Publish Modrinth Plus self-update metadata

.gitea/workflows/build.yml

@@ -19,6 +19,9 @@ jobs:
       MODRINTH_SOCKET_URL: wss://api.modrinth.com/
       MODRINTH_LAUNCHER_META_URL: https://launcher-meta.modrinth.com/
       REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+      TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+      TAURI_SIGNING_PUBLIC_KEY: ${{ secrets.TAURI_SIGNING_PUBLIC_KEY }}
       XWIN_CACHE_DIR: .xwin-cache
     steps:
       - name: Checkout
@@ -63,6 +66,18 @@ jobs:
       - name: Install Windows Rust target
         run: rustup target add x86_64-pc-windows-msvc
 
+      - name: Prepare Modrinth Plus update metadata
+        shell: bash
+        run: |
+          if [ -z "${TAURI_SIGNING_PRIVATE_KEY}" ] || [ -z "${TAURI_SIGNING_PUBLIC_KEY}" ]; then
+            echo "::error::TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PUBLIC_KEY secrets are required for self-updating builds."
+            exit 1
+          fi
+
+          build_version="1.0.${GITHUB_RUN_NUMBER}"
+          node -e "const fs=require('fs'); const path='apps/app-frontend/package.json'; const pkg=JSON.parse(fs.readFileSync(path,'utf8')); pkg.version=process.argv[1]; fs.writeFileSync(path, JSON.stringify(pkg,null,'\\t')+'\\n');" "${build_version}"
+          node -e "const fs=require('fs'); const path='apps/app/tauri-release.conf.json'; const config=JSON.parse(fs.readFileSync(path,'utf8')); config.plugins.updater.pubkey=process.env.TAURI_SIGNING_PUBLIC_KEY; fs.writeFileSync(path, JSON.stringify(config,null,'\\t')+'\\n');"
+
       - name: Build Windows desktop client
         run: pnpm --filter @modrinth/app exec tauri build --runner cargo-xwin --target x86_64-pc-windows-msvc
 
@@ -94,19 +109,46 @@ jobs:
             exit 1
           fi
 
+          mapfile -d '' updater_bundles < <(find target/x86_64-pc-windows-msvc/release/bundle/nsis -maxdepth 1 -type f -name '*.nsis.zip' -print0)
+          if [ "${#updater_bundles[@]}" -eq 0 ]; then
+            echo "No Windows updater bundle found to publish"
+            exit 1
+          fi
+
+          updater_bundle="${updater_bundles[0]}"
+          updater_signature="${updater_bundle}.sig"
+          if [ ! -f "${updater_signature}" ]; then
+            echo "No Windows updater signature found at ${updater_signature}"
+            exit 1
+          fi
+
           rm -rf "${package_dir}"
           mkdir -p "${package_dir}/versioned" "${package_dir}/latest"
           cp "${artifacts[0]}" "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe"
+          cp "${updater_bundle}" "${package_dir}/versioned/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip"
 
           curl --fail-with-body \
             --user "${repository_owner}:${REGISTRY_TOKEN}" \
             --upload-file "${package_dir}/versioned/Modrinth-Plus-Windows-Setup-${package_version}.exe" \
             "${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Setup-${package_version}.exe"
 
+          update_url="${gitea_server}/api/packages/${repository_owner}/generic/${package_name}/${package_version}/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip"
+          curl --fail-with-body \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
+            --upload-file "${package_dir}/versioned/Modrinth-Plus-Windows-Update-${package_version}.nsis.zip" \
+            "${update_url}"
+
           curl --silent --show-error --user "${repository_owner}:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true
           cp "${artifacts[0]}" "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe"
+          signature="$(cat "${updater_signature}")"
+          node -e "const fs=require('fs'); const [version, url, signature]=process.argv.slice(1); const metadata={version, notes:'Modrinth Plus launcher update', pub_date:new Date().toISOString(), platforms:{'windows-x86_64':{signature,url}}}; fs.writeFileSync('package-registry/latest/latest.json', JSON.stringify(metadata,null,2)+'\\n');" "${app_version}" "${update_url}" "${signature}"
 
           curl --fail-with-body \
             --user "${repository_owner}:${REGISTRY_TOKEN}" \
             --upload-file "${package_dir}/latest/Modrinth-Plus-Windows-Setup.exe" \
             "${latest_url}/Modrinth-Plus-Windows-Setup.exe"
+
+          curl --fail-with-body \
+            --user "${repository_owner}:${REGISTRY_TOKEN}" \
+            --upload-file "${package_dir}/latest/latest.json" \
+            "${latest_url}/latest.json"

CHANGELOG.md

@@ -7,6 +7,7 @@ All notable Modrinth Plus changes are documented here.
 - Added Connected Library for public Git-hosted `modrinth-plus.json` modpack manifests.
 - Added Gitea Actions verification for the Modrinth Plus fork.
 - Added Windows installer publishing to the Gitea generic package registry.
+- Added signed Windows self-update metadata publishing for Modrinth Plus release builds.
 - Added Codex repository context and release/security documentation.
 - Fixed startup compatibility with existing official Modrinth App databases that recorded different checksums for historical SQLite migrations.
 - Fixed Connected Library Git repository URL resolution for repositories that use `master` instead of `main`.

apps/app/tauri-release.conf.json

@@ -30,8 +30,13 @@
 	},
 	"plugins": {
 		"updater": {
-			"pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDIwMzM5QkE0M0FCOERBMzkKUldRNTJyZzZwSnN6SUdPRGdZREtUUGxMblZqeG9OVHYxRUlRTzJBc2U3MUNJaDMvZDQ1UytZZmYK",
+			"pubkey": "MODRINTH_PLUS_UPDATER_PUBLIC_KEY",
-			"endpoints": ["https://launcher-files.modrinth.com/updates.json"]
+			"endpoints": [
+				"https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json"
+			],
+			"windows": {
+				"installMode": "passive"
+			}
 		}
 	}
 }

docs/self-updates.md

@@ -0,0 +1,24 @@
+# Modrinth Plus Self-Updates
+
+Modrinth Plus uses the existing Tauri updater flow from the upstream Modrinth App. Release builds check the Gitea generic package registry for `latest.json` and show the in-app update notification after startup when a newer signed build exists.
+
+The updater requires signing. Tauri does not allow unsigned updater installs, so the Gitea repository must provide these Actions secrets:
+
+- `TAURI_SIGNING_PRIVATE_KEY`: private key generated by `tauri signer generate`.
+- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: optional key password.
+- `TAURI_SIGNING_PUBLIC_KEY`: public key generated next to the private key.
+- `REGISTRY_TOKEN`: Gitea token with package write access.
+
+Generate a keypair with the Tauri CLI:
+
+```powershell
+pnpm --filter @modrinth/app exec tauri signer generate -- -w "$env:USERPROFILE\.tauri\modrinth-plus-updater.key"
+```
+
+Use the `.key` file content as `TAURI_SIGNING_PRIVATE_KEY` and the `.key.pub` file content as `TAURI_SIGNING_PUBLIC_KEY`.
+
+The Gitea workflow patches the public key into `apps/app/tauri-release.conf.json` at build time, builds a signed Windows updater bundle, uploads the installer and updater bundle to the package registry, and publishes `latest.json` at:
+
+```text
+https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json
+```