Feature/improve update and signing (#24)

* The building process with a certificate is correct

* docs: update release process documentation and add signing key requirements

* fix: update publication date for Circle Camera 0.3.1 release

Author: devbyray

.gitignore

@@ -27,4 +27,6 @@ dist-ssr
 *.sln
 *.sw?
 docs/.vitepress/cache
-.env
+.env
+scripts/generate-update-json.js
+.tauri/

dev-docs/release-process.md

@@ -7,8 +7,10 @@ This document details the process for creating and publishing new releases of th
 Circle Camera uses a shell script (`scripts/release.sh`) to facilitate the release process locally. This script handles:
 
 1.  Validating the code.
-2.  Building the universal macOS DMG installer.
-3.  Creating a draft GitHub release with the installer attached.
+2.  Verifying signing keys are in place.
+3.  Building the universal macOS DMG installer with proper code signing.
+4.  Generating the update information with signatures.
+5.  Creating a draft GitHub release with the installer and update file attached.
 
 ## Local Release Process
 
@@ -21,6 +23,29 @@ Before running the release script, ensure you have the following installed and c
 *   **jq**: For parsing the version number from `package.json`.
 *   **GitHub CLI (`gh`)**: For creating the draft release and uploading assets. You need to be authenticated (`gh auth login`).
 *   **Rust toolchain**: With the `x86_64-apple-darwin` and `aarch64-apple-darwin` targets installed (`rustup target add x86_64-apple-darwin`).
+*   **Tauri signing keys**: Required for the update system (see "Setting up Signing Keys" section below).
+
+### Setting up Signing Keys
+
+The update system requires cryptographic keys for signing and verifying app updates:
+
+1. **Generate the key pair** (only once):
+   ```
+   npx @tauri-apps/cli signer generate -w ~/.tauri/circle-camera.key
+   ```
+
+2. **Verify the keys exist**:
+   ```
+   ls -la ~/.tauri/circle-camera.key*
+   ```
+   You should see both `circle-camera.key` (private key) and `circle-camera.key.pub` (public key).
+
+3. **Configure environment variables**: Add to your `.env` file or shell profile:
+   ```
+   export TAURI_SIGNING_PRIVATE_KEY=~/.tauri/circle-camera.key
+   ```
+
+4. **Verify the public key in config**: Ensure `src-tauri/tauri.conf.json` contains the correct public key from `~/.tauri/circle-camera.key.pub` in the `plugins.updater.pubkey` field.
 
 ### Triggering a New Release
 
@@ -51,9 +76,29 @@ The script performs the following steps:
 1.  **Branch Check**: Verifies you are on the `main` branch (can be overridden for testing: `./scripts/release.sh <branch-name>`).
 2.  **Get Version**: Extracts the version from `package.json` to create the tag (e.g., `v0.3.1`).
 3.  **Validate**: Runs `pnpm validate` (checks TypeScript and Rust code).
-4.  **Build**: Runs `pnpm tauri build --target universal-apple-darwin` to create the universal DMG.
-5.  **Create Draft Release**: Uses `gh release create` to make a draft release on GitHub with the extracted tag.
-6.  **Upload Asset**: Uses `gh release upload` to attach the built DMG to the draft release.
+4.  **Signing Key Check**: Verifies that the required signing keys exist.
+5.  **Environment Variable Setup**: Ensures the `TAURI_SIGNING_PRIVATE_KEY` environment variable is set.
+6.  **Build**: Runs `pnpm tauri build --target universal-apple-darwin` to create the universal DMG with embedded public key.
+7.  **Generate Update Information**: Runs `pnpm generate:update-json` to create the `latest.json` file with signatures for the update system.
+8.  **Create Draft Release**: Uses `gh release create` to make a draft release on GitHub with the extracted tag.
+9.  **Upload Assets**: Uploads both the built DMG and `latest.json` to the draft release.
+
+## Auto-Update System
+
+The Circle Camera app includes an auto-update system that checks for new releases and can download and install them automatically. This system requires:
+
+1. **Proper Signing**: Each release must be signed using the private key.
+2. **Update Information**: The `latest.json` file must be generated and uploaded to the release.
+3. **Public Key Distribution**: The app must be built with the public key embedded.
+
+The release script handles all these requirements automatically, but it's important to understand how they work if you need to troubleshoot issues.
+
+### Update Flow
+
+1. When the app starts, it checks the URL specified in `tauri.conf.json` (`plugins.updater.endpoints`) for the `latest.json` file.
+2. If a newer version is found, the app downloads the update package.
+3. The signature in the `latest.json` file is verified using the embedded public key.
+4. If verification succeeds, the app offers to install the update.
 
