From 835552c83407cb4517d1acab055df7836ec0774c Mon Sep 17 00:00:00 2001 From: Mohan <86064887+binarybaron@users.noreply.github.com> Date: Thu, 12 Jun 2025 11:00:57 +0200 Subject: [PATCH] docs: add Tauri signature verification guide (#396) * docs: add Tauri signature verification guide * fix --- CHANGELOG.md | 2 + docs/pages/getting_started/_meta.json | 3 +- .../verify_tauri_signature.mdx | 72 +++++++++++++++++++ 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 docs/pages/getting_started/verify_tauri_signature.mdx diff --git a/CHANGELOG.md b/CHANGELOG.md index fb5d82fa..ec932637 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +- docs: add instructions for verifying Tauri signature files + ## [2.0.0-beta.2] - 2025-06-11 ## [2.0.0-beta.1] - 2025-06-11 diff --git a/docs/pages/getting_started/_meta.json b/docs/pages/getting_started/_meta.json index 7446d797..555a344e 100644 --- a/docs/pages/getting_started/_meta.json +++ b/docs/pages/getting_started/_meta.json @@ -1,3 +1,4 @@ { - "install_instructions": "Installation" + "install_instructions": "Installation", + "verify_tauri_signature": "Verify Signatures" } diff --git a/docs/pages/getting_started/verify_tauri_signature.mdx b/docs/pages/getting_started/verify_tauri_signature.mdx new file mode 100644 index 00000000..f85ae634 --- /dev/null +++ b/docs/pages/getting_started/verify_tauri_signature.mdx 
@@ -0,0 +1,72 @@ +# Verifying the signature of the GUI + +Verifying downloads is a good habit. The signature files that accompany our GUI binaries are wrapped in an additional `base64` layer. This guide shows how to decode that wrapper and then verify the Minisign file. + +## Prerequisites + +| Tool | Purpose | Install (cmd examples) | +| --- | --- | --- | +| **minisign** | Signature verification | `brew install minisign` or `apt install minisign` | +| **base64** | Decode a double-encoded sig | Comes with most Unix systems | + +## Files involved + +```text +UnstoppableSwap_2.0.0-beta.2_amd64.AppImage # the binary you will verify +UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig # contains a base64 encoded signature +``` + +## Step-by-step + +1. **Decode base64**: + + ```bash + base64 -D -i UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig \ + > UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig + ``` + + The new file will start with the classic two-line Minisign header: + + ``` + untrusted comment: signature from tauri secret key + RURc8dYGEB0I… + trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage + 4LKsm8VRcErR… + ``` + +2. **Grab the public key** (two options): + + *From code:* `tauri.conf.json → plugins.updater.pubkey` + + ```bash + # prints raw 56-byte key + jq -r '.plugins.updater.pubkey' src-tauri/tauri.conf.json | base64 -D + ``` + + *or* copy the key from below: + + ```text + RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECA + ``` + +4. 
**Verify the signature**: + + ```bash + minisign -Vm UnstoppableSwap_2.0.0-beta.2_amd64.AppImage \ + -x UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig \ + -P RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECA + ``` + + Expected output: + + ``` + Signature and comment signature verified + Trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage + ``` + +## Troubleshooting cheatsheet + +| Symptom | Likely cause | Fix | +| --- | --- | --- | +| `Untrusted signature comment too long` | Fed Minisign the *outer* base64 file | Decode the `.sig` first (Step 1) | +| `Signature mismatch` | Wrong public key | Re-extract the key from `tauri.conf.json` and make sure there’s no extra whitespace |
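Review bot: In step 1 and in the `jq` example of step 2 of `verify_tauri_signature.mdx`, `base64 -D -i` is the macOS/BSD spelling. GNU coreutils `base64` decodes with `-d` and rejects `-D`, so both commands fail on the Linux systems that the AppImage file name and the `apt install minisign` hint are aimed at. Suggest the long option with stdin redirection, `base64 --decode < UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig > UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig`, or show the macOS and GNU variants side by side. Smaller points in the same file: the step list is numbered 1, 2, 4, so the last step should be 3; the text announces a "two-line Minisign header" but the sample that follows has four lines; and the comment `# prints raw 56-byte key` should say what the decoded output actually looks like, since the key given below it is a 56-character base64 string. On the verification side, the "Expected output" block would benefit from one sentence telling the reader to check that `file:` in the trusted comment names the file they downloaded. The `Signature mismatch` row in the troubleshooting table lists only a wrong public key as the cause; a corrupted or modified download also fails verification, so the Fix column should tell the reader to re-download and not run the binary until verification succeeds.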