From b76febdbbf46627e5cabe820178d1bc12a5ad536 Mon Sep 17 00:00:00 2001 From: Emma Watson Date: Sat, 28 Mar 2026 19:06:14 +0800 Subject: [PATCH] docs: add release signature verification steps (#1178) --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index 3a94f83..bef98d9 100644 --- a/README.md +++ b/README.md @@ -263,6 +263,41 @@ We're actively working on several features and improvements. Contributions and f - Abstract and organize Tauri command patterns - Investigate tauri-specta for improved type safety and organization +## Verify Release Signatures + +Handy release artifacts are signed with Tauri's updater signature format. The public key is stored in [`src-tauri/tauri.conf.json`](src-tauri/tauri.conf.json) under `plugins.updater.pubkey`. + +To verify a release manually, set `ARTIFACT` to the filename you downloaded, save the `pubkey` value from `src-tauri/tauri.conf.json` to `handy.pub.b64`, then decode the public key and matching `.sig` file from base64 and verify the artifact with `minisign`: + +```bash +# Replace with the file you downloaded +ARTIFACT="Handy_0.8.1_amd64.AppImage" + +python3 - "$ARTIFACT" <<'PY' +import base64, pathlib, sys + +artifact = sys.argv[1] + +pub = pathlib.Path("handy.pub.b64").read_text().strip() +pathlib.Path("handy.pub").write_bytes(base64.b64decode(pub)) + +sig = pathlib.Path(f"{artifact}.sig").read_text().strip() +pathlib.Path(f"{artifact}.minisig").write_bytes(base64.b64decode(sig)) +PY + +minisign -Vm "$ARTIFACT" \ + -p handy.pub \ + -x "$ARTIFACT.minisig" +``` + +On success, `minisign` prints: + +```text +Signature and comment signature verified +``` + +Do not use `gpg` for these `.sig` files. + ## Troubleshooting ### Manual Model Installation (For Proxy Users or Network Restrictions)