 ## Manual Steps After Script Completion
 
@@ -66,6 +111,7 @@ Once the script finishes successfully:
     *   List new features, improvements, and bug fixes.
 4.  **Review the attached assets**:
     *   Verify the universal DMG is present.
+    *   Verify the `latest.json` file is present with correct signatures.
 5.  **Publish the release** when ready.
 
 ## Testing Before Publishing
@@ -77,7 +123,19 @@ Before publishing the release:
     *   macOS with Apple Silicon (M1/M2/M3)
     *   macOS with Intel processor
 3.  Verify that all new features/fixes work correctly.
-4.  Test the auto-update mechanism by generating the `latest.json` (this is currently a separate manual step if needed, see `scripts/generate-update-json.js`).
+4.  Test the auto-update mechanism:
+    *   Install an older version of the app.
+    *   Publish the new release.
+    *   Verify that the older version detects and can update to the new version.
+
+## Troubleshooting the Update System
+
+If updates aren't working correctly:
+
+1. **Check the public key**: Ensure the public key in `tauri.conf.json` matches the actual public key at `~/.tauri/circle-camera.key.pub`.
+2. **Verify signatures**: Check that the `latest.json` file contains valid signatures.
+3. **Validate endpoints**: Make sure the update endpoint in `tauri.conf.json` points to the correct location where `latest.json` is hosted.
+4. **Debug logging**: Enable verbose logging in the app to see the update process in detail.
 
 ## Platform Support
 
@@ -106,6 +164,17 @@ If the release script fails:
     *   Rust build errors (check `pnpm validate` output).
     *   Incorrect Git branch.
     *   Network issues during GitHub API calls.
+    *   Missing or incorrect signing keys.
+    *   Environment variables not set correctly.
+
+## Signing Key Security
+
+The private signing key is critical for the security of your update system:
+
+1. **Never commit the private key** to version control.
+2. **Limit access** to only trusted release maintainers.
+3. **Back up the private key** securely - losing it means you'll need to create a new key pair and users will need to reinstall the app.
+4. **Consider password protection** for the private key when generating it.
 
 ## Release Announcements
 

latest.json

@@ -1,15 +1,11 @@
 {
-  "version": "0.2.0",
-  "notes": "Circle Camera 0.2.0 release",
-  "pub_date": "2025-04-17T14:09:31.335Z",
+  "version": "0.3.1",
+  "notes": "Circle Camera 0.3.1 release",
+  "pub_date": "2025-04-20T08:30:36.719Z",
   "platforms": {
-    "darwin-x86_64": {
-      "signature": "",
-      "url": "https://github.com/devbyray/circle-camera/releases/download/0.2.0/Circle.Camera_0.2.0_x64.dmg"
-    },
     "darwin-aarch64": {
-      "signature": "",
-      "url": "https://github.com/devbyray/circle-camera/releases/download/0.2.0/Circle.Camera_0.2.0_aarch64.dmg"
+      "signature": "dW50cnVzdGVkIGNvbW1lbnQ6IHNpZ25hdHVyZSBmcm9tIHRhdXJpIHNlY3JldCBrZXkKUlVTNmd6eTc4VG5RRlJlZTZzeEpJZC9pRGp4TzNGQTE5amdqN2dTWUVRYTdMVzJoYUFIZU5udmlIUStSYnNMS1Z6Y3JhdW5xaEc1cnBESzd4c2lnS0l5SllUd2R0MDM4emdnPQp0cnVzdGVkIGNvbW1lbnQ6IHRpbWVzdGFtcDoxNzQ1MTM2NjY1CWZpbGU6Q2lyY2xlIENhbWVyYS5hcHAudGFyLmd6CmFiK1NQU3JUeHBPTzU2bTRmbXVqZUJrbTBLYUpKaWxCblIxTUpyMWh4RisvUndWdlRpMGxxU2pjdzhmZUUwdWdKUFFOc1hSam1iVTNpUk05cWltakNRPT0K",
+      "url": "https://github.com/devbyray/circle-camera/releases/download/v0.3.1/Circle.Camera_0.3.1_aarch64.dmg"
     }
   }
 }

