Modrinth-plus/docs/self-updates.md
MrSphay e66aa3d128
Sign Windows releases with MrTrust certificate
2026-05-16 01:15:02 +02:00

Modrinth Plus Self-Updates

Modrinth Plus uses the existing Tauri updater flow from the upstream Modrinth App. Release builds check the Gitea generic package registry for latest.json and show the in-app update notification after startup when a newer signed build exists.

The updater requires signing. Tauri does not allow unsigned updater installs, so the Gitea repository must provide these Actions secrets:

  • MRTRUST_CODE_SIGNING_PFX_BASE64: base64-encoded MrSphay-CodeSigning.pfx from MrTrust.
  • MRTRUST_PFX_PASSWORD: password for the MrTrust code-signing PFX.
  • TAURI_SIGNING_PRIVATE_KEY: private key generated by tauri signer generate.
  • TAURI_SIGNING_PRIVATE_KEY_PASSWORD: optional key password.
  • TAURI_SIGNING_PUBLIC_KEY: public key generated next to the private key.
  • REGISTRY_TOKEN: Gitea token with package write access.

Generate a keypair with the Tauri CLI:

pnpm --filter @modrinth/app exec tauri signer generate -- -w "$env:USERPROFILE\.tauri\modrinth-plus-updater.key"

Use the .key file content as TAURI_SIGNING_PRIVATE_KEY and the .key.pub file content as TAURI_SIGNING_PUBLIC_KEY.

Encode the MrTrust PFX for the MRTRUST_CODE_SIGNING_PFX_BASE64 secret:

[Convert]::ToBase64String([IO.File]::ReadAllBytes(".\private\MrSphay-CodeSigning.pfx"))
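A round-trip check for the encoded value before it goes into the Gitea secret, as an added example that is not part of the Modrinth Plus repository: it decodes the string, opens the PFX with the password, and confirms a private key, a current validity window and the Code Signing EKU. Test-PfxSecret is a hypothetical helper name, the sample certificate is constructed in memory so the block runs offline, and PowerShell 7 on Windows is assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not in the repository): checks that a base64 string and password
# would work as MRTRUST_CODE_SIGNING_PFX_BASE64 / MRTRUST_PFX_PASSWORD.
function Test-PfxSecret {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Password
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $problems = @()
    try {
        $bytes = [Convert]::FromBase64String($Base64.Trim())
        # EphemeralKeySet keeps the private key in memory only (no key file written to disk).
        $cert = [X509Certificate2]::new($bytes, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
    } catch {
        return [pscustomobject]@{ Ok = $false; Subject = $null; Problems = @("cannot load PFX: $($_.Exception.Message)") }
    }
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "certificate not valid now (NotAfter: $($cert.NotAfter.ToString('u')))"
    }
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $usages = @()
    if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($usages -notcontains $codeSigningOid) { $problems += 'Code Signing EKU missing' }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Subject = $cert.Subject; Problems = $problems }
}

# Constructed sample input: a throwaway self-signed code-signing certificate, exported
# to PFX bytes in memory. It stands in for the real MrTrust PFX, which is not on the page.
$samplePassword = 'constructed-sample-password'
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=Constructed Sample', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$oids = [OidCollection]::new()
[void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.3'))
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
$start  = [DateTimeOffset]::UtcNow.AddDays(-1)
$sample = $req.CreateSelfSigned($start, $start.AddDays(30))
$sampleBase64 = [Convert]::ToBase64String($sample.Export([X509ContentType]::Pfx, $samplePassword))

Test-PfxSecret -Base64 $sampleBase64 -Password $samplePassword   # matching password
Test-PfxSecret -Base64 $sampleBase64 -Password 'wrong-password'  # load failure is reported
```

Base64 is only an encoding: the string is as sensitive as the PFX file itself and is protected by nothing but MRTRUST_PFX_PASSWORD.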

The Gitea workflow patches the public key into apps/app/tauri-release.conf.json at build time, builds a signed Windows updater bundle, uploads the installer and updater bundle to the package registry, and publishes latest.json at:

https://git.wilkensxl.de/api/packages/MrSphay/generic/modrinth-plus/latest/latest.json

The Windows installer and bundled executables are Authenticode-signed with the MrTrust code-signing certificate. Users who installed MrTrust before installing Modrinth Plus should see the artifacts as signed by the trusted MrSphay certificate chain. MrTrust does not disable Defender, SmartScreen, UAC, or enterprise policy.