Skip to content

Commit

Permalink
feat(cli): allow rotating updater private key (#8059)
Browse files Browse the repository at this point in the history
  • Loading branch information
lucasfernog authored Oct 19, 2023
1 parent 2da043f commit 9bead42
Show file tree
Hide file tree
Showing 6 changed files with 55 additions and 9 deletions.
6 changes: 6 additions & 0 deletions .changes/allow-updater-key-rotation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
"@tauri-apps/cli": patch:enhance
"tauri-cli": patch:enhance
---

Allow rotating the updater private key.
3 changes: 2 additions & 1 deletion .github/workflows/test-core.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ jobs:
cargo update -p system-deps:6.1.2 --precise 6.1.1
cargo update -p toml:0.7.8 --precise 0.7.3
cargo update -p toml_edit:0.19.15 --precise 0.19.8
cargo update -p embed-resource --precise 2.3.0
cargo update -p toml_datetime --precise 0.6.1
cargo update -p serde_spanned --precise 0.6.1
cargo update -p winnow --precise 0.4.1
Expand All @@ -100,7 +101,7 @@ jobs:
cargo update -p is-terminal --precise 0.4.7
cargo update -p colored --precise 2.0.2
cargo update -p tempfile --precise 3.6.0
cargo update -p serde_with:3.3.0 --precise 3.0.0
cargo update -p serde_with:3.4.0 --precise 3.0.0
cargo update -p tokio --precise 1.29.0
cargo update -p flate2 --precise 1.0.26
cargo update -p h2 --precise 0.3.20
Expand Down
2 changes: 1 addition & 1 deletion core/tests/app-updater/tauri.conf.json
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
"updater": {
"active": true,
"dialog": false,
"pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDE5QzMxNjYwNTM5OEUwNTgKUldSWTRKaFRZQmJER1h4d1ZMYVA3dnluSjdpN2RmMldJR09hUFFlZDY0SlFqckkvRUJhZDJVZXAK",
"pubkey": "dummy",
"endpoints": ["http://localhost:3007"],
"windows": {
"installMode": "quiet"
Expand Down
33 changes: 31 additions & 2 deletions core/tests/app-updater/tests/update.rs
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,30 @@ use std::{
use serde::Serialize;

const UPDATER_PRIVATE_KEY: &str = "dW50cnVzdGVkIGNvbW1lbnQ6IHJzaWduIGVuY3J5cHRlZCBzZWNyZXQga2V5ClJXUlRZMEl5YTBGV3JiTy9lRDZVd3NkL0RoQ1htZmExNDd3RmJaNmRMT1ZGVjczWTBKZ0FBQkFBQUFBQUFBQUFBQUlBQUFBQWdMekUzVkE4K0tWQ1hjeGt1Vkx2QnRUR3pzQjVuV0ZpM2czWXNkRm9hVUxrVnB6TUN3K1NheHJMREhQbUVWVFZRK3NIL1VsMDBHNW5ET1EzQno0UStSb21nRW4vZlpTaXIwZFh5ZmRlL1lSN0dKcHdyOUVPclVvdzFhVkxDVnZrbHM2T1o4Tk1NWEU9Cg==";
// const UPDATER_PUBLIC_KEY: &str = "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDE5QzMxNjYwNTM5OEUwNTgKUldSWTRKaFRZQmJER1h4d1ZMYVA3dnluSjdpN2RmMldJR09hUFFlZDY0SlFqckkvRUJhZDJVZXAK";

