worked on new signing key for updater plugin

Author: ashesbloom

.github/workflows/release.yml

@@ -14,9 +14,8 @@ on:
 env:
   PYTHON_VERSION: '3.11'
   NODE_VERSION: '18'
-  # Tauri updater signing key (set in GitHub Secrets)
-  # TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-  # TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+  # Password is passed directly (can be empty)
+  TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 
 jobs:
   build-windows:
@@ -76,92 +75,37 @@ jobs:
         run: |
           copy backend\dist\backend_server-x86_64-pc-windows-msvc.exe frontend\src-tauri\
 
-      # Build the final application with signing enabled
-      - name: Build Tauri application
-        env:
-          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
-          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+      # Decode the secret and set the environment variable for the next step
+      - name: Setup Signing Key
         run: |
-          cd frontend
-          
-          Write-Output "=== Debugging Signing Key Setup ==="
-          
-          # Check Password
-          if ($env:TAURI_SIGNING_PRIVATE_KEY_PASSWORD) {
-             Write-Output "Password env var is set (length: $($env:TAURI_SIGNING_PRIVATE_KEY_PASSWORD.Length))"
-          } else {
-             Write-Warning "Password env var is EMPTY"
-          }
-
-          # Decode Base64 directly to bytes and write to file (avoids BOM/encoding issues)
-          try {
-            # Try to decode as Base64 first (in case user encoded the key file)
-            $bytes = [System.Convert]::FromBase64String($env:TAURI_SIGNING_PRIVATE_KEY)
-            [System.IO.File]::WriteAllBytes("$PWD/tauri.key", $bytes)
-            Write-Output "Successfully decoded Base64 key to tauri.key"
-          } catch {
-            # If Base64 decoding fails, assume it's the raw text content of the key
-            Write-Output "Secret is not Base64, assuming raw key content."
-            # Explicitly use UTF-8 NO BOM and Trim whitespace
-            $keyContent = $env:TAURI_SIGNING_PRIVATE_KEY.Trim()
-            $encoding = New-Object System.Text.UTF8Encoding $false
-            [System.IO.File]::WriteAllText("$PWD/tauri.key", $keyContent, $encoding)
-            Write-Output "Saved raw key content to tauri.key"
-          }
+          # 1. Get the Base64 secret
+          $encoded = "${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}"
           
-          # Debug: Check file content (Hex dump start)
-          if (Test-Path "tauri.key") {
-            $len = (Get-Item 'tauri.key').Length
-            Write-Output "Key file created. Size: $len bytes"
+          if ($encoded) {
+            # 2. Decode Base64 to text
+            $bytes = [System.Convert]::FromBase64String($encoded)
+            $decodedKey = [System.Text.Encoding]::UTF8.GetString($bytes)
             
-            # Hex dump first 16 bytes to check for BOM or corruption
-            # Using Format-Hex which is available in PS 5.1 and Core
-            try {
-              $hex = Format-Hex -Path "tauri.key" -Count 16 | Out-String
-              Write-Output "File Head (Hex):`n$hex"
-            } catch {
-              Write-Warning "Could not run Format-Hex: $_"
-            }
+            # 3. Write to a temporary file (frontend/tauri.key)
+            $keyPath = Join-Path (Get-Location) "frontend/tauri.key"
+            [System.IO.File]::WriteAllText($keyPath, $decodedKey)
             
-            # Verify header text
-            $firstLine = Get-Content "tauri.key" -TotalCount 1
-            Write-Output "First line text: $firstLine"
+            # 4. Set the environment variable to the FILE PATH
+            # This is the equivalent of 'export' but for GitHub Actions Windows runners
+            echo "TAURI_SIGNING_PRIVATE_KEY=$keyPath" >> $env:GITHUB_ENV
             
-            if ($firstLine -notmatch "^untrusted comment:") {
-               Write-Warning "Key file does not start with 'untrusted comment:'"
-            }
+            Write-Host "Success: Signing key decoded and saved to $keyPath"
+          } else {
+            Write-Warning "TAURI_SIGNING_PRIVATE_KEY secret is missing!"
           }
-          
-          # Strategy: Pass the content to Tauri
-          # We reload it from the file to ensure we use the clean version we just wrote
-          $env:TAURI_SIGNING_PRIVATE_KEY = [System.IO.File]::ReadAllText("$PWD/tauri.key")
-          Write-Output "Setting TAURI_SIGNING_PRIVATE_KEY to clean key content (length: $($env:TAURI_SIGNING_PRIVATE_KEY.Length))"
-          
-          npm run tauri build
 
