huanld/openscreen
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases 2 Wiki Activity
Files
69804c41c7d279136a4c78d05d80ce5c2cb758a4
openscreen/docs/engineering/windows-private-trust-signing.md
T
huanld 69804c41c7 Release OpenScreen 1.4.1
2026-05-28 08:52:11 +07:00

85 lines
2.5 KiB
Markdown
Raw Blame History

# Windows Private Trust Signing
OpenScreen supports Microsoft Trusted Signing private trust profiles for Windows
builds. Secrets and signing resource names are read from environment variables;
no certificate, client secret, or API key should be committed.
For a local signing machine, copy `.env.signing.example` to
`.env.signing.local` and fill in values there. `.env.signing.local` is ignored
by Git. Explicit shell environment variables override values in that local file.
## Required Azure Resource Variables
Set these values for the Trusted Signing account and certificate profile:
```powershell
$env:AZURE_TRUSTED_SIGNING_ENDPOINT = "https://<region>.codesigning.azure.net/"
$env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME = "<trusted-signing-account-name>"
$env:AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME = "<private-trust-profile-name>"
$env:AZURE_TRUSTED_SIGNING_PUBLISHER_NAME = "<certificate-common-name>"
```
`AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME` must point to a certificate
profile created with the `PrivateTrust` profile type.
## Required Azure Auth Variables
Electron Builder uses Azure environment credentials. Set the tenant and client:
```powershell
$env:AZURE_TENANT_ID = "<tenant-id>"
$env:AZURE_CLIENT_ID = "<app-registration-client-id>"
```
Then set one authentication mode. Service principal secret is the simplest for
local signing:
```powershell
$env:AZURE_CLIENT_SECRET = "<client-secret>"
```
Certificate auth is also supported:
```powershell
$env:AZURE_CLIENT_CERTIFICATE_PATH = "C:\secure\signing-auth.pfx"
$env:AZURE_CLIENT_CERTIFICATE_PASSWORD = "<pfx-password>"
```
## Sign Existing Installer
This signs the installer already built at
`release/<version>/Openscreen Setup <version>.exe`:
```powershell
npm run sign:win:private-trust
```
To sign a specific file:
```powershell
npm run sign:win:private-trust -- --file "D:\Code\OpenScreen\release\1.4.0\Openscreen Setup 1.4.0.exe"
```
## Build And Sign
This signs the packaged app executable, bundled OCR service executable, and NSIS
installer during the Windows build:
```powershell
npm run build:win:private-trust
```
The regular `npm run build:win` remains unsigned for local development builds.
## Verification
After signing:
```powershell
Get-AuthenticodeSignature "release\1.4.0\Openscreen Setup 1.4.0.exe" | Format-List
```
Private trust signatures are valid only on machines that trust the private trust
certificate chain/publisher. For public downloads that must be trusted on any
Windows machine, use a public trust certificate profile instead.
Reference in New Issue View Git Blame Copy Permalink