Agent skill
signing-tauri-apps
Guides the user through Tauri application code signing and notarization for Android, iOS, Linux, macOS, and Windows platforms including certificate setup and configuration.
Install this agent skill to your Project
npx add-skill https://github.com/dchuk/claude-code-tauri-skills/tree/main/tauri/tauri-code-signing
SKILL.md
Tauri Code Signing Skill
This skill provides comprehensive guidance for code signing Tauri applications across all supported platforms.
Platform Overview
| Platform | Requirement | Certificate Type |
|---|---|---|
| Android | Required for Play Store | Java Keystore (JKS) |
| iOS | Required for distribution | Apple Developer Certificate |
| Linux | Optional (enhances trust) | GPG Key |
| macOS | Required for distribution | Developer ID / Apple Distribution |
| Windows | Required (SmartScreen) | OV or EV Certificate |
Android Signing
Generate Keystore
macOS/Linux:
keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload
Windows:
keytool -genkey -v -keystore $env:USERPROFILE\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
Configuration File
Create src-tauri/gen/android/keystore.properties:
password=<your-password>
keyAlias=upload
storeFile=/path/to/upload-keystore.jks
IMPORTANT: Never commit keystore.properties to version control.
Gradle Configuration
Modify src-tauri/gen/android/app/build.gradle.kts:
import java.io.FileInputStream
// Add before android { } block
val keystorePropertiesFile = rootProject.file("keystore.properties")
val keystoreProperties = java.util.Properties()
if (keystorePropertiesFile.exists()) {
keystoreProperties.load(FileInputStream(keystorePropertiesFile))
}
android {
// ... existing config ...
signingConfigs {
create("release") {
keyAlias = keystoreProperties["keyAlias"] as String
keyPassword = keystoreProperties["password"] as String
storeFile = file(keystoreProperties["storeFile"] as String)
storePassword = keystoreProperties["password"] as String
}
}
buildTypes {
release {
signingConfig = signingConfigs.getByName("release")
// ... other release config ...
}
}
}
CI/CD Environment Variables
| Variable | Description |
|---|---|
ANDROID_KEY_ALIAS |
Key alias (e.g., upload) |
ANDROID_KEY_PASSWORD |
Keystore password |
ANDROID_KEY_BASE64 |
Base64-encoded keystore file |
GitHub Actions Example:
- name: Setup Android signing
run: |
cd src-tauri/gen/android
echo "keyAlias=${{ secrets.ANDROID_KEY_ALIAS }}" > keystore.properties
echo "password=${{ secrets.ANDROID_KEY_PASSWORD }}" >> keystore.properties
base64 -d <<< "${{ secrets.ANDROID_KEY_BASE64 }}" > $RUNNER_TEMP/keystore.jks
echo "storeFile=$RUNNER_TEMP/keystore.jks" >> keystore.properties
iOS Signing
Prerequisites
- Apple Developer Program enrollment ($99/year)
- Bundle identifier registered in App Store Connect
- iOS code signing certificate
- Mobile provisioning profile
Automatic Signing (Recommended)
For local development, authenticate through Xcode Settings > Accounts.
For CI/CD, create an App Store Connect API key and set:
| Variable | Description |
|---|---|
APPLE_API_ISSUER |
Issuer ID from App Store Connect |
APPLE_API_KEY |
Key ID from App Store Connect |
APPLE_API_KEY_PATH |
Path to the .p8 private key file |
Manual Signing
| Variable | Description |
|---|---|
IOS_CERTIFICATE |
Base64-encoded .p12 certificate |
IOS_CERTIFICATE_PASSWORD |
Password used when exporting certificate |
IOS_MOBILE_PROVISION |
Base64-encoded provisioning profile |
Certificate Types by Distribution Method
| Distribution | Certificate Type |
|---|---|
| Debugging | Apple Development or iOS App Development |
| App Store | Apple Distribution or iOS Distribution |
| Ad Hoc | Apple Distribution or iOS Distribution |
Export Certificate
- Open Keychain Access
- Find your certificate
- Right-click the private key
- Select "Export" and save as
.p12 - Convert to base64:
base64 -i certificate.p12
Create Provisioning Profile
- Register App ID with matching bundle identifier
- Create provisioning profile for your distribution method
- Link certificate to profile
- Download and convert:
base64 -i profile.mobileprovision
Linux Signing (AppImage)
Generate GPG Key
gpg2 --full-gen-key
Back up the key securely.
