synor/docs/CODE_SIGNING.md
Gulshan Yadav 3d161afd9d feat: add desktop node installation CI/CD and documentation
- Add Windows x86_64 build target to release.yml for synord/synor-cli
- Create release-wallet.yml workflow for Tauri desktop wallet builds
  - macOS (Intel + Apple Silicon), Windows, Linux support
  - Code signing integration (Apple + Windows certificates)
  - Tauri auto-update signing support
- Fix Dockerfiles to include src/ directory required by workspace
- Add CODE_SIGNING.md documentation for Apple/Windows certificates
2026-02-02 00:43:20 +05:30

Code Signing Setup Guide

This guide explains how to set up code signing for Synor desktop applications.

Why Code Sign?

Code signing provides:

  • User trust: No "unknown developer" warnings on macOS/Windows
  • Auto-updates: Tauri's updater requires signed binaries
  • Security: Users can verify the software hasn't been tampered with

macOS Code Signing

Prerequisites

  1. Apple Developer Account ($99/year): https://developer.apple.com/programs/enroll/
  2. Developer ID Application Certificate: For distributing outside the Mac App Store

Create Certificates

  1. Go to https://developer.apple.com/account/resources/certificates/list
  2. Click "+" to create a new certificate
  3. Select "Developer ID Application"
  4. Follow the instructions to create a CSR from Keychain Access
  5. Download and install the certificate

Export for CI/CD

# Export certificate as .p12 from Keychain Access
# Then base64 encode it for GitHub secrets (macOS base64 syntax):
base64 -i certificate.p12 -o certificate_base64.txt
# Both files contain the private key: delete them once the secret is stored

GitHub Secrets Required

| Secret | Description | How to Get |
| --- | --- | --- |
| APPLE_CERTIFICATE | Base64-encoded .p12 certificate | Export from Keychain Access |
| APPLE_CERTIFICATE_PASSWORD | Password for .p12 | Set when exporting |
| APPLE_SIGNING_IDENTITY | Certificate name | e.g., "Developer ID Application: G1 Technologies (TEAMID)" |
| APPLE_ID | Your Apple ID email | Your developer account email |
| APPLE_PASSWORD | App-specific password | Generate at appleid.apple.com |
| APPLE_TEAM_ID | 10-character team ID | Find at developer.apple.com/account |

Generate App-Specific Password

  1. Go to https://appleid.apple.com/account/manage
  2. Sign in with your Apple ID
  3. Under "App-Specific Passwords", click "Generate Password"
  4. Name it "Synor CI" and save the password

Notarization

Apple requires notarization for apps distributed outside the App Store. The Tauri action handles this automatically when the secrets are set.

Windows Code Signing

Options

  1. OV (Organization Validation) Certificate: ~$200-500/year
    • From providers like DigiCert, Sectigo, GlobalSign
    • Requires business verification
  2. EV (Extended Validation) Certificate: ~$400-700/year
    • Higher trust level, no SmartScreen warnings
    • Requires hardware token (USB)

Purchase Certificate

  1. Choose a provider (DigiCert, Sectigo, GlobalSign, etc.)
  2. Complete organization validation
  3. Receive certificate file (.pfx)

GitHub Secrets Required

| Secret | Description |
| --- | --- |
| WINDOWS_CERTIFICATE | Base64-encoded .pfx certificate |
| WINDOWS_CERTIFICATE_PASSWORD | Password for .pfx |

Encode Certificate

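# Resolve the path first: .NET file APIs use the process working directory, which can differ from PowerShell's current location
[Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path "certificate.pfx").Path)) | Out-File certificate_base64.txt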

Tauri Auto-Update Signing

Generate Signing Keypair

# Generate keypair (do this once, store securely)
cargo tauri signer generate -w ~/.tauri/synor-wallet.key

This outputs:

  • Private key (save to TAURI_SIGNING_PRIVATE_KEY secret)
  • Public key (already in tauri.conf.json)

GitHub Secrets Required

| Secret | Description |
| --- | --- |
| TAURI_SIGNING_PRIVATE_KEY | Private key from signer generate |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD | Password if you set one |

Update tauri.conf.json

The public key is already configured in apps/desktop-wallet/src-tauri/tauri.conf.json:

"updater": {
  "endpoints": [
    "https://releases.synor.io/wallet/{{target}}/{{arch}}/{{current_version}}"
  ],
  "pubkey": "YOUR_PUBLIC_KEY_HERE"
}

Setting Up GitHub Secrets

  1. Go to your repository on GitHub
  2. Navigate to Settings → Secrets and variables → Actions
  3. Click "New repository secret" for each secret
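
A preflight check that a release job could run before the signing steps, shown here as an added example and not code from the Synor repository. It uses the secret names from the tables in this guide; the function name, the platform keys and the rule that the signing identity contains the team ID in parentheses (taken from the example identity above) are assumptions.

```python
import base64
import binascii
import os
import sys

# Secret names come from the tables in this guide; the grouping keys are illustrative.
REQUIRED = {
    "macos": ["APPLE_CERTIFICATE", "APPLE_CERTIFICATE_PASSWORD", "APPLE_SIGNING_IDENTITY",
              "APPLE_ID", "APPLE_PASSWORD", "APPLE_TEAM_ID"],
    "windows": ["WINDOWS_CERTIFICATE", "WINDOWS_CERTIFICATE_PASSWORD"],
}
ALWAYS = ["TAURI_SIGNING_PRIVATE_KEY"]  # the password secret is optional per the guide
CERT_SECRETS = {"APPLE_CERTIFICATE", "WINDOWS_CERTIFICATE"}


def check_signing_secrets(env, platform):
    """Return a list of problems. Messages name the secret but never echo its value."""
    problems = []
    for name in REQUIRED[platform] + ALWAYS:
        value = env.get(name, "")
        if not value.strip():
            problems.append(f"{name}: missing or empty")
        elif name in CERT_SECRETS:
            try:
                # Tolerate line wrapping added by base64 tools or Out-File.
                der = base64.b64decode("".join(value.split()), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{name}: not valid base64")
                continue
            # .p12/.pfx files are DER-encoded, so they begin with a SEQUENCE tag (0x30).
            if not der.startswith(b"\x30"):
                problems.append(f"{name}: decoded data is not DER (wrong file encoded?)")
    if platform == "macos":
        team = env.get("APPLE_TEAM_ID", "").strip()
        ident = env.get("APPLE_SIGNING_IDENTITY", "")
        if team and not (len(team) == 10 and team.isalnum()):
            problems.append("APPLE_TEAM_ID: expected a 10-character ID")
        # Assumption: the identity is the certificate name ending in "(TEAMID)".
        elif team and ident.strip() and f"({team})" not in ident:
            problems.append("APPLE_SIGNING_IDENTITY: team ID in name differs from APPLE_TEAM_ID")
    return problems


if __name__ == "__main__":
    found = check_signing_secrets(os.environ, sys.argv[1] if len(sys.argv) > 1 else "macos")
    for line in found:
        print(f"signing preflight: {line}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

The check only confirms that the secrets are present and plausibly shaped; it does not open the certificate or test its password.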

Testing Without Signing

For development and testing, you can build without signing:

cd apps/desktop-wallet
pnpm tauri:build

Users will see warnings, but the app will still work.

Verification

macOS

# Check if app is signed
codesign -dv --verbose=4 "Synor Wallet.app"

# Check if notarized
spctl -a -v "Synor Wallet.app"

Windows

# Check signature
Get-AuthenticodeSignature "Synor Wallet.exe"

Cost Summary

| Item | Cost (Annual) |
| --- | --- |
| Apple Developer Program | $99 |
| Windows OV Certificate | $200-500 |
| Windows EV Certificate | $400-700 |

Minimum recommended: Apple + Windows OV = ~$300-600/year

Resources