Tauri 2.x Desktop App Distribution — Code Signing, Auto-Updates, and Notarization for macOS/Windows

Date: 2026-03-19 Author: Deep Research Agent Tags: tauri, code-signing, notarization, auto-updates, distribution, desktop Products: Argus, Remindr Priority: High — directly supports Argus (GTM #1) and Remindr launch readiness

---

Executive Summary

Distributing Tauri 2.x desktop apps on macOS and Windows requires code signing, platform-specific notarization, and an auto-update mechanism. This report covers the full distribution pipeline: certificate acquisition, CI/CD signing workflows, installer formats, auto-update strategies, and distribution channels. Total annual cost for a solo developer: ~$229/year (Apple $99 + Azure Trusted Signing $120).

---

1. macOS Distribution

1.1 Code Signing Requirements

Apple requires all apps distributed outside the App Store to be both code signed and notarized. Without both, macOS Gatekeeper will either show scary warnings or refuse to open the app entirely.

Certificate type: Developer ID Application (for direct download distribution outside App Store).

Cost: $99/year Apple Developer Program membership. Certificates and unlimited notarizations are included — no per-app fees.

1.2 Certificate Setup

1. Enroll in Apple Developer Program ($99/year)
2. Create a “Developer ID Application” certificate in Certificates, Identifiers & Profiles
3. For CI/CD: export the certificate as .p12 and store as GitHub Actions secret
4. Set environment variables:
   • APPLE_CERTIFICATE — base64-encoded .p12 file
   • APPLE_CERTIFICATE_PASSWORD — certificate password
   • APPLE_SIGNING_IDENTITY — e.g., “Developer ID Application: Moklabs (TEAMID)“

1.3 Notarization Setup

Tauri 2.x bundler handles notarization automatically when environment variables are set. Two authentication methods:

Recommended: App Store Connect API key (headless, works in CI)

• APPLE_API_ISSUER — API key issuer ID
• APPLE_API_KEY — API key ID
• APPLE_API_KEY_PATH — path to .p8 key file

Alternative: Apple ID (simpler but may require 2FA handling)

• APPLE_ID — Apple ID email
• APPLE_PASSWORD — app-specific password
• APPLE_TEAM_ID — team identifier

1.4 Installer Formats

Format	Use Case	Notes
.dmg	Direct download	Standard macOS distribution, drag-to-Applications
.app bundle	Inside DMG or Homebrew	The actual application bundle
App Store	Wide distribution	Requires “Apple Distribution” cert + App Store review

Recommendation for Argus/Remindr: DMG for direct download + Homebrew tap for developer audience.

1.5 Homebrew Distribution

1. Create a GitHub repo named homebrew-moklabs
2. Add a Cask formula pointing to the DMG download URL
3. CI automatically updates the formula on each release tag
4. Users install via brew install --cask moklabs/moklabs/argus
5. Homebrew strips the quarantine attribute automatically — smoother UX

Path to Homebrew Core: Start with a tap, submit to homebrew-cask once the app has traction and meets inclusion criteria.

---

2. Windows Distribution

2.1 Code Signing Requirements

Windows SmartScreen uses reputation-based trust. Without code signing, users see “Windows protected your PC” warnings that dramatically reduce install rates.

Certificate types:

Type	SmartScreen	Cost	Availability
EV (Extended Validation)	Immediate trust	$300-500/year	Organizations only, hardware token required
OV (Organization Validation)	Builds trust over time	$200-400/year	Organizations, must be on HSM since June 2023
Azure Trusted Signing	Immediate trust	$9.99/month ($120/year)	US/Canada businesses with 3+ years history

2.2 Azure Trusted Signing (Recommended)

The most cost-effective option for indie developers and small teams. Now called Azure Artifact Signing.

Pricing: $9.99/month for 5,000 signatures (Basic tier). More than enough for a small team.

Restriction (2026): Currently limited to US/Canadian businesses with 3+ years history. For others, use traditional OV/EV certificates via providers like DigiCert, Sectigo, or SSL.com.

