Phase 5C: sign updater bundles + commit Tauri pubkey#16
Open
wudi wants to merge 1 commit into
Open
Conversation
Closes the auto-updater loop opened in #15. Once this merges + a v0.1.2 release is tagged, installed v0.1.2 users start receiving signed updates automatically; v0.1.1 users have to manually grab v0.1.2 once (no working updater shipped in 0.1.1). src-tauri/tauri.conf.json - plugins.updater.pubkey populated with the minisign public key (the matching private key + password are in GitHub repo secrets TAURI_PRIVATE_KEY / TAURI_KEY_PASSWORD). - Pubkey is public-by-design (it ships in every client bundle anyway to verify downloads). .github/workflows/release.yml - Build Tauri bundle step picks up the signing env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} With these set, tauri-action emits *.app.tar.gz / *.AppImage.tar.gz / *.nsis.zip alongside the user-facing installers, each paired with a .sig file. - Collect & rename step copies the updater bundles into dist-release under the same `AnySpace-${VERSION}-${LABEL}.{ext}` naming the backend manifest endpoint expects, plus their matching .sig files via a small copy_sig helper. Helper skips silently if .sig is missing (build run without secrets → unsigned → no .sig → release silently has no updater artifacts), so the workflow can't fail solely on a secrets-not-set configuration mistake; the consequence shows up as the backend continuing to 204 every request. - dist-release/* is already what the GitHub Release + R2 upload steps glob over, so no further wiring needed downstream. backend/README.md - New "Release engineering — signed auto-updates (phase 5)" section documenting the two secrets, the pubkey-in-config relationship, and the rotation procedure. Verified: cargo check clean (tauri.conf.json embeds at compile time); yaml.safe_load passes on the workflow.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes the auto-updater loop opened in #15. Once this merges + a v0.1.2 release is tagged, installed v0.1.2 users start receiving signed updates automatically.
What this PR does
src-tauri/tauri.conf.jsonplugins.updater.pubkeypopulated with the minisign public key. The matching private key + password live in GitHub repo secrets that you (as the maintainer) added manually. The pubkey is public-by-design — it ships in every client bundle anyway, used to verify downloads..github/workflows/release.ymlTwo changes to the Build Tauri bundle step:
TAURI_SIGNING_PRIVATE_KEYandTAURI_SIGNING_PRIVATE_KEY_PASSWORDenv (mapped from the two new secrets) totauri-action. With these set, the action emits*.app.tar.gz/*.AppImage.tar.gz/*.nsis.zipalongside the user-facing installers, each paired with a.sigfile.And one change to the Collect & rename artifacts step:
copy_sighelper + extraforloops to copy the updater bundles intodist-release/under the sameAnySpace-${VERSION}-${LABEL}.{ext}naming the backend manifest endpoint expects, plus their matching.sigfiles. Silently skips if.sigis missing (build run without secrets → unsigned → no.sig), so a secrets-not-set mistake degrades to "backend keeps returning 204" rather than breaking the release.dist-release/*is already the glob both the GitHub Release publish step and the R2 upload step use, so the new artifacts flow downstream automatically.backend/README.mdNew Release engineering — signed auto-updates (phase 5) section documenting:
TAURI_PRIVATE_KEY,TAURI_KEY_PASSWORD) and where they come frompubkeyin config → cut new release → old clients on old pubkey need manual reinstall)You also need to
If you haven't already, add the two repo secrets at
https://github.com/anyspacedev/anyspace/settings/secrets/actions:
TAURI_PRIVATE_KEYdW50cnVzdGVkIGNvbW1lbnQ6IHJzaWduIGVuY3J5cHRlZCBzZWNyZXQga2V5...)TAURI_KEY_PASSWORDAYdAggxHIwDl2-n1BmuJiQ7xnxuoIBJUConfirm once both are in and I'll shred the local copy at
~/.tauri/anyspace.key.Verified
cargo checkclean (the pubkey is compile-time embedded bytauri::generate_context!()— invalid base64 would have failed here).yaml.safe_loadpasses on the modified workflow.After merge
Tag a v0.1.2 with
git tag v0.1.2 && git push origin v0.1.2— the release workflow signs the bundles, uploads them alongside the existing DMG/MSI/AppImage, and the next time any installed copy hitshttps://api.anyspace.dev/updates/..., it'll get a real manifest back instead of 204.