CodeSign using Relic for Windows Executable in Azure DevOps

[dennypradipta]

Hello, I've set up relic.conf:

tokens:
  azure:
    type: azure

keys:
  azure:
    token: azure
    id: https://redacted.vault.azure.net/certificates/redacted

I use Azure DevOps, here's how I sign my executables

          # Install Relic for Windows code signing
          - bash: |
              curl -o relic.exe https://github.com/sassoftware/relic/releases/download/v8.2.0/relic-client-windows-amd64.exe
              chmod +x relic.exe
              # Convert Unix path to Windows path for compatibility
              RELIC_UNIX_PATH="$(pwd)/relic.exe"
              RELIC_WIN_PATH=$(cygpath -w "$RELIC_UNIX_PATH" 2>/dev/null || echo "$RELIC_UNIX_PATH")
              echo "##vso[task.setvariable variable=RELIC_PATH]$RELIC_WIN_PATH"
              echo "Relic Unix path: $RELIC_UNIX_PATH"
              echo "Relic Windows path: $RELIC_WIN_PATH"
            displayName: "Install Relic"
            condition: eq(variables['vmImage'], 'windows-latest')
            
          # Build with Tauri CLI (uses your package.json scripts/devDeps)
          - bash: |
              set -e
              export PATH="$(CARGO_HOME)/bin:$PATH"
              npm run tauri build -- $(buildArgs)
            env:
              CARGO_HOME: $(CARGO_HOME)
              RUSTUP_HOME: $(RUSTUP_HOME)
              TAURI_SIGNING_PRIVATE_KEY: $(TAURI_SIGNING_PRIVATE_KEY)
              TAURI_SIGNING_PRIVATE_KEY_PASSWORD: $(TAURI_SIGNING_PRIVATE_KEY_PASSWORD)
              APPLE_ID: $(APPLE_ID)
              APPLE_PASSWORD: $(APPLE_PASSWORD)
              APPLE_TEAM_ID: $(APPLE_TEAM_ID)
            displayName: "Build Tauri app"
            
          # Sign Windows binaries with Relic
          - bash: |
              set -e
              cd src-tauri

              echo "RELIC_PATH: $RELIC_PATH"
              echo "Working directory: $(pwd)"

              # Find all signable artifacts produced by Tauri
              # Note: Using separate find commands and combining results
              FILES=()

              # Find .msi files
              while IFS= read -r -d '' file; do
                FILES+=("$file")
              done < <(find target/release/bundle/msi -name '*.msi' -print0 2>/dev/null || true)

              # Find NSIS setup.exe files
              while IFS= read -r -d '' file; do
                FILES+=("$file")
              done < <(find target/release/bundle/nsis -name '*-setup.exe' -print0 2>/dev/null || true)

              if [ ${#FILES[@]} -eq 0 ]; then
                echo "##[error]No signable installer files found"
                exit 1
              fi

              echo "Found ${#FILES[@]} file(s) to sign:"
              printf '%s\n' "${FILES[@]}"

              # Sign each file with Relic
              for file in "${FILES[@]}"; do
                echo ""
                echo "Signing: $file"
                "$RELIC_PATH" sign --file "$file" --key azure --config relic.conf
                echo "✓ Successfully signed: $file"
              done

              echo ""
              echo "All files signed successfully"
            displayName: "Sign Windows binaries with Relic"
            condition: eq(variables['vmImage'], 'windows-latest')
            env:
              RELIC_PATH: $(RELIC_PATH)
              AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
              AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
              AZURE_TENANT_ID: $(AZURE_TENANT_ID)

In the logs I got:

RELIC_PATH: D:\a\1\s\relic.exe
Working directory: /d/a/1/s/src-tauri
Found 2 file(s) to sign:
target/release/bundle/msi/Redacted_0.9.7_x64_en-US.msi
target/release/bundle/nsis/Redacted_0.9.7_x64-setup.exe
 
Signing: target/release/bundle/msi/Redacted_0.9.7_x64_en-US.msi
✓ Successfully signed: target/release/bundle/msi/Redacted_0.9.7_x64_en-US.msi
 
Signing: target/release/bundle/nsis/Redacted_0.9.7_x64-setup.exe
✓ Successfully signed: target/release/bundle/nsis/Redacted_0.9.7_x64-setup.exe
 
All files signed successfully

I've tried to set up this using the steps from documentation:

{
  "bundle": {
    "windows": {
      "signCommand": "relic sign --file %1 --key azure --config relic.conf"
    }
  }
}

It keeps saying that I haven't installed Relic, which I already did in the "Install Relic" step.

My question is:

1. Am I doing it right? Currently the target/release/bundle/nsis/Redacted_0.9.7_x64-setup.exe is signed. But how do I check whether if it's signed or not?
2. If not, how can I fix the Azure Pipelines?

[FabianLars]

But how do I check whether if it's signed or not?

right click on the exe -> Properties should have a certificates/signatures tab (idk what it's in english).

Am I doing it right?

Hmm, your approach only signs the installer, not the app exe inside, so ideally you can make signCommand work instead.

If not, how can I fix the Azure Pipelines?

Either saving relic in a location that's in $PATH, or adding it to $PATH yourself, or injecting $RELIC_PATH into signCommand via tauri's --config flag should all work.