package.json

@@ -18,7 +18,8 @@
 		"docs:dev": "vitepress dev docs",
 		"docs:build": "vitepress build docs",
 		"docs:preview": "vitepress preview docs",
-		"release": "./scripts/release.sh"
+		"release": "./scripts/release.sh",
+		"tauri:build": "dotenv -- tauri build"
 	},
 	"dependencies": {
 		"@iconify-icons/icomoon-free": "^1.2.3",
@@ -36,6 +37,8 @@
 	"devDependencies": {
 		"@tauri-apps/cli": "^2",
 		"@vitejs/plugin-vue": "^5.2.1",
+		"dotenv": "^16.5.0",
+		"dotenv-cli": "^8.0.0",
 		"release-it": "^18.1.2",
 		"typescript": "~5.8.3",
 		"vite": "^6.0.3",

pnpm-lock.yaml

@@ -4,10 +4,14 @@ import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
 import { dirname } from 'path';
+import os from 'os';
+import dotenv from 'dotenv';
 
+// Load environment variables from .env file
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const rootDir = path.resolve(__dirname, '..');
+dotenv.config({ path: path.join(rootDir, '.env') });
 
 // Read the version from package.json
 const packageJsonPath = path.join(rootDir, 'package.json');
@@ -21,24 +25,40 @@ const pubDate = new Date().toISOString();
 const repoOwner = 'devbyray';
 const repoName = 'circle-camera';
 
+// Get the path to the DMG file
+const aarch64DmgPath = path.join(rootDir, 'src-tauri', 'target', 'release', 'bundle', 'dmg', `Circle Camera_${version}_aarch64.dmg`);
+console.log(`Looking for DMG file at: ${aarch64DmgPath}`);
+
+// Get the path to the signature file that Tauri auto-generated
+const signaturePath = path.join(rootDir, 'src-tauri', 'target', 'release', 'bundle', 'macos', `Circle Camera.app.tar.gz.sig`);
+console.log(`Looking for signature file at: ${signaturePath}`);
+
+// Check if the DMG file exists
+if (!fs.existsSync(aarch64DmgPath)) {
+  console.error(`❌ ARM64 DMG not found at: ${aarch64DmgPath}`);
+  process.exit(1);
+}
+
+// Check if the signature file exists
+if (!fs.existsSync(signaturePath)) {
+  console.error(`❌ Signature file not found at: ${signaturePath}`);
+  process.exit(1);
+}
+
+// Read the signature file
+const signature = fs.readFileSync(signaturePath, 'utf8').trim();
+console.log(`✅ Found signature for update package`);
+
 // Create the update JSON structure
 const updateJson = {
   version,
   notes: `Circle Camera ${version} release`,
   pub_date: pubDate,
   platforms: {
-    'darwin-x86_64': {
-      signature: '',
-      url: `https://github.com/${repoOwner}/${repoName}/releases/download/${version}/Circle.Camera_${version}_x64.dmg`
-    },
     'darwin-aarch64': {
-      signature: '',
-      url: `https://github.com/${repoOwner}/${repoName}/releases/download/${version}/Circle.Camera_${version}_aarch64.dmg`
-    },
-    // 'windows-x86_64': {
-    //   signature: '',
-    //   url: `https://github.com/${repoOwner}/${repoName}/releases/download/${version}/Circle.Camera_${version}_x64-setup.exe`
-    // }
+      signature,
+      url: `https://github.com/${repoOwner}/${repoName}/releases/download/v${version}/Circle.Camera_${version}_aarch64.dmg`
+    }
   }
 };
 
