --file %1"
    }
  }
}

Azure Trusted Signing

Azure可信签名

For Azure Code Signing service:

json

{
  "bundle": {
    "windows": {
      "signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
    }
  }
}

使用Azure代码签名服务：

json

{
  "bundle": {
    "windows": {
      "signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
    }
  }
}

Custom Sign Command

自定义签名命令

For other signing tools or cross-platform builds:

json

{
  "bundle": {
    "windows": {
      "signCommand": "your-signing-tool --sign %1"
    }
  }
}

The

%1

placeholder is replaced with the executable path.

适用于其他签名工具或跨平台构建：

json

{
  "bundle": {
    "windows": {
      "signCommand": "your-signing-tool --sign %1"
    }
  }
}

%1

占位符会被替换为可执行文件路径。

Quick Reference: All Environment Variables

快速参考：所有环境变量

Android

```
ANDROID_KEY_ALIAS
```
```
ANDROID_KEY_PASSWORD
```
```
ANDROID_KEY_BASE64
```

```
ANDROID_KEY_ALIAS
```
```
ANDROID_KEY_PASSWORD
```
```
ANDROID_KEY_BASE64
```

iOS (Manual)

iOS（手动）

```
IOS_CERTIFICATE
```
```
IOS_CERTIFICATE_PASSWORD
```
```
IOS_MOBILE_PROVISION
```

```
IOS_CERTIFICATE
```
```
IOS_CERTIFICATE_PASSWORD
```
```
IOS_MOBILE_PROVISION
```

iOS/macOS (API Key)

iOS/macOS（API密钥）

```
APPLE_API_ISSUER
```
```
APPLE_API_KEY
```
```
APPLE_API_KEY_PATH
```

```
APPLE_API_ISSUER
```
```
APPLE_API_KEY
```
```
APPLE_API_KEY_PATH
```

macOS (Certificate)

macOS（证书）

```
APPLE_CERTIFICATE
```
```
APPLE_CERTIFICATE_PASSWORD
```
```
APPLE_SIGNING_IDENTITY
```

```
APPLE_CERTIFICATE
```
```
APPLE_CERTIFICATE_PASSWORD
```
```
APPLE_SIGNING_IDENTITY
```

macOS (Apple ID Notarization)

macOS（Apple ID公证）

```
APPLE_ID
```
```
APPLE_PASSWORD
```
```
APPLE_TEAM_ID
```

```
APPLE_ID
```
```
APPLE_PASSWORD
```
```
APPLE_TEAM_ID
```

Linux

```
SIGN
```
```
SIGN_KEY
```
```
APPIMAGETOOL_SIGN_PASSPHRASE
```
```
APPIMAGETOOL_FORCE_SIGN
```

```
SIGN
```
```
SIGN_KEY
```
```
APPIMAGETOOL_SIGN_PASSPHRASE
```
```
APPIMAGETOOL_FORCE_SIGN
```

Windows

```
WINDOWS_CERTIFICATE
```
```
WINDOWS_CERTIFICATE_PASSWORD
```

```
WINDOWS_CERTIFICATE
```
```
WINDOWS_CERTIFICATE_PASSWORD
```

Azure (Windows)

Azure（Windows）

```
AZURE_CLIENT_ID
```
```
AZURE_CLIENT_SECRET
```
```
AZURE_TENANT_ID
```

```
AZURE_CLIENT_ID
```
```
AZURE_CLIENT_SECRET
```
```
AZURE_TENANT_ID
```