const UPDATER_PRIVATE_KEY_NEXT: &str = "dW50cnVzdGVkIGNvbW1lbnQ6IHJzaWduIGVuY3J5cHRlZCBzZWNyZXQga2V5ClJXUlRZMEl5Vm1kaFhCeEh0N2svRy85djJQbmNGTnk3TUQ1emJRWTF3Y01INW9OZjJwSUFBQkFBQUFBQUFBQUFBQUlBQUFBQS9YRStJU1RjK1JmUS9QK0F3WmdaMFE0RmUrcVY1RXhkL0VaYVZEeTVDNHREWnE2Y21yTVZCcW0rM1lKOUVLd1p1MWVPVFN5WmZBZEUxYnVtT3BnWW93TDZZRnYra1FUblFXazBVempRUFZOTnFRSjdod05LMjhvK3M0VGhoR0V4YWkzWUpOQXBIcEU9Cg==";
const UPDATER_PUBLIC_KEY_NEXT: &str = "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDE3RjlEQzI0MjEzRTcxRkQKUldUOWNUNGhKTno1RjZtKzNZSjlFS3dadTFlT1RTeVpmQWRFMWJ1bU9wZ1lvd0w2WUZ2K2tRVG4K";

#[derive(Serialize)]
struct PackageConfig {
version: &'static str,
}

#[derive(Serialize)]
struct UpdaterConfig {
pubkey: &'static str,
}

#[derive(Serialize)]
struct TauriConfig {
updater: UpdaterConfig,
}

#[derive(Serialize)]
struct Config {
package: PackageConfig,
tauri: TauriConfig,
}

#[derive(Serialize)]
Expand Down Expand Up @@ -57,6 +72,7 @@ fn get_cli_bin_path(cli_dir: &Path, debug: bool) -> Option<PathBuf> {
fn build_app(
cli_bin_path: &Path,
cwd: &Path,
envs: Vec<(&str, &str)>,
config: &Config,
bundle_updater: bool,
target: BundleTarget,
Expand All @@ -78,7 +94,7 @@ fn build_app(
command.args(["--bundles", "msi", "nsis"]);

command
.env("TAURI_PRIVATE_KEY", UPDATER_PRIVATE_KEY)
.envs(envs)
.env("TAURI_KEY_PASSWORD", "")
.args(["--bundles", "updater"]);
} else {
Expand Down Expand Up @@ -197,12 +213,18 @@ fn update_app() {

let mut config = Config {
package: PackageConfig { version: "1.0.0" },
tauri: TauriConfig {
updater: UpdaterConfig {
pubkey: UPDATER_PUBLIC_KEY_NEXT,
},
},
};

// bundle app update
build_app(
&cli_bin_path,
&manifest_dir,
vec![("TAURI_PRIVATE_KEY", UPDATER_PRIVATE_KEY_NEXT)],
&config,
true,
Default::default(),
Expand Down Expand Up @@ -285,7 +307,14 @@ fn update_app() {
config.package.version = "0.1.0";

// bundle initial app version
build_app(&cli_bin_path, &manifest_dir, &config, false, bundle_target);
build_app(
&cli_bin_path,
&manifest_dir,
vec![("TAURI_PRIVATE_KEY", UPDATER_PRIVATE_KEY)],
&config,
false,
bundle_target,
);

let mut binary_cmd = if cfg!(windows) {
Command::new(root_dir.join("target/debug/app-updater.exe"))
Expand Down
14 changes: 12 additions & 2 deletions tooling/cli/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions tooling/cli/src/build.rs
Original file line number Diff line number Diff line change
Expand Up @@ -320,9 +320,9 @@ pub fn command(mut options: Options, verbosity: u8) -> Result<()> {
// sign our path from environment variables
let (signature_path, signature) = sign_file(&secret_key, path)?;
if signature.keynum() != public_key.keynum() {
return Err(anyhow::anyhow!(
"The updater secret key from `TAURI_PRIVATE_KEY` does not match the public key defined in `tauri.conf.json > tauri > updater > pubkey`."
));
log::warn!(
"The updater secret key from `TAURI_PRIVATE_KEY` does not match the public key defined in `tauri.conf.json > tauri > updater > pubkey`. If you are not rotating keys, this means your configuration is wrong and won't be accepted at runtime."
);
}
signed_paths.push(signature_path);
}
Expand Down

0 comments on commit 9bead42

Please sign in to comment.