Alternative: Azure Key Vault + relic

• Store an OV/EV cert in Azure Key Vault (cloud HSM)
• Use relic (open-source) to sign from CI
• Works with any certificate provider

2.3 Signing in CI/CD

For Azure Trusted Signing with GitHub Actions:

env:
  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}

For custom signing tools, use bundle > windows > signCommand in tauri.conf.json:

{
  "bundle": {
    "windows": {
      "signCommand": "trusted-signing-cli sign -f %1"
    }
  }
}

2.4 Installer Formats

Tauri 2.x generates both:

Format	Path	Notes
NSIS (-setup.exe)	target/release/bundle/nsis/	Recommended: modern, customizable, supports Windows 7+
MSI	target/release/bundle/msi/	Enterprise-friendly, WiX Toolset v3, silent install support

WebView2 strategy:

• Default: downloads bootstrapper at install time (~1.8MB overhead)
• embedBootstrapper: bundles bootstrapper (adds ~1.8MB, better offline)
• offlineInstaller: bundles full runtime (adds ~127MB, full offline)

Recommendation: Use NSIS with embedBootstrapper for Argus/Remindr. MSI for enterprise customers later.

---

3. Auto-Update System

3.1 Tauri Updater Plugin

The @tauri-apps/plugin-updater provides built-in auto-update with cryptographic signature verification (mandatory, cannot be disabled).

Two modes:

1. Static JSON file — host a latest.json on GitHub Gist, S3, or any CDN
2. Dynamic update server — custom endpoint returning update instructions

3.2 Static JSON Pattern (Simplest)

Host a latest.json file that the app checks periodically:

{
  "version": "1.2.0",
  "notes": "Bug fixes and performance improvements",
  "pub_date": "2026-03-19T12:00:00Z",
  "platforms": {
    "darwin-aarch64": {
      "signature": "...",
      "url": "https://github.com/moklabs/argus/releases/download/v1.2.0/Argus_1.2.0_aarch64.app.tar.gz"
    },
    "darwin-x86_64": {
      "signature": "...",
      "url": "https://github.com/moklabs/argus/releases/download/v1.2.0/Argus_1.2.0_x64.app.tar.gz"
    },
    "windows-x86_64": {
      "signature": "...",
      "url": "https://github.com/moklabs/argus/releases/download/v1.2.0/Argus_1.2.0_x64-setup.nsis.zip"
    }
  }
}

3.3 Update Key Generation

# Generate update signing keys
cargo install tauri-cli
cargo tauri signer generate -w ~/.tauri/myapp.key

Set in CI:

• TAURI_SIGNING_PRIVATE_KEY — the private key
• TAURI_SIGNING_PRIVATE_KEY_PASSWORD — key password

3.4 Background Update Check Pattern

// Check every 5 minutes in background
tauri::async_runtime::spawn(async move {
    loop {
        if let Ok(update) = updater.check().await {
            if update.is_available() {
                update.download_and_install().await.ok();
            }
        }
        tokio::time::sleep(Duration::from_secs(300)).await;
    }
});

3.5 CrabNebula Cloud (Managed Alternative)

Official Tauri partner offering managed distribution + CDN + auto-updates:

• Global CDN for installers and updates
• Download metrics and analytics
• Seamless integration with Tauri updater plugin
• Pricing: not publicly listed — contact sales

Recommendation: Start with GitHub Releases + static JSON. Evaluate CrabNebula Cloud once download volume justifies it.

---

4. CI/CD Pipeline (GitHub Actions)

4.1 Reference Workflow

Using tauri-apps/tauri-action@v0, a single workflow builds for all platforms:

Platform	Runner	Artifacts
macOS x64	macos-13	.dmg, .app.tar.gz
macOS ARM64	macos-14 (M1)	.dmg, .app.tar.gz
Windows x64	windows-latest	-setup.exe, .msi
Linux x64	ubuntu-22.04	.deb, .AppImage
Linux ARM64	self-hosted or cross-compile	.deb, .AppImage

4.2 Workflow Structure

name: Release
on:
  push:
    tags: ['v*']

jobs:
  build:
    strategy:
      matrix:
        include:
          - os: macos-14
            target: aarch64-apple-darwin
          - os: macos-13
            target: x86_64-apple-darwin
          - os: windows-latest
            target: x86_64-pc-windows-msvc
          - os: ubuntu-22.04
            target: x86_64-unknown-linux-gnu
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: swatinem/rust-cache@v2
      - run: pnpm install
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # macOS signing
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
          APPLE_API_KEY_PATH: ${{ secrets.APPLE_API_KEY_PATH }}
          # Windows signing
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          # Update signing
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          tagName: v__VERSION__
          releaseName: 'v__VERSION__'
          releaseBody: 'See the assets to download and install this version.'
          releaseDraft: true
          prerelease: false

