Desktop Release Packaging Guide (Local, Reproducible)

This guide provides reproducible local packaging steps for both desktop variants:

full → World Monitor
tech → Tech Monitor

Variant identity is controlled by Tauri config:

full: src-tauri/tauri.conf.json
tech: src-tauri/tauri.tech.conf.json

Prerequisites

Node.js + npm
Rust toolchain
OS-native Tauri build prerequisites:
- macOS: Xcode command-line tools
- Windows: Visual Studio Build Tools + NSIS + WiX

Install dependencies (this also installs the pinned Tauri CLI used by desktop scripts):

npm ci

All desktop scripts call the local tauri binary from node_modules/.bin; no runtime npx package download is required after npm ci. If the local CLI is missing, scripts/desktop-package.mjs now fails fast with an explicit npm ci remediation message.

Network preflight and remediation

Before running desktop packaging in CI or managed networks, verify connectivity and proxy config:

npm ping
curl -I https://index.crates.io/
env | grep -E '^(HTTP_PROXY|HTTPS_PROXY|NO_PROXY)='

If these fail, use one of the supported remediations:

Internal npm mirror/proxy.
Internal Cargo sparse index/registry mirror.
Pre-vendored Rust crates (src-tauri/vendor/) + Cargo offline mode.
CI artifact/caching strategy that restores required package inputs before build.

See docs/TAURI_VALIDATION_REPORT.md for failure classification labels and troubleshooting flow.

Packaging commands

To view script usage/help:

npm run desktop:package -- --help

macOS (`.app` + `.dmg`)

npm run desktop:package:macos:full
npm run desktop:package:macos:tech
# or generic runner
npm run desktop:package -- --os macos --variant full

Windows (`.exe` + `.msi`)

npm run desktop:package:windows:full
npm run desktop:package:windows:tech
# or generic runner
npm run desktop:package -- --os windows --variant tech

Bundler targets are pinned in both Tauri configs and enforced by packaging scripts:

macOS: app,dmg
Windows: nsis,msi

Rust dependency modes (online vs restricted network)

From src-tauri/, the project supports two packaging paths:

1) Standard online build (default)

Use normal Cargo behavior (crates.io):

cd src-tauri
cargo generate-lockfile
cargo tauri build --config tauri.conf.json

2) Restricted-network build (pre-vendored or internal mirror)

An optional vendored source is defined in src-tauri/.cargo/config.toml. To use it, first prepare vendored crates on a machine that has registry access:

# from repository root
cargo vendor --manifest-path src-tauri/Cargo.toml src-tauri/vendor

Then enable offline mode using either method:

One-off CLI override (no file changes):

cd src-tauri
cargo generate-lockfile --offline --config 'source.crates-io.replace-with="vendored-sources"'
cargo tauri build --offline --config 'source.crates-io.replace-with="vendored-sources"' --config tauri.conf.json

Local override file (recommended for CI/repeatable offline jobs):

cp src-tauri/.cargo/config.local.toml.example src-tauri/.cargo/config.local.toml
cd src-tauri
cargo generate-lockfile --offline
cargo tauri build --offline --config tauri.conf.json

For CI or internal mirrors, publish src-tauri/vendor/ as an artifact and restore it before the restricted-network build. If your organization uses an internal crates mirror instead of vendoring, point source.crates-io.replace-with to that mirror in CI-specific Cargo config and run the same build commands.

Optional signing/notarization hooks

Unsigned packaging works by default. If signing credentials are present in environment variables, Tauri will sign/notarize automatically during the same packaging commands.

macOS Apple Developer signing + notarization

Set before packaging (Developer ID signature):

export TAURI_BUNDLE_MACOS_SIGNING_IDENTITY="Developer ID Application: Your Company (TEAMID)"
export TAURI_BUNDLE_MACOS_PROVIDER_SHORT_NAME="TEAMID"
# optional alternate key accepted by Tauri tooling:
export APPLE_SIGNING_IDENTITY="Developer ID Application: Your Company (TEAMID)"

For notarization, choose one auth method:

# Apple ID + app-specific password
export APPLE_ID="you@example.com"
export APPLE_PASSWORD="app-specific-password"
export APPLE_TEAM_ID="TEAMID"

