Add Windows release signing workflow (#569)

Finesssee · mehmetozguldev · web-flow · commit 3a25af47a4f2 · 2026-04-06T18:35:59.000+03:00
* Add Windows release signing workflow

* Fix Windows signing workflow and remove docs file

Skip signing gracefully when certificate secrets are not configured
instead of failing the entire release. Add certutil exit code check
to catch malformed base64 certificates early. Remove unsupported tsp
field from Tauri config injection. Remove docs/contributing.mdx since
documentation now lives in the www repository.

---------

Co-authored-by: Mehmet Özgül &lt;mehmetozguldev@gmail.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -198,6 +198,57 @@ jobs:
             fi
           done < <(find src/extensions/bundled -type f -perm -111 -print0)
 
+      - name: Import Windows Certificate (Windows only)
+        if: matrix.os == 'windows'
+        shell: pwsh
+        env:
+          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+          WINDOWS_TIMESTAMP_URL: ${{ secrets.WINDOWS_TIMESTAMP_URL }}
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE) -or
+              [string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE_PASSWORD)) {
+            Write-Host "Windows signing secrets not configured, skipping code signing."
+            "WINDOWS_SIGNING_SKIP=true" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+            exit 0
+          }
+
+          New-Item -ItemType Directory -Force -Path certificate | Out-Null
+          Set-Content -Path certificate/tempCert.txt -Value $env:WINDOWS_CERTIFICATE
+          certutil -decode certificate/tempCert.txt certificate/certificate.pfx
+          if ($LASTEXITCODE -ne 0) {
+            throw "Failed to decode Windows certificate from base64."
+          }
+
+          $securePassword = ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
+          $importedCertificates = Import-PfxCertificate `
+            -FilePath certificate/certificate.pfx `
+            -CertStoreLocation Cert:\CurrentUser\My `
+            -Password $securePassword
+
+          $signingCertificate = $importedCertificates |
+            Where-Object { $_.HasPrivateKey } |
+            Select-Object -First 1
+
+          if (-not $signingCertificate) {
+            throw "Failed to import a Windows signing certificate with a private key."
+          }
+
+          "WINDOWS_CERTIFICATE_THUMBPRINT=$($signingCertificate.Thumbprint)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          "WINDOWS_DIGEST_ALGORITHM=sha256" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_TIMESTAMP_URL)) {
+            "WINDOWS_TIMESTAMP_URL=http://time.certum.pl/" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          } else {
+            "WINDOWS_TIMESTAMP_URL=$($env:WINDOWS_TIMESTAMP_URL)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          }
+
+          Remove-Item -Recurse -Force certificate
+
+      - name: Prepare Tauri Windows signing (Windows only)
+        if: matrix.os == 'windows' && env.WINDOWS_SIGNING_SKIP != 'true'
+        run: node scripts/windows/prepare-tauri-signing.mjs
+
       - uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/scripts/windows/prepare-tauri-signing.mjs b/scripts/windows/prepare-tauri-signing.mjs
@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const tauriConfigPath = resolve(process.cwd(), "src-tauri/tauri.conf.json");
+
+const certificateThumbprint = process.env.WINDOWS_CERTIFICATE_THUMBPRINT?.trim();
+const timestampUrl = process.env.WINDOWS_TIMESTAMP_URL?.trim() || "http://time.certum.pl/";
+const digestAlgorithm = process.env.WINDOWS_DIGEST_ALGORITHM?.trim() || "sha256";
+
+if (!certificateThumbprint) {
+  throw new Error("WINDOWS_CERTIFICATE_THUMBPRINT is required to prepare Tauri Windows signing.");
+}
+
+const tauriConfig = JSON.parse(readFileSync(tauriConfigPath, "utf8"));
+tauriConfig.bundle ??= {};
+tauriConfig.bundle.windows ??= {};
+tauriConfig.bundle.windows.certificateThumbprint = certificateThumbprint;
+tauriConfig.bundle.windows.digestAlgorithm = digestAlgorithm;
+tauriConfig.bundle.windows.timestampUrl = timestampUrl;
+
+writeFileSync(tauriConfigPath, `${JSON.stringify(tauriConfig, null, 2)}\n`);
+
+const maskedThumbprint = `${certificateThumbprint.slice(0, 8)}...${certificateThumbprint.slice(-6)}`;
+console.log(`Prepared Windows signing for thumbprint ${maskedThumbprint}`);
+console.log(`Timestamp URL: ${timestampUrl}`);
