2023 Code Signing with HSM APIs (Digicert KeyLocker) - PFX no longer possible

[hadastoroP]

Hello,
https://tauri.app/v1/guides/distribution/sign-windows/
describes how to configure tauri.conf.json
to have the windows artifact signed with a PFX.

However according to:
https://knowledge.digicert.com/general-information/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022

It is no longer possible to produce a pfx with a local generated private key, but instead there is a need to work with an HSM provider for example like Digicert's Keylocker.

Question is - does tauri support signing against the Digicert Keylocker Service?
And if not -
How is it possible to sign the Windows Application?

[FabianLars]

Tauri does not support it yet, therefore the warning at the top of the guide :)

Here's a pretty good guide for how to sign your app nonetheless https://merlingough.co.uk/posts/ev-sign-tauri-app/ - it's not perfect though since the inner executable is not signed, only the installer (still better than nothing).

Adding support for cloud signing is a bit tricky because everyone does their own thing. I will for sure add support for AzureSignTool but eSigner for example seems a bit hard (at least looking at their own GitHub action) so maybe we have to expose multiple tauri build commands so you can sign it manually inbetween (a config for a custom sign command may just not be enough).

Anyway, I'm still mostly collecting data about what devs use before implementation anything but since AzureSignTool is a given I guess we could go ahead and implement at least that already.

[hadastoroP]

Thanks.
So If I understand correctly - in the link you referenced the actual signing was done by the githubAction and has nothing to do with the Tauri application - it's an external thing that happened after the build of the application - correct?

If so - can I asusme this might work for signing my Tauri applicaition on a github action with DIGICERT as the certificate authority
and DiGicert Keylocker as the Cloud HSM provider ?
this being: https://docs.digicert.com/fr/digicert-keylocker/ci-cd-integrations/plugins/github-custom-action-for-keypair-signing.html

[FabianLars]

So If I understand correctly - in the link you referenced the actual signing was done by the githubAction and has nothing to do with the Tauri application - it's an external thing that happened after the build of the application - correct?

Yes.

If so - can I asusme this might work for signing my Tauri applicaition on a github action with DIGICERT as the certificate authority
and DiGicert Keylocker as the Cloud HSM provider ?

Yes, I don't see why not.

[mavrick]

currently trying to build a solution for DigiCert KeyLocker - would love a built-in solution someday 😅

[mavrick]

got the installers signed but as stated above, the inner exe is not signed. a custom config file for signtool for the inner exe would be most useful.