This document explains how to set up code signing for DB Hive across different platforms.
AppImage packages can be signed using GPG to allow users to verify the authenticity of the downloaded file.
Install GPG if not already installed:

```bash
# Ubuntu/Debian
sudo apt install gnupg

# Fedora
sudo dnf install gnupg
```

Generate a new GPG key for signing:

```bash
gpg --full-gen-key
```

Follow the prompts:
- Choose RSA and RSA (default)
- Key size: 4096 bits (recommended for signing)
- Expiration: Choose based on your needs (e.g., 2 years)
- Real name: DB Hive Release (or your organization name)
- Email: Use your official email
- Comment: Code Signing Key (optional)
List your secret keys to find the key ID:

```bash
gpg --list-secret-keys --keyid-format LONG
```

Output example:

```
/home/user/.gnupg/pubring.kbx
------------------------------------
sec   rsa4096/ABCD1234EFGH5678 2025-11-19 [SC]
      1234567890ABCDEF1234567890ABCDEF12345678
uid           [ultimate] DB Hive Release <release@example.com>
ssb   rsa4096/WXYZ9876STUV4321 2025-11-19 [E]
```

The key ID is `ABCD1234EFGH5678` (the part after `rsa4096/`).
Export the public key for distribution:

```bash
gpg --armor --export ABCD1234EFGH5678 > db-hive-public-key.asc
```

Important: Publish this public key on your website, GitHub releases, or a keyserver so users can verify signatures.
To sign the AppImage during local builds:

```bash
# Set environment variables
export SIGN=1
export SIGN_KEY=ABCD1234EFGH5678
export APPIMAGETOOL_SIGN_PASSPHRASE="your-gpg-passphrase"
export APPIMAGETOOL_FORCE_SIGN=1   # Exit on signing errors

# Build with signing
npm run tauri build
```

Users can verify the signature using the AppImage validate tool:

- Download the validate tool:

  ```bash
  wget https://github.com/AppImageCommunity/AppImageUpdate/releases/download/continuous/validate-x86_64.AppImage
  chmod +x validate-x86_64.AppImage
  ```

- Import your public key:

  ```bash
  gpg --import db-hive-public-key.asc
  ```

- Validate the AppImage:

  ```bash
  ./validate-x86_64.AppImage db-hive_0.1.0_amd64.AppImage
  ```

Expected output:

```
Validation result: validation successful
Signatures found with key fingerprints: ABCD1234EFGH5678
```
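A successful result from the validate tool only tells you that the signature verifies against some key the tool could find; a script that gates a download or an update should also check that the reported fingerprint belongs to the expected DB Hive release key. The following POSIX shell helper is an added example (not part of the DB Hive project): it parses the validate tool output shown above, and the key ID it expects is the placeholder from this guide.

```shell
#!/bin/sh
# Added example: accept an AppImage only when the validate tool reports success
# AND the signing key is the expected DB Hive release key.

# Long key ID of the release key (placeholder value from this guide).
EXPECTED_KEY_ID="ABCD1234EFGH5678"

# check_validate_output OUTPUT EXPECTED_KEY_ID
# Returns 0 only if OUTPUT reports "validation successful" and one of the
# listed fingerprints ends with EXPECTED_KEY_ID; prints the reason otherwise.
check_validate_output() {
    out="$1"
    expected="$2"
    if ! printf '%s\n' "$out" | grep -q '^Validation result: validation successful'; then
        echo "REJECT: signature validation failed or output not recognised" >&2
        return 1
    fi
    # Everything after the "Signatures found with key fingerprints:" prefix.
    fps=$(printf '%s\n' "$out" | sed -n 's/^Signatures found with key fingerprints: *//p')
    for fp in $fps; do
        # A full 40-hex fingerprint ends with the 16-hex long key ID, so a
        # suffix match covers both the short and the full form.
        case "$fp" in
            *"$expected") return 0 ;;
        esac
    done
    echo "REJECT: valid signature, but not from key $expected (got: $fps)" >&2
    return 1
}

# verify_appimage FILE: run the validate tool (assumed to sit in the current
# directory, as in the guide) and gate on the expected key.
verify_appimage() {
    out=$(./validate-x86_64.AppImage "$1" 2>&1) || {
        echo "REJECT: validate tool exited with an error" >&2
        return 1
    }
    check_validate_output "$out" "$EXPECTED_KEY_ID"
}
```

Run `verify_appimage db-hive_0.1.0_amd64.AppImage` after importing the public key; a signature from any other key, even a valid one, is rejected.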
To sign AppImages in GitHub Actions:

- Export your private key:

  ```bash
  gpg --armor --export-secret-keys ABCD1234EFGH5678 > private-key.asc
  ```

- Add to GitHub Secrets:
  - Go to repository Settings → Secrets and variables → Actions
  - Add secrets:
    - `GPG_PRIVATE_KEY`: Content of `private-key.asc`
    - `GPG_PASSPHRASE`: Your GPG key passphrase
    - `GPG_KEY_ID`: Your key ID (e.g., `ABCD1234EFGH5678`)

- Update the workflow (already configured in `.github/workflows/release.yml`):

  ```yaml
  - name: Import GPG key
    if: matrix.platform == 'ubuntu-22.04'
    run: |
      echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import

  - name: Build and release Tauri app
    uses: tauri-apps/tauri-action@v0
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      SIGN: 1
      SIGN_KEY: ${{ secrets.GPG_KEY_ID }}
      APPIMAGETOOL_SIGN_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      APPIMAGETOOL_FORCE_SIGN: 1
  ```

Security Note: Delete `private-key.asc` after adding it to GitHub Secrets!
macOS code signing requires an Apple Developer account and certificates.
- Join Apple Developer Program ($99/year)
- Create Developer ID Certificate in Xcode or developer portal
- Set up in Xcode:
  - Xcode → Settings → Accounts
  - Add your Apple ID
  - Download certificates

See official Tauri documentation:

You'll need to:

- Export your certificate and private key as `.p12`
- Add to GitHub Secrets:
  - `APPLE_CERTIFICATE`: Base64-encoded `.p12` file
  - `APPLE_CERTIFICATE_PASSWORD`: Certificate password
  - `APPLE_ID`: Your Apple ID email
  - `APPLE_PASSWORD`: App-specific password
  - `APPLE_TEAM_ID`: Your team ID
Windows code signing requires a code signing certificate from a trusted Certificate Authority.
- Extended Validation (EV) Certificate (Recommended)
  - No SmartScreen warnings for new apps
  - USB token required
  - Cost: ~$300-$500/year
- Standard Code Signing Certificate
  - May trigger SmartScreen initially
  - Builds reputation over time
  - Cost: ~$100-$200/year

Certificate authorities that issue code signing certificates:

- DigiCert
- Sectigo (formerly Comodo)
- SSL.com

See official Tauri documentation:

You'll need to add GitHub Secrets:

- `WINDOWS_CERTIFICATE`: Base64-encoded certificate
- `WINDOWS_CERTIFICATE_PASSWORD`: Certificate password
- Never commit private keys to version control
- Use strong passphrases for all keys
- Rotate keys periodically (every 1-2 years)
- Back up keys securely (encrypted external drive, password manager)
- Publish public keys on authenticated channels (HTTPS website, verified GitHub)
| Platform | Signing Method | Cost | Required For |
|---|---|---|---|
| Linux | GPG | Free | User trust (optional) |
| macOS | Apple Dev ID | $99/year | Notarization, Gatekeeper |
| Windows | Code Cert | $100-$500/year | SmartScreen trust |
- Linux: AppImage signed with GPG
- macOS: App signed and notarized with Developer ID
- Windows: Installer signed with code signing certificate
- Public keys/certificates published
- Release notes include verification instructions
- SHA256 checksums generated for all artifacts