# Code Signing Setup Guide

This guide explains how to set up code signing for Synor desktop applications.

## Why Code Sign?

Code signing provides:

- **User trust**: No "unknown developer" warnings on macOS/Windows
- **Auto-updates**: Tauri's updater requires signed binaries
- **Security**: Users can verify the software hasn't been tampered with

## macOS Code Signing

### Prerequisites

1. **Apple Developer Account** ($99/year): https://developer.apple.com/programs/enroll/
2. **Developer ID Application Certificate**: For distributing outside the Mac App Store

### Create Certificates

1. Go to https://developer.apple.com/account/resources/certificates/list
2. Click "+" to create a new certificate
3. Select "Developer ID Application"
4. Follow the instructions to create a CSR from Keychain Access
5. Download and install the certificate

### Export for CI/CD

```bash
# Export certificate as .p12 from Keychain Access
# Then base64 encode it for GitHub secrets:
base64 -i certificate.p12 -o certificate_base64.txt
```

### GitHub Secrets Required

| Secret | Description | How to Get |
|--------|-------------|------------|
| `APPLE_CERTIFICATE` | Base64-encoded .p12 certificate | Export from Keychain Access |
| `APPLE_CERTIFICATE_PASSWORD` | Password for .p12 | Set when exporting |
| `APPLE_SIGNING_IDENTITY` | Certificate name | e.g., "Developer ID Application: G1 Technologies (TEAMID)" |
| `APPLE_ID` | Your Apple ID email | Your developer account email |
| `APPLE_PASSWORD` | App-specific password | Generate at appleid.apple.com |
| `APPLE_TEAM_ID` | 10-character team ID | Find at developer.apple.com/account |

### Generate App-Specific Password

1. Go to https://appleid.apple.com/account/manage
2. Sign in with your Apple ID
3. Under "App-Specific Passwords", click "Generate Password"
4. Name it "Synor CI" and save the password

### Notarization

Apple requires notarization for apps distributed outside the App Store. The Tauri action handles this automatically when the secrets are set.

## Windows Code Signing

### Options

1. **OV (Organization Validation) Certificate**: ~$200-500/year
   - From providers like DigiCert, Sectigo, GlobalSign
   - Requires business verification
2. **EV (Extended Validation) Certificate**: ~$400-700/year
   - Higher trust level, no SmartScreen warnings
   - Requires hardware token (USB)

### Purchase Certificate

1. Choose a provider (DigiCert, Sectigo, GlobalSign, etc.)
2. Complete organization validation
3. Receive certificate file (.pfx)

### GitHub Secrets Required

| Secret | Description |
|--------|-------------|
| `WINDOWS_CERTIFICATE` | Base64-encoded .pfx certificate |
| `WINDOWS_CERTIFICATE_PASSWORD` | Password for .pfx |

### Encode Certificate

```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("certificate.pfx")) | Out-File certificate_base64.txt
```

## Tauri Auto-Update Signing

### Generate Signing Keypair

```bash
# Generate keypair (do this once, store securely)
cargo tauri signer generate -w ~/.tauri/synor-wallet.key
```

This outputs:

- Private key (save to `TAURI_SIGNING_PRIVATE_KEY` secret)
- Public key (already in `tauri.conf.json`)

### GitHub Secrets Required

| Secret | Description |
|--------|-------------|
| `TAURI_SIGNING_PRIVATE_KEY` | Private key from signer generate |
| `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` | Password if you set one |

### Update tauri.conf.json

The public key is already configured in `apps/desktop-wallet/src-tauri/tauri.conf.json`:

```json
"updater": {
  "endpoints": [
    "https://releases.synor.io/wallet/{{target}}/{{arch}}/{{current_version}}"
  ],
  "pubkey": "YOUR_PUBLIC_KEY_HERE"
}
```

## Setting Up GitHub Secrets

1. Go to your repository on GitHub
2. Navigate to Settings → Secrets and variables → Actions
3. Click "New repository secret" for each secret

## Testing Without Signing

For development and testing, you can build without signing:

```bash
cd apps/desktop-wallet
pnpm tauri:build
```

Users will see warnings, but the app will still work.

## Verification

### macOS

```bash
# Check if app is signed
codesign -dv --verbose=4 "Synor Wallet.app"

# Check if notarized
spctl -a -v "Synor Wallet.app"
```

### Windows

```powershell
# Check signature
Get-AuthenticodeSignature "Synor Wallet.exe"
```

## Cost Summary

| Item | Cost (Annual) |
|------|---------------|
| Apple Developer Program | $99 |
| Windows OV Certificate | $200-500 |
| Windows EV Certificate | $400-700 |

**Minimum recommended**: Apple + Windows OV = ~$300-600/year

## Resources

- [Tauri Code Signing Guide](https://tauri.app/guides/building/code-signing/)
- [Apple Developer Documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution)
- [Microsoft Authenticode](https://docs.microsoft.com/en-us/windows/win32/seccrypto/authenticode)
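The `updater` block in the Tauri Auto-Update Signing section is easy to ship with the `YOUR_PUBLIC_KEY_HERE` placeholder or a plain-http endpoint still in place, and the build does not fail on either. The check below, an added example that is not part of this guide or the Synor project, validates that block before a release: Tauri stores the whole minisign public-key file base64-encoded in `pubkey`, so it is decoded twice and the inner key must be 42 bytes starting with the `Ed` algorithm tag. Function names and the sample key built by `make_pubkey` are assumptions for this example.

```python
import base64
import binascii

MINISIGN_ALG = b"Ed"               # algorithm tag at the start of a minisign public key
MINISIGN_PUBKEY_LEN = 2 + 8 + 32   # tag + 8-byte key id + 32-byte Ed25519 public key


def decode_tauri_pubkey(pubkey_field: str) -> bytes:
    """Return the raw 42-byte minisign key behind a tauri.conf.json 'pubkey' value.

    The config value is the base64 of the key *file* (an 'untrusted comment'
    line followed by the base64 key line), so two decodes are needed.
    """
    try:
        key_file = base64.b64decode(pubkey_field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64-encoded minisign key file ({exc})") from exc
    lines = [ln for ln in key_file.splitlines() if ln.strip()]
    if len(lines) != 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("does not look like a minisign public key file")
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key line is not valid base64") from exc
    if len(raw) != MINISIGN_PUBKEY_LEN or raw[:2] != MINISIGN_ALG:
        raise ValueError("key has wrong length or algorithm tag")
    return raw


def check_updater_config(updater: dict) -> list:
    """Return a list of problems in an 'updater' block; an empty list means it passed."""
    problems = []
    endpoints = updater.get("endpoints", [])
    if not endpoints:
        problems.append("no updater endpoints configured")
    for url in endpoints:
        if not url.startswith("https://"):   # updates must not be fetched over plain http
            problems.append(f"endpoint is not https: {url}")
    try:
        decode_tauri_pubkey(updater.get("pubkey", ""))
    except ValueError as exc:
        problems.append(f"pubkey: {exc}")
    return problems


def make_pubkey(key_id: bytes, ed25519_pub: bytes) -> str:
    """Build a config-style pubkey value from raw parts (constructed test data only)."""
    key_line = base64.b64encode(MINISIGN_ALG + key_id + ed25519_pub).decode()
    key_file = f"untrusted comment: minisign public key: {key_id.hex().upper()}\n{key_line}\n"
    return base64.b64encode(key_file.encode()).decode()
```

Run `check_updater_config(json.load(open("tauri.conf.json"))["updater"])` in CI and fail the job if the list is non-empty.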