docs: add release signature verification steps (#1178)
This commit is contained in:
parent
4239cd3584
commit
b76febdbbf
1 changed files with 35 additions and 0 deletions
35
README.md
35
README.md
|
|
@ -263,6 +263,41 @@ We're actively working on several features and improvements. Contributions and f
|
|||
- Abstract and organize Tauri command patterns
|
||||
- Investigate tauri-specta for improved type safety and organization
|
||||
|
||||
## Verify Release Signatures
|
||||
|
||||
Handy release artifacts are signed with Tauri's updater signature format. The public key is stored in [`src-tauri/tauri.conf.json`](src-tauri/tauri.conf.json) under `plugins.updater.pubkey`.
|
||||
|
||||
To verify a release manually, set `ARTIFACT` to the filename you downloaded, save the `pubkey` value from `src-tauri/tauri.conf.json` to `handy.pub.b64`, then decode the public key and matching `.sig` file from base64 and verify the artifact with `minisign`:
|
||||
|
||||
```bash
|
||||
# Replace with the file you downloaded
|
||||
ARTIFACT="Handy_0.8.1_amd64.AppImage"
|
||||
|
||||
python3 - "$ARTIFACT" <<'PY'
|
||||
import base64, pathlib, sys
|
||||
|
||||
artifact = sys.argv[1]
|
||||
|
||||
pub = pathlib.Path("handy.pub.b64").read_text().strip()
|
||||
pathlib.Path("handy.pub").write_bytes(base64.b64decode(pub))
|
||||
|
||||
sig = pathlib.Path(f"{artifact}.sig").read_text().strip()
|
||||
pathlib.Path(f"{artifact}.minisig").write_bytes(base64.b64decode(sig))
|
||||
PY
|
||||
|
||||
minisign -Vm "$ARTIFACT" \
|
||||
-p handy.pub \
|
||||
-x "$ARTIFACT.minisig"
|
||||
```
|
||||
|
||||
On success, `minisign` prints:
|
||||
|
||||
```text
|
||||
Signature and comment signature verified
|
||||
```
|
||||
|
||||
Do not use `gpg` for these `.sig` files.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Manual Model Installation (For Proxy Users or Network Restrictions)
|
||||
|
|
|
|||
Loading…
Reference in a new issue