Git-Mirrors/xmr-btc-swap
1
0
Fork 0
mirror of https://github.com/comit-network/xmr-btc-swap.git synced 2025-11-22 00:51:06 -05:00
Code Issues Projects Releases Packages Wiki Activity
xmr-btc-swap/docs/pages/getting_started/verify_tauri_signature.mdx
Mohan 835552c834
docs: add Tauri signature verification guide (#396) 
* docs: add Tauri signature verification guide

* fix
2025-06-12 11:00:57 +02:00

72 lines
2.2 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Verifying the signature of the GUI
Verifying downloads is a good habit. The signature files that accompany our GUI binaries are wrapped in an additional `base64` layer. This guide shows how to decode that wrapper and then verify the Minisign file.
## Prerequisites
| Tool | Purpose | Install (cmd examples) |
| --- | --- | --- |
| **minisign** | Signature verification | `brew install minisign` or `apt install minisign` |
| **base64** | Decode a double-encoded sig | Comes with most Unix systems |
## Files involved
```text
UnstoppableSwap_2.0.0-beta.2_amd64.AppImage # the binary you will verify
UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig # contains a base64 encoded signature
```
## Step-by-step
1. **Decode base64**:
```bash
base64 -D -i UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.sig \
> UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig
```
The new file will start with the classic two-line Minisign header:
```
untrusted comment: signature from tauri secret key
RURc8dYGEB0I…
trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage
4LKsm8VRcErR…
```
2. **Grab the public key** (two options):
*From code:* `tauri.conf.json → plugins.updater.pubkey`
```bash
# prints raw 56-byte key
jq -r '.plugins.updater.pubkey' src-tauri/tauri.conf.json | base64 -D
```
*or* copy the key from below:
```text
RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECA
```
4. **Verify the signature**:
```bash
minisign -Vm UnstoppableSwap_2.0.0-beta.2_amd64.AppImage \
-x UnstoppableSwap_2.0.0-beta.2_amd64.AppImage.minisig \
-P RWRc8dYGEB0Ipl37n2fWnO3gtVgUoPkY6XUS0C1ppRsgRUYsmSGtcECA
```
Expected output:
```
Signature and comment signature verified
Trusted comment: timestamp:1749671728 file:UnstoppableSwap_2.0.0-beta.2_amd64.AppImage
```
## Troubleshooting cheatsheet
| Symptom | Likely cause | Fix |
| --- | --- | --- |
| `Untrusted signature comment too long` | Fed Minisign the *outer* base64 file | Decode the `.sig` first (Step 1) |
| `Signature mismatch` | Wrong public key | Re-extract the key from `tauri.conf.json` and make sure theres no extra whitespace |
Reference in a new issue View git blame Copy permalink