Windows

Taurify ships a Windows installer that can be signed.

Codesign

You can sign the Windows executables by providing an Azure Key Vault certificate and credentials.

  1. Key Vault

In the Azure Portal, navigate to the Key vaults service and click the “Create” button to create a new key vault. Set the AZURE_VAULT_NAME environment variable to the value you enter as the “Key vault name”.

  2. Certificate

After creating a key vault, select it, go to the “Objects > Certificates” page and click the “Generate/Import” button to create a new certificate. Set the AZURE_CERTIFICATE_NAME environment variable to the value you enter as the “Certificate name”.

  3. Credentials

The Taurify server must authenticate with Azure in order to load the certificate. From the Azure portal landing page, go to the “Microsoft Entra ID” service and open the “Manage > App registrations” page. Click “New registration” to create a new app. After creating the app, you are redirected to the application details page, where you can see the “Application (client) ID” and “Directory (tenant) ID” values. Set the AZURE_VAULT_ID and AZURE_TENANT_ID environment variables to these IDs, respectively.

On the “Manage > Certificates & secrets” page, click the “New client secret” button and set the AZURE_CLIENT_SECRET environment variable to the text in the “Value” column.

After setting up all the credentials, head back to your key vault’s page and navigate to the “Access control (IAM)” page. You must assign the “Key Vault Certificate User” and “Key Vault Crypto User” roles to your newly created application.

After setting up all these variables, running taurify build will produce signed Windows installers!
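
As an added example (not part of Taurify or its documentation), this shell function checks the five variables from the steps above before a build, without ever printing their values. The format rules are Azure's naming rules as assumed here, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the signing variables named in this guide.
# The format rules below are Azure's naming rules, assumed here; they are not
# taken from Taurify's own code.

is_guid() {
    printf '%s' "$1" |
        grep -Eq -e '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

matches() { printf '%s' "$1" | grep -Eq -e "$2"; }

# Reports a problem without ever echoing the variable's value.
_fail() { echo "signing env: $1" >&2; problems=$((problems + 1)); }

# Returns 0 only when all five variables are set and plausibly shaped.
check_signing_env() {
    problems=0
    for name in AZURE_VAULT_NAME AZURE_CERTIFICATE_NAME AZURE_VAULT_ID \
                AZURE_TENANT_ID AZURE_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || _fail "$name is not set"
    done
    [ "$problems" -eq 0 ] || return 1

    # Key vault names: 3-24 chars, letters/digits/hyphens, start with a letter,
    # end with a letter or digit, no consecutive hyphens.
    if ! matches "$AZURE_VAULT_NAME" '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$' ||
        matches "$AZURE_VAULT_NAME" '--'; then
        _fail "AZURE_VAULT_NAME is not a valid key vault name (use the name, not the URL)"
    fi
    # Certificate names: 1-127 letters, digits or hyphens.
    matches "$AZURE_CERTIFICATE_NAME" '^[A-Za-z0-9-]{1,127}$' ||
        _fail "AZURE_CERTIFICATE_NAME is not a valid certificate name"
    # Both IDs on the app registration page are GUIDs.
    is_guid "$AZURE_VAULT_ID" ||
        _fail "AZURE_VAULT_ID should be the Application (client) ID, a GUID"
    is_guid "$AZURE_TENANT_ID" ||
        _fail "AZURE_TENANT_ID should be the Directory (tenant) ID, a GUID"
    # A GUID-shaped secret usually means the "Secret ID" column was copied
    # instead of "Value".
    if is_guid "$AZURE_CLIENT_SECRET"; then
        _fail "AZURE_CLIENT_SECRET looks like the Secret ID, not the Value"
    fi
    [ "$problems" -eq 0 ]
}

# Usage: check_signing_env && taurify build
```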