Publish Modrinth Plus self-update metadata

2026-05-15 23:22:51 +02:00
parent f3685cace3
commit d0ba75e18e
4 changed files with 74 additions and 2 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -19,6 +19,9 @@ jobs:
      MODRINTH_SOCKET_URL: wss://api.modrinth.com/
      MODRINTH_LAUNCHER_META_URL: https://launcher-meta.modrinth.com/
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+      TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+      TAURI_SIGNING_PUBLIC_KEY: ${{ secrets.TAURI_SIGNING_PUBLIC_KEY }}
      XWIN_CACHE_DIR: .xwin-cache
    steps:
      - name: Checkout
@@ -63,6 +66,18 @@ jobs:
      - name: Install Windows Rust target
        run: rustup target add x86_64-pc-windows-msvc

+      - name: Prepare Modrinth Plus update metadata
+        shell: bash
+        run: |
+          if [ -z "${TAURI_SIGNING_PRIVATE_KEY}" ] || [ -z "${TAURI_SIGNING_PUBLIC_KEY}" ]; then
+            echo "::error::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY secrets are required for self-updating builds."
+            exit 1
+          fi
+
+          build_version="1.0.${GITHUB_RUN_NUMBER}"
+          node -e "const fs=require('fs'); const path='apps/app-frontend/package.json'; const pkg=JSON.parse(fs.readFileSync(path,'utf8')); pkg.version=process.argv[1]; fs.writeFileSync(path, JSON.stringify(pkg,null,'\\t')+'\\n');" "${build_version}"
+          node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.plugins.updater.pubkey=process.env.TAURI_SIGNING_PUBLIC_KEY; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
+
      - name: Build Windows desktop client
        run: pnpm --filter @modrinth/app exec tauri build --runner cargo-xwin --target x86_64-pc-windows-msvc

@@ -94,19 +109,46 @@ jobs:
            exit 1
          fi

+          mapfile -d '' updater_bundles < <(find target/x86_64-pc-windows-msvc/release/bundle/nsis -maxdepth 1 -type f -name '*.nsis.zip' -print0)
+          if [ "${#updater_bundles[@]}" -eq 0 ]; then
+            echo "No Windows updater bundle found to publish"
+            exit 1
+          fi
+
+          updater_bundle="${updater_bundles[0]}"
+          updater_signature="${updater_bundle}.sig"
+          if [ ! -f "${updater_signature}" ]; then
+            echo "No Windows updater signature found at ${updater_signature}"
+            exit 1
+          fi
+
          rm -rf "${package_dir}"
          mkdir -p "${package_dir}/versioned" "${package_dir}/latest"
          cp "${artifacts[0]}" "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe"
+          cp "${updater_bundle}" "${package_dir}/versioned/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip"

          curl --fail-with-body \
            --user "${repository_owner}:${REGISTRY_TOKEN}" \
            --upload-file "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe" \
            "${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Setup-${package_version}.exe"

+          update_url="${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip"
+          curl --fail-with-body \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
+            --upload-file "${package_dir}/versioned/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip" \
+            "${update_url}"
+
          curl --silent --show-error --user "${repository_owner}:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
          cp "${artifacts[0]}" "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe"
+          signature="$(cat "${updater_signature}")"
+          node -e "const fs=require('fs'); const [version, url, signature]=process.argv.slice(1); const metadata={version, notes:'Modrinth Plus launcher update', pub_date:new Date().toISOString(), platforms:{'windows-x86_64':{signature,url}}}; fs.writeFileSync('package-registry/latest/latest.json', JSON.stringify(metadata,null,2)+'\\n');" "${app_version}" "${update_url}" "${signature}"

          curl --fail-with-body \
            --user "${repository_owner}:${REGISTRY_TOKEN}" \
            --upload-file "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe" \
            "${latest_url}/Modrinth-Plus-Windows-Setup.exe"
+
+          curl --fail-with-body \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
+            --upload-file "${package_dir}/latest/latest.json" \
+            "${latest_url}/latest.json"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable Modrinth Plus changes are documented here.
 - Added Connected Library for public Git-hosted `modrinth-plus.json` modpack manifests.
 - Added Gitea Actions verification for the Modrinth Plus fork.
 - Added Windows installer publishing to the Gitea generic package registry.
+- Added signed Windows self-update metadata publishing for Modrinth Plus release builds.
 - Added Codex repository context and release/security documentation.
 - Fixed startup compatibility with existing official Modrinth App databases that recorded different checksums for historical SQLite migrations.
 - Fixed Connected Library Git repository URL resolution for repositories that use `master` instead of `main`.
--- a/apps/app/tauri-release.conf.json
+++ b/apps/app/tauri-release.conf.json
@@ -30,8 +30,13 @@
 	},
 	"plugins": {
 		"updater": {
-			"pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDIwMzM5QkE0M0FCOERBMzkKUldRNTJyZzZwSnN6SUdPRGdZREtUUGxMblZqeG9OVHYxRUlRTzJBc2U3MUNJaDMvZDQ1UytZZmYK",
-			"endpoints": ["https://launcher-files.modrinth.com/updates.json"]
+			"pubkey": "MODRINTH_PLUS_UPDATER_PUBLIC_KEY",
+			"endpoints": [
+				"https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json"
+			],
+			"windows": {
+				"installMode": "passive"
+			}
 		}
 	}
 }
--- a/docs/self-updates.md
+++ b/docs/self-updates.md
@@ -0,0 +1,24 @@
+# Modrinth Plus Self-Updates
+
+Modrinth Plus uses the existing Tauri updater flow from the upstream Modrinth App. Release builds check the Gitea generic package registry for `latest.json` and show the in-app update notification after startup when a newer signed build exists.
+
+The updater requires signing. Tauri does not allow unsigned updater installs, so the Gitea repository must provide these Actions secrets:
+
+- `TAURI_SIGNING_PRIVATE_KEY`: private key generated by `tauri signer generate`.
+- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: optional key password.
+- `TAURI_SIGNING_PUBLIC_KEY`: public key generated next to the private key.
+- `REGISTRY_TOKEN`: Gitea token with package write access.
+
+Generate a keypair with the Tauri CLI:
+
+```powershell
+pnpm --filter @modrinth/app exec tauri signer generate -- -w "$env:USERPROFILE\.tauri\modrinth-plus-updater.key"
+```
+
+Use the `.key` file content as `TAURI_SIGNING_PRIVATE_KEY` and the `.key.pub` file content as `TAURI_SIGNING_PUBLIC_KEY`.
+
+The Gitea workflow patches the public key into `apps/app/tauri-release.conf.json` at build time, builds a signed Windows updater bundle, uploads the installer and updater bundle to the package registry, and publishes `latest.json` at:
+
+```text
+https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json
+```