Sign Windows releases with MrTrust certificate
@@ -18,6 +18,8 @@
- [ ] Security review is current.
- [ ] No secrets are committed.
- [ ] Windows artifacts are signed with the MrTrust code-signing certificate.
- [ ] Signature validates on a machine where MrTrust is installed.
- [ ] Connected Library external URLs are documented.
- [ ] Private repo authentication remains disabled unless explicitly designed.
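Review bot: the item "Signature validates on a machine where MrTrust is installed" does not say how validation is done or which certificate the signature must chain to, so it can be ticked by a signature from any certificate MrTrust happens to trust. Suggest naming the check (e.g. `Get-AuthenticodeSignature` or `signtool verify`) together with the expected publisher name or thumbprint, and adding a negative check: on a machine without MrTrust the installer must show the MrSphay chain as untrusted, which confirms that trust comes from the MrTrust install and not from a public CA.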
@@ -8,6 +8,7 @@ Release artifacts are not published yet.
- Connected Library can track public Git-hosted modpack manifests.
- Per-pack auto-update can be enabled after a pack is connected.
- Windows release artifacts are signed with the MrTrust code-signing certificate.
- Gitea Actions are used as the verification runner.
## Security
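Review bot: the new feature bullet asserts that Windows release artifacts "are signed" while the hunk context still says "Release artifacts are not published yet", so the README describes a state that does not exist yet. Suggest phrasing it as workflow behaviour ("the Gitea release workflow Authenticode-signs Windows artifacts with the MrTrust code-signing certificate") or marking it as planned until the first signed release exists.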
@@ -15,6 +16,7 @@ Release artifacts are not published yet.
- Dependency audit: pending runner/toolchain confirmation.
- Secret handling: no tokens are stored by Connected Library v1.
- External network calls: public HTTPS manifest and `.mrpack` downloads.
- Windows trust: MrTrust-installed users can trust Modrinth Plus only when artifacts are signed with the matching MrSphay certificate chain.
## Verification
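Review bot: the new "Windows trust" line introduces a second name, "MrSphay certificate chain", for what the rest of this change calls the "MrTrust code-signing certificate"; use one term, or say explicitly that MrTrust installs the MrSphay chain, so a reader can tell it is the same certificate. The bullet should also state what users without MrTrust see, namely an unknown-publisher signature, since this section is where a user decides whether to trust the build.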
@@ -23,6 +25,7 @@ Release artifacts are not published yet.
| Gitea Actions build | Must pass before release |
| Frontend lint | Covered by Gitea build workflow |
| Rust clippy | Covered by Gitea build workflow |
| MrTrust signing | Required by Gitea build workflow |
| Artifact download | Pending release packaging |
## Notes
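Review bot: the added row "MrTrust signing | Required by Gitea build workflow" records a requirement, not a verification, while every other row in this table is a check that passes or is covered. Suggest a verification row for the signed output, for example `signtool verify /pa /v` or `Get-AuthenticodeSignature` run in the workflow against the built installer and updater bundle, failing the job when the signer is not the expected certificate; otherwise a missing or misconfigured secret can produce unsigned artifacts without anything noticing.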
@@ -23,6 +23,7 @@ main
- [x] External network calls documented for Connected Library.
- [x] No private Connected Library credentials are persisted in v1.
- [x] Connected Library requires HTTPS manifest and `.mrpack` URLs.
- [x] MrTrust signing secrets are expected only as Gitea Actions secrets.
## Dependency Review
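Review bot: "MrTrust signing secrets are expected only as Gitea Actions secrets" is ticked as done but states an expectation rather than something verified, and it says nothing about who can read those secrets. Since the PFX and its password are a reusable code-signing credential, suggest recording that the signing job runs only for protected branches or tags and not for pull-request runs, that the decoded PFX exists only in the job's temporary directory and is deleted at the end of the job, and that the item is ticked after confirming the secrets are never echoed in the workflow log.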
@@ -44,6 +45,7 @@ Pending successful Gitea Actions run.
- [x] Connected Library manifests are stored locally in SQLite.
- [x] Connected Library auto-update is disabled by default.
- [x] `GITEA_TOKEN` is only for local agent API checks, not runtime app use.
- [x] MrTrust signing does not bypass Defender, SmartScreen, UAC, or enterprise policy.
- [ ] Full Tauri runtime permission review pending.
## Release Notes
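Review bot: the checked item "MrTrust signing does not bypass Defender, SmartScreen, UAC, or enterprise policy" is a disclaimer rather than a control that was reviewed, so it sits oddly among [x] items that record verified facts. Suggest rewording it to what the review established, for example that the signature only changes the Authenticode publisher shown to users who installed MrTrust and leaves SmartScreen reputation and Defender scanning unchanged, and adding the residual risk that follows from it: any binary signed with the MrTrust chain will look trusted on those machines, so the PFX needs to be protected as strongly as the release itself.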
@@ -52,4 +54,5 @@ Known residual risks:
```text
Connected Library update behavior is conservative and does not yet implement strict removed-file sync.
Windows trust depends on publishing artifacts signed with the same certificate chain installed by MrTrust.
```
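Review bot: the new residual-risk line covers only installer trust via the MrTrust chain; the updater path configured in this same commit is protected by the separate Tauri updater key (`TAURI_SIGNING_PRIVATE_KEY` / `TAURI_SIGNING_PUBLIC_KEY`), so compromise of either key is a distinct risk. Suggest a second line stating that updates are trusted on the strength of the Tauri signing key baked into the build and the integrity of the `latest.json` endpoint, independently of the Authenticode signature.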
@@ -4,6 +4,8 @@ Modrinth Plus uses the existing Tauri updater flow from the upstream Modrinth Ap
The updater requires signing. Tauri does not allow unsigned updater installs, so the Gitea repository must provide these Actions secrets:
- `MRTRUST_CODE_SIGNING_PFX_BASE64`: base64-encoded `MrSphay-CodeSigning.pfx` from MrTrust.
- `MRTRUST_PFX_PASSWORD`: password for the MrTrust code-signing PFX.
- `TAURI_SIGNING_PRIVATE_KEY`: private key generated by `tauri signer generate`.
- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: optional key password.
- `TAURI_SIGNING_PUBLIC_KEY`: public key generated next to the private key.
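Review bot: the lead-in "The updater requires signing. Tauri does not allow unsigned updater installs" explains why the `TAURI_SIGNING_*` secrets exist, but the two `MRTRUST_*` secrets added here serve Authenticode signing of the installer and executables, which the Tauri updater does not require. Suggest splitting the list into updater-signing secrets and Windows code-signing secrets and stating which set is mandatory for updates and which provides publisher trust, so an operator who omits the PFX knows what breaks and what does not.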
@@ -17,8 +19,16 @@ pnpm --filter @modrinth/app exec tauri signer generate -- -w "$env:USERPROFILE\.
Use the `.key` file content as `TAURI_SIGNING_PRIVATE_KEY` and the `.key.pub` file content as `TAURI_SIGNING_PUBLIC_KEY`.
Encode the MrTrust PFX for the `MRTRUST_CODE_SIGNING_PFX_BASE64` secret:
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes(".\private\MrSphay-CodeSigning.pfx"))
```
The Gitea workflow patches the public key into `apps/app/tauri-release.conf.json` at build time, builds a signed Windows updater bundle, uploads the installer and updater bundle to the package registry, and publishes `latest.json` at:
```text
https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json
```
The Windows installer and bundled executables are Authenticode-signed with the MrTrust code-signing certificate. Users who installed MrTrust before installing Modrinth Plus should see the artifacts as signed by the trusted MrSphay certificate chain. MrTrust does not disable Defender, SmartScreen, UAC, or enterprise policy.
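Review bot: the PowerShell line prints the base64-encoded PFX to the console, from where it is pasted into a secret by hand; a console copy can wrap or truncate the value and leaves the encoded private key in the terminal history. Suggest sending it to the clipboard or a file instead (`| Set-Clipboard`, or `Set-Content -NoNewline`), and noting that `.\private\` must be gitignored given the "No secrets are committed" checklist item. The closing paragraph also says users "should see" the trusted chain; state the concrete check (publisher name or thumbprint reported by `Get-AuthenticodeSignature`) and that on machines without MrTrust the same artifacts show an unknown publisher.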