Sign Windows releases with MrTrust certificate
@@ -4,6 +4,8 @@ Modrinth Plus uses the existing Tauri updater flow from the upstream Modrinth Ap
The updater requires signing. Tauri does not allow unsigned updater installs, so the Gitea repository must provide these Actions secrets:
- `MRTRUST_CODE_SIGNING_PFX_BASE64`: base64-encoded `MrSphay-CodeSigning.pfx` from MrTrust.
- `MRTRUST_PFX_PASSWORD`: password for the MrTrust code-signing PFX.
- `TAURI_SIGNING_PRIVATE_KEY`: private key generated by `tauri signer generate`.
- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: optional key password.
- `TAURI_SIGNING_PUBLIC_KEY`: public key generated next to the private key.
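Review bot: The intro sentence above this list ("The updater requires signing. Tauri does not allow unsigned updater installs, ...") explains only the Tauri updater signature, but the two new `MRTRUST_*` entries serve a different step: the Authenticode signing of the installer and executables described further down the file. Split the list into two groups or reword the intro so it is clear which secrets feed which signing step, and state whether `MRTRUST_PFX_PASSWORD` is required, the way `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` is marked "optional".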
@@ -17,8 +19,16 @@ pnpm --filter @modrinth/app exec tauri signer generate -- -w "$env:USERPROFILE\.
Use the `.key` file content as `TAURI_SIGNING_PRIVATE_KEY` and the `.key.pub` file content as `TAURI_SIGNING_PUBLIC_KEY`.
Encode the MrTrust PFX for the `MRTRUST_CODE_SIGNING_PFX_BASE64` secret:
```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes(".\private\MrSphay-CodeSigning.pfx"))
```
The Gitea workflow patches the public key into `apps/app/tauri-release.conf.json` at build time, builds a signed Windows updater bundle, uploads the installer and updater bundle to the package registry, and publishes `latest.json` at:
```text
https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json
```
The Windows installer and bundled executables are Authenticode-signed with the MrTrust code-signing certificate. Users who installed MrTrust before installing Modrinth Plus should see the artifacts as signed by the trusted MrSphay certificate chain. MrTrust does not disable Defender, SmartScreen, UAC, or enterprise policy.
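Review bot: The `[Convert]::ToBase64String(...)` one-liner in the PowerShell block prints the entire base64-encoded PFX to the console, where it can end up in scrollback or a session transcript; pipe the result to `Set-Clipboard` instead, and add a sentence that the `.\private\` directory must stay out of version control. The closing paragraph also describes only what users who installed MrTrust will see; add what users without MrTrust should expect, and document whether the workflow removes the decoded PFX from the runner after signing.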