Environment Variables
| Variable | Description |
|---|---|
SIGN |
Set to 1 to enable signing |
SIGN_KEY |
GPG Key ID (optional, uses default if not set) |
APPIMAGETOOL_SIGN_PASSPHRASE |
Key password (required for CI/CD) |
APPIMAGETOOL_FORCE_SIGN |
Set to 1 to fail build on signing error |
Build with Signing
SIGN=1 APPIMAGETOOL_SIGN_PASSPHRASE="your-passphrase" npm run tauri build
View Embedded Signature
./src-tauri/target/release/bundle/appimage/app_version_amd64.AppImage --appimage-signature
Validate Signature
Download the validate tool from AppImageUpdate releases:
chmod +x validate-x86_64.AppImage
./validate-x86_64.AppImage your-app.AppImage
Note: AppImage does not auto-validate signatures. Users must manually verify.
macOS Signing and Notarization
Prerequisites
- Apple Developer Program enrollment ($99/year)
- Mac computer for code signing
- Free accounts cannot notarize applications
Certificate Types
| Certificate | Use Case |
|---|---|
| Apple Distribution | App Store submissions |
| Developer ID Application | Distribution outside App Store |
Create Certificate
- Generate Certificate Signing Request (CSR) from Keychain Access
- Upload CSR at Apple Developer > Certificates, IDs & Profiles
- Download and double-click
.certo install
Configuration
tauri.conf.json:
{
"bundle": {
"macOS": {
"signingIdentity": "Developer ID Application: Your Name (TEAM_ID)"
}
}
}
Environment Variables for CI/CD
Certificate Variables:
| Variable | Description |
|---|---|
APPLE_CERTIFICATE |
Base64-encoded .p12 certificate |
APPLE_CERTIFICATE_PASSWORD |
Password for exported certificate |
APPLE_SIGNING_IDENTITY |
Certificate name in keychain |
Notarization - Option 1: App Store Connect API (Recommended):
| Variable | Description |
|---|---|
APPLE_API_ISSUER |
Issuer ID |
APPLE_API_KEY |
Key ID |
APPLE_API_KEY_PATH |
Path to .p8 private key |
Notarization - Option 2: Apple ID:
| Variable | Description |
|---|---|
APPLE_ID |
Apple ID email |
APPLE_PASSWORD |
App-specific password |
APPLE_TEAM_ID |
Team identifier |
Export Certificate for CI/CD
# Export from Keychain as .p12, then:
base64 -i certificate.p12 | pbcopy
Ad-Hoc Signing (Testing Only)
For unsigned distribution or testing without Apple credentials:
{
"bundle": {
"macOS": {
"signingIdentity": "-"
}
}
}
GitHub Actions Example
- name: Import certificate
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p actions temp.keychain
security import certificate.p12 -k temp.keychain -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign
security list-keychains -s temp.keychain
security unlock-keychain -p actions temp.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k actions temp.keychain
Windows Signing
Certificate Types
| Type | SmartScreen | Availability |
|---|---|---|
| OV (Organization Validated) | Builds reputation over time | Before June 1, 2023 |
| EV (Extended Validation) | Immediate trust | Required after June 1, 2023 |
Note: Certificates obtained after June 1, 2023 require EV certificates for immediate SmartScreen trust.