# OR App Store Connect API key
export APPLE_API_KEY="ABC123DEFG"
export APPLE_API_ISSUER="00000000-0000-0000-0000-000000000000"
export APPLE_API_KEY_PATH="$HOME/.keys/AuthKey_ABC123DEFG.p8"

Then run either standard or explicit sign script aliases:

npm run desktop:package:macos:full
# or
npm run desktop:package:macos:full:sign

Windows Authenticode signing

Set before packaging (PowerShell):

$env:TAURI_BUNDLE_WINDOWS_CERTIFICATE_THUMBPRINT="<CERT_THUMBPRINT>"
$env:TAURI_BUNDLE_WINDOWS_TIMESTAMP_URL="https://timestamp.digicert.com"
# optional: if using cert file + password instead of cert store
$env:TAURI_BUNDLE_WINDOWS_CERTIFICATE="C:\path\to\codesign.pfx"
$env:TAURI_BUNDLE_WINDOWS_CERTIFICATE_PASSWORD="<PFX_PASSWORD>"

Then run either standard or explicit sign script aliases:

npm run desktop:package:windows:full
# or
npm run desktop:package:windows:full:sign

Variant-aware outputs (names/icons)

Full variant: World Monitor / world-monitor
Tech variant: Tech Monitor / tech-monitor

Distinct names are configured in Tauri:

src-tauri/tauri.conf.json → World Monitor / world-monitor
src-tauri/tauri.tech.conf.json → Tech Monitor / tech-monitor

If you want variant-specific icons, set bundle.icon separately in each config and point each variant to dedicated icon assets.

Output locations

Artifacts are produced under:

src-tauri/target/release/bundle/

Common subfolders:

app/ → macOS .app
dmg/ → macOS .dmg
nsis/ → Windows .exe installer
msi/ → Windows .msi installer

Release checklist (clean machine)

Build required OS + variant package(s).
Move artifacts to a clean machine (or fresh VM).
Install/launch:
- macOS: mount .dmg, drag app to Applications, launch.
- Windows: run .exe or .msi, launch from Start menu.
Validate startup:
- App window opens without crash.
- Map view renders.
- Initial data loading path does not fatal-error.
Validate variant identity:
- Window title and product name match expected variant.
If signing was enabled:
- Verify code-signing metadata in OS dialogs/properties.
- Verify notarization/Gatekeeper acceptance on macOS.

Getting Started

Platform & Features

Intelligence & Analysis

Map Layers

Finance

Desktop Application

Developer Guide

Legal

Desktop Release Packaging Guide (Local, Reproducible)

Prerequisites

Network preflight and remediation

Packaging commands

macOS (`.app` + `.dmg`)

Windows (`.exe` + `.msi`)

Rust dependency modes (online vs restricted network)

1) Standard online build (default)

2) Restricted-network build (pre-vendored or internal mirror)

Optional signing/notarization hooks

macOS Apple Developer signing + notarization

Windows Authenticode signing

Variant-aware outputs (names/icons)

Output locations

Release checklist (clean machine)

Getting Started

Platform & Features

Intelligence & Analysis

Map Layers

Finance

Desktop Application

Developer Guide

Legal

​Prerequisites

​Network preflight and remediation

​Packaging commands

​macOS (.app + .dmg)

​Windows (.exe + .msi)

​Rust dependency modes (online vs restricted network)

​1) Standard online build (default)

​2) Restricted-network build (pre-vendored or internal mirror)

​Optional signing/notarization hooks

​macOS Apple Developer signing + notarization

​Windows Authenticode signing

​Variant-aware outputs (names/icons)

​Output locations

​Release checklist (clean machine)

Prerequisites

Network preflight and remediation

Packaging commands

macOS (`.app` + `.dmg`)

Windows (`.exe` + `.msi`)

Rust dependency modes (online vs restricted network)

1) Standard online build (default)

2) Restricted-network build (pre-vendored or internal mirror)

Optional signing/notarization hooks

macOS Apple Developer signing + notarization

Windows Authenticode signing

Variant-aware outputs (names/icons)

Output locations

Release checklist (clean machine)