tauri-workspace/docs/guides/bundler/sign-windows.md

---

title: Windows - Code signing guide locally & with Github Actions

sidebar_label: Windows - Code signing

import Alert from '@theme/Alert'

Intro

Code-signing will add a level of authenticity to your application, while it is not required it can often improve the user experience for your users.

Prerequisites

• Windows - you can likely use other platforms, but this tutorial is using Powershell native features.
• Code signing certificate - you can aqquire one of these on services such as Digicert.com, Comodo.com, & Godaddy.com. In this guide we are using Comodo.com
• A working tauri application

Getting Started

There are a few things we will have to do to get our windows installation prepared for code signing. This includes converting our certificate to a speific format, installing this certificate, & then decoding required information from certificate that is required by tauri.

A. Convert your .cer to .pfx

1. You will need the following:

   • certificate file (mine is cert.cer)
   • private key file (mine is private-key.key)

2. Open up a command prompt and change to your current directory using cd Documents/Certs

3. Convert your .cer to a .pfx using openssl pkcs12 -export -in cert.cer -inkey private-key.key -out certificate.pfx

4. You will be prompted to enter an export password DON'T FORGET IT!

B. Import your .pfx file into the keystore.

We will now need to import our .pfx file.

1. Assign your export password to a variable using $WINDOWS_PFX_PASSWORD = 'MYPASSWORD'

2. Now Import the certificate using Import-PfxCertificate -FilePath Certs/certificate.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String $env:WINDOWS_PFX_PASSWORD -Force -AsPlainText)

C. Prepare Variables

1. We will need the SHA-1 thumbprint of the certificate, you can get this using openssl pkcs12 -info -in certificate.pfx and look under for following

   Bag Attributes
   localKeyID: A1 B1 A2 B2 A3 B3 A4 B4 A5 B5 A6 B6 A7 B7 A8 B8 A9 B9 A0 B0
   

2. You will capture the localKeyID but with no spaces, in this example it would be A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0. This is our certificateThumbprint.

3. We will need the SHA digest algorythm used for your certificate (Hint: this is likely sha256

4. We will also need a timestamp url, this is a time server used to verify the time of the certificate signing. Im using http://timestamp.comodoca.com but whoever you got your certificate from likely has one aswell.

Prepare tauri.conf.json file

1. Now that we have our certificateThumbprint, digestAlgorithm, & timestampUrl we will open up the tauri.conf.json.

2. In the tauri.conf.json you will look for the tauri -> bundle -> windows section. You will see there are three variable for the information we have captured. Fill it out like below.

   "windows": {
       "certificateThumbprint": "A1B1A2B2A3B3A4B4A5B5A6B6A7B7A8B8A9B9A0B0",
       "digestAlgorithm": "sha256",
       "timestampUrl": "http://timestamp.comodoca.com"
   }
   

3. Save, and run yarn | yarn build

4. In the console output you will see the following output.

   info: signing app
   info: running signtool "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.19041.0\\x64\\signtool.exe"
   info: "Done Adding Additional Store\r\nSuccessfully signed: APPLICATION FILE PATH HERE
   

which shows you have successfully signed the .exe.

And thats it! You have successfully signed your .exe file.