A Simple Guide to Packaging and Signing Tauri Apps


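A Complete Guide to Packaging and Signing Tauri Apps (with GitHub Actions Automation)

This guide covers the complete process, from exporting the certificate to automated packaging, signing and release with GitHub Actions. It applies to the macOS platform.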


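Export the macOS signing certificate as Base64

To sign your Tauri app in a CI environment, export the macOS signing certificate and convert it to Base64 so that it can be passed in through GitHub Secrets.

Steps:

  1. Open Keychain Access;
  2. Find your development certificate (for example, Apple Development: yourname (TEAMID));
  3. Right-click → Export, and choose the .p12 format;
  4. Convert the certificate to Base64 with the following command:
openssl base64 -in your-certificate.p12 -out cert.txt
  5. Copy the contents of cert.txt and store them in GitHub Secrets:
    • APPLE_CERTIFICATE: the Base64 string
    • APPLE_CERTIFICATE_PASSWORD: the password set when exporting the .p12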

Create the GitHub workflow

your-project/
├── src-tauri/
│   ├── tauri.conf.json
│   ├── entitlements.plist
├── .github/
│   └── workflows/
│       └── release.yml

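Configure entitlements.plist

entitlements.plist configures the permissions of your macOS app (for example network or file access); choose the entries according to what your app actually needs.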

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
</dict>
</plist>

Then configure it in tauri.conf.json:

"macOS": {
  "entitlements": "src-tauri/entitlements.plist",
  "exceptionDomain": "*"
}

GitHub Actions configuration for automated packaging and signing

Edit .github/workflows/release.yml as follows:

name: Release

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

jobs:
  release:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        platform: [macos-latest, ubuntu-24.04, windows-latest]
    runs-on: ${{ matrix.platform }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install dependencies (ubuntu only)
        if: matrix.platform == 'ubuntu-24.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev libgtk-3-dev libayatana-appindicator3-dev \
            librsvg2-dev libsoup2.4-dev libglib2.0-dev \
            libgdk-pixbuf2.0-dev libcairo2-dev libpango1.0-dev libatk1.0-dev

      - name: Rust setup
        uses: dtolnay/rust-toolchain@stable

      - name: Rust cache
        uses: swatinem/rust-cache@v2
        with:
          workspaces: './src-tauri -> target'

      - name: Node.js Setup
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.9

      - name: Install frontend dependencies
        run: pnpm install

      - name: Import macOS certificate (macos only)
        if: matrix.platform == 'macos-latest'
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p "" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "" build.keychain
          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain

      - name: Build the app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tagName: ${{ github.ref_name }}
          releaseName: 'github-actions-visual-editor v__VERSION__'
          releaseBody: 'See the assets to download and install this version.'
          releaseDraft: true
          prerelease: false

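An entry such as name: Rust setup is the name of one step in the workflow. The steps are:

  • Check out the code: name: Checkout repository
  • On Linux, install the dependencies Linux needs: name: Install dependencies (ubuntu only)
  • Set up the Rust environment: name: Rust setup
  • Set up the Rust cache: name: Rust cache
  • Set up pnpm: name: Node.js Setup
  • Install dependencies: name: Install frontend dependencies
  • On macOS, configure the certificate: name: Import macOS certificate (macos only)
  • Compile and package the app: name: Build the app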

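The first few steps are nothing special, just routine operations. The name: Import macOS certificate (macos only) step is dedicated to configuring the Apple developer certificate and must be used together with the output of the certificate export above. Only then can the packaged Mac app be opened normally on a Mac; otherwise it is reported as an untrusted app or cannot be opened at all.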
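The Import macOS certificate step in the workflow writes certificate.p12 into the checkout and creates the keychain with an empty password. A hardened variant of that step follows as an added example (not code from the original post); the function names, the use of RUNNER_TEMP as the storage location and the 6-hour lock timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
set -eu

# Decode the Base64 secret ($1) into file $2 with owner-only permissions.
# Succeeds only if the result starts with 0x30, the DER SEQUENCE tag that
# every PKCS#12 (.p12) file begins with; otherwise the file is removed.
decode_p12() {
  if ( umask 077; printf '%s' "$1" | base64 --decode > "$2" ) &&
     [ "$(od -An -tx1 -N1 "$2" | tr -d ' \n')" = "30" ]; then
    return 0
  fi
  rm -f "$2"
  echo "APPLE_CERTIFICATE did not decode to a PKCS#12 file" >&2
  return 1
}

# macOS runner only. Keychain and .p12 live in RUNNER_TEMP (assumed location),
# outside the checkout, so neither can be swept into a build artifact.
import_signing_cert() {
  dir=${RUNNER_TEMP:-$(mktemp -d)}
  p12="$dir/certificate.p12"
  keychain="$dir/build.keychain-db"
  kc_pass=$(openssl rand -hex 24)   # random instead of the empty password

  decode_p12 "$APPLE_CERTIFICATE" "$p12"
  security create-keychain -p "$kc_pass" "$keychain"
  security set-keychain-settings -lut 21600 "$keychain"   # relock after 6 h
  security unlock-keychain -p "$kc_pass" "$keychain"
  security import "$p12" -k "$keychain" -P "$APPLE_CERTIFICATE_PASSWORD" \
    -T /usr/bin/codesign
  rm -f "$p12"   # the private key now exists only inside the keychain
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$kc_pass" "$keychain" >/dev/null
  security list-keychains -d user -s "$keychain"
  # Print the imported identities so a failed import shows in the job log.
  security find-identity -v -p codesigning "$keychain"
}

# Run only when the secret is present, i.e. inside the macOS job.
if [ -n "${APPLE_CERTIFICATE:-}" ]; then
  import_signing_cert
fi
```

On self-hosted runners, add a final step with if: always() that runs security delete-keychain on the same keychain path, so the signing key does not outlive the job.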

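name: Build the app uses tauri-apps/tauri-action@v0, the pipeline tool provided officially by Tauri, to package the project and output the build artifacts. releaseDraft sends the artifacts to a draft release.

On the project's home page, click Releases on the right to open the Releases page, which contains the unpublished draft.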


You can download the installer here and then test it.


After testing passes, click the edit icon to edit the release content and apply a tag.


The code for this project is hosted at: github.com/cbtpro/gith…
