Sign Windows releases with MrTrust certificate

2026-05-16 01:15:02 +02:00
parent 312dee9f24
commit e66aa3d128
8 changed files with 82 additions and 14 deletions
--- a/apps/app/scripts/sign-windows-artifact.sh
+++ b/apps/app/scripts/sign-windows-artifact.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+artifact_path="${1:-}"
+if [ -z "${artifact_path}" ]; then
+	echo "No artifact path was provided for signing." >&2
+	exit 1
+fi
+
+if [ -z "${JSIGN_JAR:-}" ] || [ ! -f "${JSIGN_JAR}" ]; then
+	echo "JSIGN_JAR must point to the downloaded jsign jar." >&2
+	exit 1
+fi
+
+if [ -z "${MRTRUST_PFX_PATH:-}" ] || [ ! -f "${MRTRUST_PFX_PATH}" ]; then
+	echo "MRTRUST_PFX_PATH must point to the MrTrust code-signing PFX." >&2
+	exit 1
+fi
+
+if [ -z "${MRTRUST_PFX_PASSWORD:-}" ]; then
+	echo "MRTRUST_PFX_PASSWORD must be set." >&2
+	exit 1
+fi
+
+java -jar "${JSIGN_JAR}" sign \
+	--verbose \
+	--storetype PKCS12 \
+	--keystore "${MRTRUST_PFX_PATH}" \
+	--storepass env:MRTRUST_PFX_PASSWORD \
+	--tsaurl "https://timestamp.sectigo.com,http://timestamp.digicert.com" \
+	"${artifact_path}"
--- a/apps/app/tauri-release.conf.json
+++ b/apps/app/tauri-release.conf.json
@@ -3,18 +3,9 @@
 		"createUpdaterArtifacts": "v1Compatible",
 		"windows": {
 			"signCommand": {
-				"cmd": "jsign",
+				"cmd": "bash",
 				"args": [
-					"sign",
-					"--verbose",
-					"--storetype",
-					"DIGICERTONE",
-					"--keystore",
-					"https://clientauth.one.digicert.com",
-					"--storepass",
-					"env:DIGICERT_ONE_SIGNER_CREDENTIALS",
-					"--tsaurl",
-					"https://timestamp.sectigo.com,http://timestamp.digicert.com",
+					"scripts/sign-windows-artifact.sh",
 					"%1"
 				]
 			}