@@ -49,9 +69,6 @@ fs.writeFileSync(outputPath, JSON.stringify(updateJson, null, 2), 'utf8');
 console.log(`🔄 Created latest.json for version ${version}`);
 console.log(`📝 File saved at: ${outputPath}`);
 console.log('');
-console.log('⚠️ Important: For secure updates, add signatures to the JSON file.');
-console.log('   See: https://tauri.app/v2/guides/distribution/updater');
-console.log('');
 console.log('📋 Release checklist:');
 console.log('   1. Build your app for all platforms');
 console.log('   2. Upload this latest.json file to your GitHub release');

scripts/generate-update-json.js

@@ -29,6 +29,27 @@ TAG="v$VERSION"
 echo "Running validation..."
 pnpm validate
 
+# --- Check for signing keys ---
+PRIVATE_KEY_PATH="$HOME/.tauri/circle-camera.key"
+PUBLIC_KEY_PATH="$HOME/.tauri/circle-camera.key.pub"
+
+if [ ! -f "$PRIVATE_KEY_PATH" ] || [ ! -f "$PUBLIC_KEY_PATH" ]; then
+  echo "Error: Signing keys not found. They should be at:"
+  echo "  - $PRIVATE_KEY_PATH"
+  echo "  - $PUBLIC_KEY_PATH"
+  echo ""
+  echo "Generate them with: npx @tauri-apps/cli signer generate -w $HOME/.tauri/circle-camera.key"
+  exit 1
+fi
+echo "✅ Signing keys found"
+
+# --- Verify environment variables ---
+if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ]; then
+  echo "Warning: TAURI_SIGNING_PRIVATE_KEY environment variable not set."
+  echo "Setting it now to $PRIVATE_KEY_PATH for this session."
+  export TAURI_SIGNING_PRIVATE_KEY="$PRIVATE_KEY_PATH"
+fi
+
 # --- Build ---
 echo "Building universal macOS DMG..."
 # Using --target universal-apple-darwin explicitly for clarity
@@ -47,6 +68,16 @@ if [ ! -f "$DMG_PATH" ]; then
 fi
 echo "DMG file found: $DMG_PATH"
 
+# --- Generate update.json file with signatures ---
+echo "Generating latest.json update file with signatures..."
+pnpm generate:update-json
+
+if [ ! -f "latest.json" ]; then
+    echo "Error: latest.json file was not generated"
+    exit 1
+fi
+echo "✅ latest.json generated successfully"
+
 # --- Create GitHub Draft Release ---
 echo "Creating draft release $TAG on GitHub..."
 
@@ -66,7 +97,10 @@ fi
 echo "Uploading asset: $DMG_PATH"
 gh release upload "$TAG" "$DMG_PATH" --clobber
 
-echo "Successfully created draft release $TAG and uploaded $DMG_NAME."
+echo "Uploading update information: latest.json"
+gh release upload "$TAG" "latest.json" --clobber
+
+echo "Successfully created draft release $TAG and uploaded $DMG_NAME and latest.json."
 # Use gh repo view to reliably get owner/repo
 REPO_FULL_NAME=$(gh repo view --json owner,name --jq '.owner.login + "/" + .name')
 echo "Please review the draft release on GitHub: https://github.com/$REPO_FULL_NAME/releases/edit/$TAG"