OpenSecretCloud
diff --git a/‎docs/windows-certificate-setup.md‎
Lines changed: 299 additions & 0 deletions b/‎docs/windows-certificate-setup.md‎
Lines changed: 299 additions & 0 deletions
@@ -0,0 +1,299 @@
+# Windows Code Signing Certificate Setup Options
+
+This document covers the three recommended options for signing Windows builds of Maple for distribution.
+
+## Quick Comparison
+
+| Option | Cost | Approval Time | Publisher Name | CI/CD Integration | Best For |
+|--------|------|---------------|----------------|-------------------|----------|
+| Azure Individual | ~$10/month | 1-3 days | Your personal name | OIDC (keyless) | Immediate start, indie apps |
+| Azure Organization | ~$10/month | 1-3 days | Legal business name | OIDC (keyless) | Established companies (3+ years) |
+| SSL.com eSigner | ~$239-499/year | 1-5 days | Business or personal | TOTP secrets | Backup option, flexible requirements |
+
+---
+
+## Option 1: Azure Trusted Signing - Individual Validation
+
+**Best for:** Starting immediately without business history requirements.
+
+**Publisher shown:** "Published by: [Your Legal Name]"
+
+### Prerequisites
+- Azure account with Pay-As-You-Go subscription
+- Government-issued photo ID (passport or driver's license)
+- Microsoft Authenticator app on mobile device
+- US or Canada residency
+
+### Setup Steps
+
+#### 1. Create Azure Account
+```
+https://portal.azure.com
+```
+- Sign up for Pay-As-You-Go subscription if you don't have one
+- No upfront costs - billed monthly based on usage
+
+#### 2. Register the Resource Provider
+1. Go to Azure Portal → Subscriptions → [Your Subscription]
+2. Left sidebar → Settings → Resource providers
+3. Search for `Microsoft.CodeSigning`
+4. Click "Register" and wait for status to show "Registered"
+
+#### 3. Create Trusted Signing Account
+1. Search for "Trusted Signing" in Azure Portal
+2. Click "Create"
+3. Select your subscription and resource group
+4. Choose a region (e.g., "West US" → endpoint: `https://wus.codesigning.azure.net`)
+5. Choose "Basic" SKU ($9.99/month)
+6. Create the resource
+
+#### 4. Complete Identity Validation
+1. In your Trusted Signing resource → "Identity validation"
+2. Select "Individual"
+3. Follow the prompts:
+   - Upload government-issued photo ID
+   - Complete biometric/liveness check via Microsoft Authenticator
+   - Provide current address (utility bill if ID address differs)
+4. Wait 1-3 business days for approval
+
+#### 5. Create Certificate Profile
+1. After identity validation completes → "Certificate profiles"
+2. Click "Add"
+3. Select "Public Trust" (required for public distribution)
+4. Enter profile name (e.g., "maple-signing")
+5. The certificate will be generated on-demand during signing
+
+#### 6. Create App Registration for CI/CD
+1. Go to Azure Entra ID (Azure Active Directory)
+2. App registrations → New registration
+3. Name: "GitHub Actions - Maple Signing"
+4. Leave defaults, click Register
+5. Note the **Application (client) ID** and **Directory (tenant) ID**
+
+#### 7. Configure Federated Credentials (OIDC)
+1. In your App Registration → Certificates & secrets
+2. Federated credentials → Add credential
+3. Select "GitHub Actions deploying Azure resources"
+4. Configure:
+   - Organization: `OpenSecretCloud`
+   - Repository: `Maple`
+   - Entity type: `Branch` (for `master`) or `Tag` (for releases)
+   - Name: "github-actions-release"
+5. Add another for tags if needed: Entity type `Tag`, value `v*`
+
+#### 8. Assign Signing Role
+1. Go to your Trusted Signing Account resource
+2. Access control (IAM) → Add role assignment
+3. Role: "Trusted Signing Certificate Profile Signer"
+4. Members: Select your App Registration service principal
+5. Review + assign
+
+### GitHub Secrets Required
+```
+AZURE_CLIENT_ID        = [App Registration Client ID]
+AZURE_TENANT_ID        = [Directory/Tenant ID]
+AZURE_SUBSCRIPTION_ID  = [Your Azure Subscription ID]
+AZURE_ENDPOINT         = https://wus.codesigning.azure.net (or your region)
+AZURE_ACCOUNT          = [Trusted Signing Account name]
+AZURE_PROFILE          = [Certificate Profile name]
+```
+
+---
+
+## Option 2: Azure Trusted Signing - Organization Validation
+
+**Best for:** Companies with 3+ years of verifiable history wanting professional branding.
+
+**Publisher shown:** "Published by: [Your Legal Business Name]"
+
+### Prerequisites
+- Everything from Individual Validation, plus:
+- US or Canada registered business entity
+- **3+ years of verifiable business history** (tax filings, business registration)
+- D-U-N-S number (recommended - speeds up verification)
+
+### Setup Steps
+
+Same as Individual Validation except:
+
+#### 4. Complete Identity Validation (Organization)
+1. In your Trusted Signing resource → "Identity validation"
+2. Select "Organization" (not Individual)
+3. Provide:
+   - Legal business name (exactly as registered)
+   - Business address
+   - EIN or business registration number
+   - D-U-N-S number (if available)
+   - Primary contact information
+4. Microsoft will verify against public business records
+5. Wait 1-3 business days (may take longer without D-U-N-S)
+
+### If Rejected
+- Most common reason: Business history less than 3 years
+- Alternative: Use Individual Validation instead
+- You can switch to Organization later when you qualify
+
+---
+
+## Option 3: SSL.com eSigner (Backup Option)
+
+**Best for:** Those who can't use Azure, or need more flexible business verification.
