feat(core): add `fips_compliant` wix config option, closes #4541 (#4843)

.changes/fips-compliant-env-var.md

@@ -0,0 +1,6 @@
+---
+"cli.rs": patch
+"cli.js": patch
+---
+
+Enable WiX FIPS compliance when the `TAURI_FIPS_COMPLIANT` environment variable is set to `true`.

.changes/fips-compliant.md

@@ -0,0 +1,5 @@
+---
+"tauri-bundler": patch
+---
+
+Add `fips_compliant` configuration option for WiX.

tooling/bundler/src/bundle/settings.rs

@@ -237,6 +237,8 @@ pub struct WixSettings {
 
   /// The required dimensions are 493px × 312px.
   pub dialog_image_path: Option<PathBuf>,
+  /// Enables FIPS compliant algorithms.
+  pub fips_compliant: bool,
 }
 
 /// The Windows bundle settings.

tooling/bundler/src/bundle/windows/msi/wix.rs

@@ -305,7 +305,7 @@ fn run_candle(
     .find(|bin| bin.main())
     .ok_or_else(|| anyhow::anyhow!("Failed to get main binary"))?;
 
-  let args = vec![
+  let mut args = vec![
     "-arch".to_string(),
     arch.to_string(),
     wxs_file_path.to_string_lossy().to_string(),
@@ -315,6 +315,16 @@ fn run_candle(
     ),
   ];
 
+  if settings
+    .windows()
+    .wix
+    .as_ref()
+    .map(|w| w.fips_compliant)
+    .unwrap_or_default()
+  {
+    args.push("-fips".into());
+  }
+
   let candle_exe = wix_toolset_path.join("candle.exe");
 
   info!(action = "Running"; "candle for {:?}", wxs_file_path);

tooling/cli/src/helpers/config.rs

@@ -11,7 +11,7 @@ pub use tauri_utils::config::*;
 
 use std::{
   collections::HashMap,
-  env::set_var,
+  env::{set_var, var_os},
   ffi::OsStr,
   process::exit,
   sync::{Arc, Mutex},
@@ -92,6 +92,7 @@ pub fn wix_settings(config: WixConfig) -> tauri_bundler::WixSettings {
     enable_elevated_update_task: config.enable_elevated_update_task,
     banner_path: config.banner_path,
     dialog_image_path: config.dialog_image_path,
+    fips_compliant: var_os("TAURI_FIPS_COMPLIANT").map_or(false, |v| v == "true"),
   }
 }