
Commit 49b217d

MagicalTux and claude committed
Revert server auto-update (single identity can't split streams); keep update feedback
The v0.1.15 attempt gave the headless build its own update stream via a separate rsupd project, but the dist model makes that unworkable with one signing identity: the manifest URL is keyed by (fingerprint, channel) and release uniqueness by (fingerprint, version), so two variants can't publish the same version — and pointing the shared MANIFEST-master at a decryptd-server manifest would break GUI auto-update (project mismatch). That release was cancelled before any publish; MANIFEST-master is intact.

- Server build reverts to download-only (updater gated to the gui feature again; publish-server job removed). Master publish is a single, conflict-free upload again.
- Kept the important fix: the GUI "Check for Updates" now reports its outcome via desktop notification (up-to-date / updating / error) so the Windows failure stops being invisible.

An independent server update stream would need a second signing identity; deferred pending that.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 93f0120 commit 49b217d

2 files changed

Lines changed: 18 additions & 56 deletions


.github/workflows/release.yml

Lines changed: 0 additions & 33 deletions
@@ -56,36 +56,3 @@ jobs:
5656
GH_TOKEN: ${{ github.token }}
5757
RSUPD_IDENTITY: ${{ secrets.RSUPD_IDENTITY }}
5858
run: rsupd publish --ci --run ${{ github.run_id }} --channel master --yes
59-
60-
# The headless -server build updates from its own rsupd project `decryptd-server`
61-
# (the backend keys releases by project+version, so the GUI and server binaries —
62-
# same version, same os_arch — can't share the `decryptd` project). Its binary
63-
# isn't a triple-named CI artifact, so `--ci` can't stage it; instead we drop it
64-
# into target/<triple>/release/ and publish in local mode with an explicit
65-
# --project (rsupd packages the existing binary — no recompile). Independent of
66-
# the master publish, so a failure here never blocks GUI updates.
67-
publish-server:
68-
name: Sign & publish server update
69-
needs: build
70-
runs-on: ubuntu-latest
71-
permissions:
72-
contents: read
73-
actions: read
74-
steps:
75-
- uses: actions/checkout@v4
76-
- uses: dtolnay/rust-toolchain@stable
77-
- uses: Swatinem/rust-cache@v2
78-
- name: Install rsupd CLI
79-
run: cargo install rsupd --locked --features _cli
80-
- name: Stage the headless server binary at its target path
81-
env:
82-
GH_TOKEN: ${{ github.token }}
83-
run: |
84-
gh run download ${{ github.run_id }} -n decryptd-linux-x86_64-server.tar.gz -D srv
85-
mkdir -p target/x86_64-unknown-linux-gnu/release
86-
tar -xzf srv/decryptd-linux-x86_64-server.tar.gz \
87-
-C target/x86_64-unknown-linux-gnu/release decryptd
88-
- name: Sign & publish the decryptd-server project
89-
env:
90-
RSUPD_IDENTITY: ${{ secrets.RSUPD_IDENTITY }}
91-
run: rsupd publish --project decryptd-server --target x86_64-unknown-linux-gnu --channel master --yes
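
Review bot: Deleting the `publish-server` job also deletes the only comment in this part of the workflow that explains how the headless artifact relates to publishing, so nothing next to the remaining `rsupd publish --ci --run ... --channel master --yes` step says the server build is left out on purpose. Suggest a short comment after that step stating that the `-server` build is download-only and that a separate update stream needs a second signing identity, so the job is not re-added later under the same `RSUPD_IDENTITY`.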

src/main.rs

Lines changed: 18 additions & 23 deletions
@@ -921,27 +921,22 @@ fn upload_loop(ctx: RestContext, inflight: InFlight, done: Arc<Mutex<Receiver<Fi
921921
/// Trust anchor for self-updates: the SHA-256 fingerprint of the decryptd
922922
/// release signing key (`rsupd id export`). It's a hash of a public key, so it's
923923
/// safe to embed; the updater refuses any manifest not signed by the matching
924-
/// private identity.
924+
/// private identity. GUI-build only — the console `-server` build has no updater.
925+
#[cfg(feature = "gui")]
925926
const RSUPD_FINGERPRINT: &str = "80b9edc7e6eaebf10b2a25bb10556b9b7fa6abc9fbe556706a2b680cefa4a0fc";
926927

927-
/// The rsupd project this build updates from. The dist backend keys releases by
928-
/// (project, version), so the GUI and headless builds — same version, same
929-
/// os_arch, different binary — must live under different projects, not just
930-
/// different channels. The GUI build is `decryptd`; the headless build is
931-
/// `decryptd-server`, published from the no-GUI binary. Both are signed by the
932-
/// same identity/fingerprint. A console worker thus updates to another console
933-
/// build, never the GTK-linked GUI one (which wouldn't start on a headless box).
928+
/// Build the signed auto-updater. The transport (dist-go over rsurl) and channel
929+
/// (`master`) default from the fingerprint, so the anchor is the only required
930+
/// input. The git stamps from `build.rs` let it also spot a newer build of the
931+
/// same version (and never reinstall the identical build).
932+
///
933+
/// GUI-build only. The dist backend keys releases by `(fingerprint, version)`, so
934+
/// with a single signing identity two variants can't publish the same version;
935+
/// the headless build therefore ships without an updater (download-only). Giving
936+
/// the server its own auto-update stream would need a second signing identity.
934937
#[cfg(feature = "gui")]
935-
const UPDATE_PROJECT: &str = "decryptd";
936-
#[cfg(not(feature = "gui"))]
937-
const UPDATE_PROJECT: &str = "decryptd-server";
938-
939-
/// Build the signed auto-updater. The transport (dist-go over rsurl) defaults from
940-
/// the fingerprint, so the anchor + project are the only required inputs. The git
941-
/// stamps from `build.rs` let it also spot a newer build of the same version (and
942-
/// never reinstall the identical build).
943938
fn build_updater() -> rsupd::Result<rsupd::Updater> {
944-
rsupd::Updater::builder(UPDATE_PROJECT, env!("CARGO_PKG_VERSION"))
939+
rsupd::Updater::builder(env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"))
945940
.fingerprint_hex(RSUPD_FINGERPRINT)
946941
.git_tag(env!("RSUPD_GIT_TAG"))
947942
.date_tag(rsupd::date_tag_from_unix(env!("RSUPD_BUILD_UNIX")))
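
Review bot: In `build_updater`, replacing `UPDATE_PROJECT` with `env!("CARGO_PKG_NAME")` ties the update project to the crate name, so a package rename would change which project the updater requests without any edit to this file. The commit message itself notes that a project mismatch breaks GUI auto-update, so an explicit `#[cfg(feature = "gui")] const UPDATE_PROJECT: &str = "decryptd";` next to `RSUPD_FINGERPRINT`, passed to `Updater::builder`, would keep that value pinned and reviewable. The new doc comment also no longer names the project the GUI build updates from; one clause restoring that would help.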
@@ -955,12 +950,12 @@ fn main() -> Result<()> {
955950
let args = RunArgs::parse();
956951
let status = Status::default();
957952

958-
// Long-lived workers keep themselves current: check hourly in the background
959-
// and restart into each new signed build. Each variant tracks its own update
960-
// channel (see `build_updater`) — the GUI build on `master`, the headless
961-
// `-server` build on `server` — so a console worker never pulls the GTK-linked
962-
// GUI binary, which wouldn't start on a display-less box. `--once` is
963-
// short-lived, so it skips the updater.
953+
// Self-update is a GUI-build feature only (see `build_updater`): with one
954+
// signing identity the headless build can't have an independent update stream,
955+
// so it ships download-only. Long-lived GUI workers keep themselves current:
956+
// check hourly in the background and restart into each new signed build.
957+
// `--once` is short-lived, so it skips the updater.
958+
#[cfg(feature = "gui")]
964959
if !args.once {
965960
match build_updater() {
966961
Ok(updater) => {
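
Review bot: With `#[cfg(feature = "gui")]` on the `if !args.once` block, the headless build compiles the updater out and gives no runtime indication that it will never self-update. Consider a `#[cfg(not(feature = "gui"))]` startup log line stating that the build is download-only, so operators of long-lived console workers know that upgrades are manual.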
