athasdev · Finesssee · Mar 10, 2026 · Mar 12, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -134,6 +134,62 @@ jobs:
           # Verify certificate is available
           security find-identity -v -p codesigning
 
+      - name: Import Windows Certificate (Windows only)
+        if: matrix.os == 'windows'
+        shell: pwsh
+        env:
+          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+          WINDOWS_TIMESTAMP_URL: ${{ secrets.WINDOWS_TIMESTAMP_URL }}
+          WINDOWS_TIMESTAMP_USE_TSP: ${{ secrets.WINDOWS_TIMESTAMP_USE_TSP }}
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE)) {
+            throw "Missing WINDOWS_CERTIFICATE secret."
+          }
+
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE_PASSWORD)) {
+            throw "Missing WINDOWS_CERTIFICATE_PASSWORD secret."
+          }
+
+          New-Item -ItemType Directory -Force -Path certificate | Out-Null
+          Set-Content -Path certificate/tempCert.txt -Value $env:WINDOWS_CERTIFICATE
+          certutil -decode certificate/tempCert.txt certificate/certificate.pfx
+
+          $securePassword = ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -AsPlainText -Force
+          $importedCertificates = Import-PfxCertificate `
+            -FilePath certificate/certificate.pfx `
+            -CertStoreLocation Cert:\CurrentUser\My `
+            -Password $securePassword
+
+          $signingCertificate = $importedCertificates |
+            Where-Object { $_.HasPrivateKey } |
+            Select-Object -First 1
+
+          if (-not $signingCertificate) {
+            throw "Failed to import a Windows signing certificate with a private key."
+          }
+
+          "WINDOWS_CERTIFICATE_THUMBPRINT=$($signingCertificate.Thumbprint)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          "WINDOWS_DIGEST_ALGORITHM=sha256" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_TIMESTAMP_URL)) {
+            "WINDOWS_TIMESTAMP_URL=http://time.certum.pl/" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          } else {
+            "WINDOWS_TIMESTAMP_URL=$($env:WINDOWS_TIMESTAMP_URL)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          }
+
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_TIMESTAMP_USE_TSP)) {
+            "WINDOWS_TIMESTAMP_USE_TSP=false" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          } else {
+            "WINDOWS_TIMESTAMP_USE_TSP=$($env:WINDOWS_TIMESTAMP_USE_TSP)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          }
+
+          Remove-Item -Recurse -Force certificate
+
+      - name: Prepare Tauri Windows signing (Windows only)
+        if: matrix.os == 'windows'
+        run: node scripts/windows/prepare-tauri-signing.mjs
+
       - uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/docs/contributing.mdx b/docs/contributing.mdx
@@ -129,6 +129,13 @@ The release workflow automatically:
 - Creates GitHub release
 - Uploads installers and binaries
 
+For signed Windows releases, add these GitHub Actions secrets before tagging a release:
+
+- `WINDOWS_CERTIFICATE`: Base64-encoded `.pfx` certificate bundle
+- `WINDOWS_CERTIFICATE_PASSWORD`: Password for the `.pfx` bundle
+- `WINDOWS_TIMESTAMP_URL`: Optional override for the timestamp server
+- `WINDOWS_TIMESTAMP_USE_TSP`: Optional `true` or `false` for RFC 3161 / TSP timestamps
+
 ### Versioning
 
 We use semantic versioning: `MAJOR.MINOR.PATCH`.

diff --git a/scripts/windows/prepare-tauri-signing.mjs b/scripts/windows/prepare-tauri-signing.mjs
@@ -0,0 +1,28 @@
+import { readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const tauriConfigPath = resolve(process.cwd(), "src-tauri/tauri.conf.json");
+
+const certificateThumbprint = process.env.WINDOWS_CERTIFICATE_THUMBPRINT?.trim();
+const timestampUrl = process.env.WINDOWS_TIMESTAMP_URL?.trim() || "http://time.certum.pl/";
+const digestAlgorithm = process.env.WINDOWS_DIGEST_ALGORITHM?.trim() || "sha256";
+const useTsp = process.env.WINDOWS_TIMESTAMP_USE_TSP?.trim().toLowerCase() === "true";
+
+if (!certificateThumbprint) {
+  throw new Error("WINDOWS_CERTIFICATE_THUMBPRINT is required to prepare Tauri Windows signing.");
+}
+
+const tauriConfig = JSON.parse(readFileSync(tauriConfigPath, "utf8"));
+tauriConfig.bundle ??= {};
+tauriConfig.bundle.windows ??= {};
+tauriConfig.bundle.windows.certificateThumbprint = certificateThumbprint;
+tauriConfig.bundle.windows.digestAlgorithm = digestAlgorithm;
+tauriConfig.bundle.windows.timestampUrl = timestampUrl;
+tauriConfig.bundle.windows.tsp = useTsp;
+
+writeFileSync(tauriConfigPath, `${JSON.stringify(tauriConfig, null, 2)}\n`);
+
+const maskedThumbprint = `${certificateThumbprint.slice(0, 8)}...${certificateThumbprint.slice(-6)}`;
+console.log(`Prepared Windows signing for thumbprint ${maskedThumbprint}`);
+console.log(`Timestamp URL: ${timestampUrl}`);
+console.log(`TSP enabled: ${useTsp}`);