Configuration
tauri.conf.json:
{
"bundle": {
"windows": {
"certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
"digestAlgorithm": "sha256",
"timestampUrl": "http://timestamp.sectigo.com"
}
}
}
Find Certificate Thumbprint
- Open certificate details
- Go to Details tab
- Find "Thumbprint" field
- Copy the hex string (remove spaces)
Common Timestamp URLs
http://timestamp.sectigo.comhttp://timestamp.digicert.comhttp://timestamp.globalsign.com
Convert Certificate to PFX
openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx
Environment Variables for CI/CD
| Variable | Description |
|---|---|
WINDOWS_CERTIFICATE |
Base64-encoded .pfx file |
WINDOWS_CERTIFICATE_PASSWORD |
PFX export password |
GitHub Actions Example
- name: Import Windows certificate
env:
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
run: |
echo "$WINDOWS_CERTIFICATE" | base64 --decode > certificate.pfx
Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force)
shell: pwsh
Azure Key Vault Signing
For cloud-based signing with Azure Key Vault:
| Variable | Description |
|---|---|
AZURE_CLIENT_ID |
Azure AD application client ID |
AZURE_CLIENT_SECRET |
Azure AD application secret |
AZURE_TENANT_ID |
Azure AD tenant ID |
Configure in tauri.conf.json:
{
"bundle": {
"windows": {
"signCommand": "relic sign --key azurekeyvault --file %1"
}
}
}
Azure Trusted Signing
For Azure Code Signing service:
{
"bundle": {
"windows": {
"signCommand": "trusted-signing-cli -e <endpoint> -a <account> -c <profile> %1"
}
}
}
Custom Sign Command
For other signing tools or cross-platform builds:
{
"bundle": {
"windows": {
"signCommand": "your-signing-tool --sign %1"
}
}
}
The %1 placeholder is replaced with the executable path.
Quick Reference: All Environment Variables
Android
ANDROID_KEY_ALIASANDROID_KEY_PASSWORDANDROID_KEY_BASE64
iOS (Manual)
IOS_CERTIFICATEIOS_CERTIFICATE_PASSWORDIOS_MOBILE_PROVISION
iOS/macOS (API Key)
APPLE_API_ISSUERAPPLE_API_KEYAPPLE_API_KEY_PATH
macOS (Certificate)
APPLE_CERTIFICATEAPPLE_CERTIFICATE_PASSWORDAPPLE_SIGNING_IDENTITY
macOS (Apple ID Notarization)
APPLE_IDAPPLE_PASSWORDAPPLE_TEAM_ID
Linux
SIGNSIGN_KEYAPPIMAGETOOL_SIGN_PASSPHRASEAPPIMAGETOOL_FORCE_SIGN
Windows
WINDOWS_CERTIFICATEWINDOWS_CERTIFICATE_PASSWORD
Azure (Windows)
AZURE_CLIENT_IDAZURE_CLIENT_SECRETAZURE_TENANT_ID
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
understanding-tauri-ipc
Teaches the assistant about Tauri IPC (Inter-Process Communication) patterns including brownfield and isolation approaches for secure message passing between frontend and Rust backend.
testing-tauri-apps
Guides developers through testing Tauri applications including unit testing with mock runtime, mocking Tauri APIs, WebDriver end-to-end testing with Selenium and WebdriverIO, and CI integration with GitHub Actions.
migrating-tauri-apps
Assists users with migrating Tauri applications from v1 to v2 stable, and from v2 beta to v2 stable, covering breaking changes, configuration updates, API migrations, and plugin system changes.
developing-tauri-plugins
Guides the user through Tauri plugin development, including creating plugin extensions, configuring permissions, and building mobile plugins for iOS and Android platforms.
managing-tauri-plugin-permissions
Guides users through configuring Tauri plugin permissions, capabilities, and security. Covers platform-specific capabilities, window-targeted permissions, using official and community plugin permissions, and writing custom plugin permissions with scopes.
optimizing-tauri-binary-size
Guides users through Tauri binary size optimization techniques to produce small, efficient desktop application bundles using Cargo profile settings and build configurations.
Didn't find tool you were looking for?