4.3 Post-Build: Update Homebrew Tap

Add a job that triggers after all builds complete:

  update-homebrew:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: moklabs/homebrew-moklabs
          token: ${{ secrets.HOMEBREW_TOKEN }}
      - run: |
          # Update cask formula with new version and SHA256
          ./update-cask.sh ${{ github.ref_name }}
          git commit -am "Update to ${{ github.ref_name }}"
          git push

---

5. Distribution Strategy for Privacy-First Apps

5.1 Privacy-First Principles

For Argus and Remindr (both privacy-first, local-first apps):

1. No telemetry in the app — zero analytics, no usage tracking
2. No forced updates — user controls when to update
3. Transparent update process — show changelog before installing
4. No account required — download and use immediately
5. Offline-capable installer — embed WebView2 bootstrapper

5.2 Recommended Distribution Channels

Channel	Priority	Audience	Setup Effort
GitHub Releases	P0	Developers, early adopters	Low (tauri-action handles it)
Product website	P0	General users	Medium (landing page + download links)
Homebrew tap	P1	macOS developers	Low (automated via CI)
Microsoft Store	P2	Windows mainstream	Medium (submission + review)
Mac App Store	P3	macOS mainstream	High (sandboxing + review)

5.3 Privacy Messaging in Distribution

• Landing page should emphasize “runs entirely on your device”
• Include “no account, no telemetry, no cloud” in installer description
• Link to privacy policy that confirms zero data collection
• Consider including a “verify our claims” section with links to source code

---

6. Cost Summary

Item	Cost	Frequency	Notes
Apple Developer Program	$99	Annual	Covers signing + notarization
Azure Trusted Signing (Basic)	$9.99/mo ($120/yr)	Monthly	5,000 signs/mo, SmartScreen trust
GitHub Actions	Free	—	Public repos; private repos have 2,000 min/mo free
CrabNebula Cloud	TBD	—	Optional managed CDN + updates
Total minimum	~$219/year		Apple + Azure

Alternative if Azure Trusted Signing is unavailable (non-US/CA):

• OV Certificate via SSL.com or Sectigo: $200-400/year
• Store on Azure Key Vault ($0.03/operation) + sign with relic
• Total: $300-500/year

---

7. Recommendations for Moklabs

7.1 Immediate Actions (Pre-Launch)

1. Enroll in Apple Developer Program ($99) — needed for both Argus and Remindr
2. Set up Azure Trusted Signing or acquire OV certificate for Windows signing
3. Generate Tauri update signing keys and store in GitHub Secrets
4. Create moklabs/homebrew-moklabs repository for Homebrew tap
5. Implement GitHub Actions release workflow using tauri-action (template in Section 4.2)

7.2 Argus-Specific (GTM #1)

• Start with DMG (macOS) + NSIS (Windows) + GitHub Releases
• Add Homebrew tap for developer audience
• Auto-updates via static JSON on GitHub (free, reliable)
• Landing page download buttons pointing to GitHub Releases

7.3 Remindr-Specific

• Same pipeline as Argus (shared CI templates)
• Consider Mac App Store submission later (better discoverability for consumer app)
• WebView2 embedBootstrapper mode for Windows (privacy-first = minimize network calls during install)

7.4 Shared Infrastructure

• Both apps can share:
  • Apple Developer account (same team)
  • Azure signing service
  • homebrew-moklabs tap (multiple casks)
  • CI workflow templates (reusable GitHub Actions)
  • Update signing keys (per-app, but same process)

---

Sources

• Tauri v2 macOS Code Signing
• Tauri v2 Windows Code Signing
• Tauri v2 Updater Plugin
• Tauri v2 Distribution Overview
• Tauri v2 GitHub Actions Pipeline
• Tauri v2 Windows Installer
• Ship Tauri v2 Like a Pro: Code Signing (Part 1)
• Ship Tauri v2 Like a Pro: GitHub Actions (Part 2)
• Shipping Production macOS App with Tauri 2.0
• Azure Trusted Signing Pricing
• CrabNebula Cloud + Tauri Auto-Updates
• Tauri Auto-Update Distribution Guide (Oflight)
• Apple Developer Program
• Code Signing on Windows with Azure Trusted Signing