+
+**Publisher shown:** Business name or personal name (depending on cert type)
+
+### Pricing
+- OV Code Signing: ~$239/year (basic)
+- EV Code Signing: ~$499/year (extended validation)
+- eSigner service included or add-on depending on plan
+
+### Prerequisites
+- Credit card for payment
+- Government-issued ID
+- For OV/EV: Business registration documents, domain ownership
+
+### Setup Steps
+
+#### 1. Purchase Certificate
+1. Go to https://www.ssl.com/certificates/code-signing/
+2. Select "Code Signing" (OV) or "EV Code Signing"
+3. Choose certificate term (1-3 years)
+4. During checkout, select "eSigner" for cloud signing (required for CI/CD)
+
+#### 2. Complete Validation
+- **Individual/OV:** Government ID, phone verification
+- **Business/EV:** Business documents, callback verification, may require lawyer letter if under 3 years
+
+#### 3. Set Up eSigner
+1. After validation, access SSL.com dashboard
+2. Go to eSigner settings
+3. Generate TOTP secret (for 2FA in CI/CD)
+4. Note your credential ID
+
+#### 4. Configure GitHub Secrets
+```
+ES_USERNAME     = [SSL.com account email]
+ES_PASSWORD     = [SSL.com account password]
+CREDENTIAL_ID   = [eSigner credential ID]
+ES_TOTP_SECRET  = [TOTP secret for automated 2FA]
+```
+
+### GitHub Actions Integration
+```yaml
+- name: Sign with SSL.com eSigner
+  uses: sslcom/esigner-codesign@develop
+  with:
+    command: sign
+    username: ${{ secrets.ES_USERNAME }}
+    password: ${{ secrets.ES_PASSWORD }}
+    credential_id: ${{ secrets.CREDENTIAL_ID }}
+    totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+    file_path: frontend/src-tauri/target/release/bundle/nsis/*.exe
+    override: true
+```
+
+### Pros/Cons vs Azure
+**Pros:**
+- More flexible validation requirements
+- EV certificates available (though less relevant post-2024)
+- Works internationally
+
+**Cons:**
+- More expensive (~$239-499/year vs ~$120/year)
+- Uses secrets instead of OIDC (less secure)
+- Slightly more complex CI/CD setup
+
+---
+
+## GitHub Actions Workflow Snippet (Azure)
+
+Add this to your release workflow for Windows builds:
+
+```yaml
+build-windows:
+  runs-on: windows-latest
+  permissions:
+    id-token: write  # Required for OIDC
+    contents: write
+  
+  steps:
+    - uses: actions/checkout@v4
+    
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v1
+      with:
+        bun-version: 1.2.2
+    
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        targets: x86_64-pc-windows-msvc
+    
+    - name: Azure Login (OIDC)
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+    
+    - name: Install Azure Signing Tool
+      shell: powershell
+      run: dotnet tool install --global Azure.CodeSigning.Tool
+    
+    - name: Create Signing Script
+      shell: powershell
+      run: |
+        $script = @"
+        param([string]`$file)
+        & acs tool sign -v ``
+          -u "${{ secrets.AZURE_ENDPOINT }}" ``
+          -a "${{ secrets.AZURE_ACCOUNT }}" ``
+          -p "${{ secrets.AZURE_PROFILE }}" ``
+          -i `$file
+        "@
+        Set-Content -Path ".\filesign.ps1" -Value $script
+        echo "$PWD" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+    
+    - name: Install frontend dependencies
+      working-directory: ./frontend
+      run: bun install
+    
+    - name: Build Tauri App
+      uses: tauri-apps/tauri-action@v0
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+        TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+        VITE_OPEN_SECRET_API_URL: https://enclave.trymaple.ai
+        VITE_MAPLE_BILLING_API_URL: https://billing.opensecret.cloud
+        VITE_CLIENT_ID: ba5a14b5-d915-47b1-b7b1-afda52bc5fc6
+      with:
+        projectPath: './frontend'
+        tagName: ${{ github.ref_name }}
+        releaseName: 'Maple v${{ github.ref_name }}'
+        args: --bundles nsis
+```
+
+Note: The `signCommand` in `tauri.conf.json` must be configured to call the signing script. See the Windows implementation guide for full details.
+
+---
+
+## Recommendation Summary
+
+1. **If you need to ship immediately:** Azure Individual Validation
+2. **If you can wait 3 weeks and have 3+ years business history:** Azure Organization Validation  
+3. **If Azure doesn't work out:** SSL.com eSigner as backup
+
+All three options provide full CI/CD automation with no hardware tokens required.
+
+---
+
+## Next Steps After Certificate Setup
+
+Once your certificate is ready:
+1. Add Windows to your GitHub Actions workflow
+2. Configure `tauri.conf.json` with WebView2 and NSIS settings
+3. Update `build.rs` for Windows manifest (DPI awareness)
+4. Update `latest.json` generation to include Windows platform
+5. Test the full build and signing pipeline
+
+See `docs/windows-research.md` for complete implementation details.