misaradmin/synor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4
synor/docs/CODE_SIGNING.md
Gulshan Yadav 3d161afd9d feat: add desktop node installation CI/CD and documentation 
- Add Windows x86_64 build target to release.yml for synord/synor-cli
- Create release-wallet.yml workflow for Tauri desktop wallet builds
  - macOS (Intel + Apple Silicon), Windows, Linux support
  - Code signing integration (Apple + Windows certificates)
  - Tauri auto-update signing support
- Fix Dockerfiles to include src/ directory required by workspace
- Add CODE_SIGNING.md documentation for Apple/Windows certificates
2026-02-02 00:43:20 +05:30

171 lines
4.7 KiB
Markdown
Raw Blame History

# Code Signing Setup Guide
This guide explains how to set up code signing for Synor desktop applications.
## Why Code Sign?
Code signing provides:
- **User trust**: No "unknown developer" warnings on macOS/Windows
- **Auto-updates**: Tauri's updater requires signed binaries
- **Security**: Users can verify the software hasn't been tampered with
## macOS Code Signing
### Prerequisites
1. **Apple Developer Account** ($99/year): https://developer.apple.com/programs/enroll/
2. **Developer ID Application Certificate**: For distributing outside the Mac App Store
### Create Certificates
1. Go to https://developer.apple.com/account/resources/certificates/list
2. Click "+" to create a new certificate
3. Select "Developer ID Application"
4. Follow the instructions to create a CSR from Keychain Access
5. Download and install the certificate
### Export for CI/CD
```bash
# Export certificate as .p12 from Keychain Access
# Then base64 encode it for GitHub secrets:
base64 -i certificate.p12 -o certificate_base64.txt
```
### GitHub Secrets Required
| Secret | Description | How to Get |
|--------|-------------|------------|
| `APPLE_CERTIFICATE` | Base64-encoded .p12 certificate | Export from Keychain Access |
| `APPLE_CERTIFICATE_PASSWORD` | Password for .p12 | Set when exporting |
| `APPLE_SIGNING_IDENTITY` | Certificate name | e.g., "Developer ID Application: G1 Technologies (TEAMID)" |
| `APPLE_ID` | Your Apple ID email | Your developer account email |
| `APPLE_PASSWORD` | App-specific password | Generate at appleid.apple.com |
| `APPLE_TEAM_ID` | 10-character team ID | Find at developer.apple.com/account |
### Generate App-Specific Password
1. Go to https://appleid.apple.com/account/manage
2. Sign in with your Apple ID
3. Under "App-Specific Passwords", click "Generate Password"
4. Name it "Synor CI" and save the password
### Notarization
Apple requires notarization for apps distributed outside the App Store. The Tauri action handles this automatically when the secrets are set.
## Windows Code Signing
### Options
1. **OV (Organization Validation) Certificate**: ~$200-500/year
- From providers like DigiCert, Sectigo, GlobalSign
- Requires business verification
2. **EV (Extended Validation) Certificate**: ~$400-700/year
- Higher trust level, no SmartScreen warnings
- Requires hardware token (USB)
### Purchase Certificate
1. Choose a provider (DigiCert, Sectigo, GlobalSign, etc.)
2. Complete organization validation
3. Receive certificate file (.pfx)
### GitHub Secrets Required
| Secret | Description |
|--------|-------------|
| `WINDOWS_CERTIFICATE` | Base64-encoded .pfx certificate |
| `WINDOWS_CERTIFICATE_PASSWORD` | Password for .pfx |
### Encode Certificate
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("certificate.pfx")) | Out-File certificate_base64.txt
```
## Tauri Auto-Update Signing
### Generate Signing Keypair
```bash
# Generate keypair (do this once, store securely)
cargo tauri signer generate -w ~/.tauri/synor-wallet.key
```
This outputs:
- Private key (save to `TAURI_SIGNING_PRIVATE_KEY` secret)
- Public key (already in `tauri.conf.json`)
### GitHub Secrets Required
| Secret | Description |
|--------|-------------|
| `TAURI_SIGNING_PRIVATE_KEY` | Private key from signer generate |
| `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` | Password if you set one |
### Update tauri.conf.json
The public key is already configured in `apps/desktop-wallet/src-tauri/tauri.conf.json`:
```json
"updater": {
"endpoints": [
"https://releases.synor.io/wallet/{{target}}/{{arch}}/{{current_version}}"
],
"pubkey": "YOUR_PUBLIC_KEY_HERE"
}
```
## Setting Up GitHub Secrets
1. Go to your repository on GitHub
2. Navigate to Settings → Secrets and variables → Actions
3. Click "New repository secret" for each secret
## Testing Without Signing
For development and testing, you can build without signing:
```bash
cd apps/desktop-wallet
pnpm tauri:build
```
Users will see warnings, but the app will still work.
## Verification
### macOS
```bash
# Check if app is signed
codesign -dv --verbose=4 "Synor Wallet.app"
# Check if notarized
spctl -a -v "Synor Wallet.app"
```
### Windows
```powershell
# Check signature
Get-AuthenticodeSignature "Synor Wallet.exe"
```
## Cost Summary
| Item | Cost (Annual) |
|------|---------------|
| Apple Developer Program | $99 |
| Windows OV Certificate | $200-500 |
| Windows EV Certificate | $400-700 |
**Minimum recommended**: Apple + Windows OV = ~$300-600/year
## Resources
- [Tauri Code Signing Guide](https://tauri.app/guides/building/code-signing/)
- [Apple Developer Documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution)
- [Microsoft Authenticode](https://docs.microsoft.com/en-us/windows/win32/seccrypto/authenticode)
Reference in a new issue View git blame Copy permalink