@@ -800,6 +800,44 @@ jobs:
800800 id : timestamp
801801 run : echo "build_time=$(date -u +"%Y-%m-%d %H:%M UTC")" >> $GITHUB_OUTPUT
802802
803+ - name : Verify signing configuration
804+ shell : bash
805+ run : |
806+ echo "🔐 Verifying updater signing configuration..."
807+
808+ # Check if signing keys are available
809+ if [ -z "$TAURI_SIGNING_PRIVATE_KEY" ]; then
810+ echo "⚠️ WARNING: TAURI_SIGNING_PRIVATE_KEY is not set!"
811+ echo "Signature files will NOT be generated."
812+ else
813+ echo "✅ TAURI_SIGNING_PRIVATE_KEY is set (length: ${#TAURI_SIGNING_PRIVATE_KEY})"
814+ fi
815+
816+ if [ -z "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" ]; then
817+ echo "⚠️ WARNING: TAURI_SIGNING_PRIVATE_KEY_PASSWORD is not set!"
818+ else
819+ echo "✅ TAURI_SIGNING_PRIVATE_KEY_PASSWORD is set"
820+ fi
821+
822+ # Verify the key format (should start with "dW50cnVzdGVk" which is base64 for "untrusted")
823+ if [[ "$TAURI_SIGNING_PRIVATE_KEY" == dW50cnVzdGVk* ]]; then
824+ echo "✅ Private key appears to be in correct format (base64-encoded minisign key)"
825+ else
826+ echo "⚠️ WARNING: Private key might not be in the correct format"
827+ echo "Expected: base64-encoded minisign private key starting with 'dW50cnVzdGVk'"
828+ fi
829+
830+ echo ""
831+ echo "📋 Tauri config check:"
832+ if grep -q '"createUpdaterArtifacts": true' src-tauri/tauri.conf.json; then
833+ echo "✅ createUpdaterArtifacts is enabled in tauri.conf.json"
834+ else
835+ echo "❌ createUpdaterArtifacts is NOT enabled!"
836+ fi
837+ env :
838+ TAURI_SIGNING_PRIVATE_KEY : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
839+ TAURI_SIGNING_PRIVATE_KEY_PASSWORD : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
840+
803841 - name : Build Tauri app
804842 id : tauri-build
805843 continue-on-error : true
@@ -870,6 +908,47 @@ jobs:
870908 TAURI_BUNDLE_MACOS_SIGNING_IDENTITY : ${{ secrets.APPLE_SIGNING_IDENTITY }}
871909 CI : true
872910
911+ - name : Verify signature files
912+ if : steps.tauri-build.outputs.build_success == 'true'
913+ shell : bash
914+ run : |
915+ echo "🔍 Checking for generated signature files..."
916+ echo ""
917+
918+ # Find all .sig files in the bundle directory
919+ SIG_FILES=$(find src-tauri/target/*/release/bundle -name "*.sig" 2>/dev/null || true)
920+
921+ if [ -z "$SIG_FILES" ]; then
922+ echo "⚠️ WARNING: No signature files (.sig) found!"
923+ echo ""
924+ echo "This means updater signing did NOT work. Possible causes:"
925+ echo "1. TAURI_SIGNING_PRIVATE_KEY secret is not set or is invalid"
926+ echo "2. TAURI_SIGNING_PRIVATE_KEY_PASSWORD is incorrect"
927+ echo "3. The key format is wrong (must be base64-encoded minisign key)"
928+ echo ""
929+ echo "To generate a new signing key pair, run:"
930+ echo " pnpm tauri signer generate -w ~/.tauri/mpesa2csv.key"
931+ echo ""
932+ echo "Then add these secrets to your GitHub repository:"
933+ echo " TAURI_SIGNING_PRIVATE_KEY: (paste the private key content)"
934+ echo " TAURI_SIGNING_PRIVATE_KEY_PASSWORD: (the password you used)"
935+ echo ""
936+ echo "📂 Bundle directory contents:"
937+ find src-tauri/target/*/release/bundle -type f 2>/dev/null | head -20 || echo "No files found"
938+ else
939+ echo "✅ Signature files found:"
940+ echo "$SIG_FILES" | while read -r file; do
941+ if [ -f "$file" ]; then
942+ SIZE=$(du -h "$file" | cut -f1)
943+ echo " - $file (size: $SIZE)"
944+ echo " Content preview:"
945+ head -3 "$file" | sed 's/^/ /'
946+ fi
947+ done
948+ echo ""
949+ echo "✅ Updater signing is working correctly!"
950+ fi
951+
873952 - name : Create GitHub Release
874953 if : steps.tauri-build.outputs.build_success == 'true'
875954 uses : softprops/action-gh-release@v1
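Review bot: The `Verify signature files` step is advisory only: when `SIG_FILES` is empty it prints a warning and still exits 0, so `Create GitHub Release`, which is gated only on `steps.tauri-build.outputs.build_success == 'true'`, goes on to publish bundles without updater signatures. End that branch with `exit 1` after the diagnostics so an unsigned build cannot be released. The success branch reports "Updater signing is working correctly!" from the presence of `.sig` files alone; nothing here checks them against the updater public key, so the message should say only that signature files were generated. The `Verify signing configuration` step in the first hunk has the same warn-only shape, and it also writes `${#TAURI_SIGNING_PRIVATE_KEY}` to the job log and exposes both secrets to an extra step; I would drop the length from the echo and fail the step when the key is unset. The job's remaining steps are outside these hunks, so a later gate may exist that is not visible here.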