-      # Debug: List all files in bundle directory to see if .sig files were created
-      - name: Debug - List bundle files
+      # Build the final application
+      - name: Build Tauri application
         run: |
-          Write-Output "=== Checking if signing key is set ==="
-          if ($env:TAURI_SIGNING_PRIVATE_KEY) {
-            Write-Output "TAURI_SIGNING_PRIVATE_KEY is SET (length: $($env:TAURI_SIGNING_PRIVATE_KEY.Length))"
-          } else {
-            Write-Output "WARNING: TAURI_SIGNING_PRIVATE_KEY is NOT SET - signatures will be empty!"
-          }
-          
-          Write-Output "`n=== Files in msi folder ==="
-          Get-ChildItem -Path "frontend\src-tauri\target\release\bundle\msi" -Recurse | ForEach-Object { Write-Output $_.FullName }
-          
-          Write-Output "`n=== Files in nsis folder (if exists) ==="
-          if (Test-Path "frontend\src-tauri\target\release\bundle\nsis") {
-            Get-ChildItem -Path "frontend\src-tauri\target\release\bundle\nsis" -Recurse | ForEach-Object { Write-Output $_.FullName }
-          }
-          
-          Write-Output "`n=== Looking for .sig files ==="
-          Get-ChildItem -Path "frontend\src-tauri\target\release\bundle" -Recurse -Filter "*.sig" | ForEach-Object { 
-            Write-Output "Found signature: $($_.FullName)"
-            Write-Output "Content: $(Get-Content $_.FullName -Raw)"
-          }
+          cd frontend
+          npm run tauri build
+
+
 
       # Generate checksums for verification
       - name: Generate checksums

frontend/.gitignore

@@ -33,4 +33,6 @@ coverage
 
 # Tauri secret files
 tauri-*.key
-tauri-*.key.pub
+tauri-*.key.pub
+
+.tauri

frontend/package-lock.json

@@ -28,3 +28,6 @@ tokio = { version = "1.46.0", features = ["time"] }
 tauri-plugin-updater = "2.9.0"
 tauri-plugin-process = "2.3.1"
 
+[target.'cfg(not(any(target_os = "android", target_os = "ios")))'.dependencies]
+tauri-plugin-updater = "2"
+

frontend/src-tauri/Cargo.toml

@@ -15,6 +15,7 @@
     "updater:allow-download",
     "updater:allow-install",
     "process:allow-restart",
-    "process:allow-exit"
+    "process:allow-exit",
+    "updater:allow-download-and-install"
   ]
 }

frontend/src-tauri/capabilities/default.json

@@ -0,0 +1,14 @@
+{
+  "identifier": "desktop-capability",
+  "platforms": [
+    "macOS",
+    "windows",
+    "linux"
+  ],
+  "windows": [
+    "main"
+  ],
+  "permissions": [
+    "updater:default"
+  ]
+}

frontend/src-tauri/capabilities/desktop.json

@@ -2,6 +2,7 @@ use std::sync::{Arc, Mutex};
 use std::time::Duration;
 use tauri::{Emitter, Manager, State, WindowEvent};
 use tauri_plugin_shell::{process::{CommandChild, CommandEvent}, ShellExt};
+use tauri_plugin_updater::UpdaterExt;
 
 #[derive(Default)]
 struct BackendInfo {

frontend/src-tauri/src/lib.rs

@@ -41,7 +41,6 @@
       "endpoints": [
         "https://github.com/ashesbloom/LocalLens/releases/latest/download/latest.json"
       ],
-      "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDdGQkFFNkRDRUQ1REQ5QzAKUldUQTJWM3QzT2E2ZjhCck5mV2hhY1VKc05xMDVUa0Q0TUh4cUZSTnFDMHN2VVRuVkVkaW1laXYK"
-    }
+      "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IEFFOTI4RDBEODlBNTFERjUKUldUMUhhV0pEWTJTcnUreGZtb2pSYkl5ejAyYWdNa2Fhalc1c212S2pvWlpYYUtOMXRzcndhZmUK"
   }
 }