Fix EdDSA signatures with correct private key
- Update generate-appcast.sh to use private key file exclusively - Add validation to ensure private key exists before signing - Regenerate appcast signatures with correct key - Add private/ directory to .gitignore for security
parent
585a593ecc
commit
b2b340fd1e
3 changed files with 32 additions and 28 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
|
@ -102,3 +102,6 @@ default.profdata
|
|||
# Tuist generated files
|
||||
Derived/
|
||||
Workspace.xcworkspace/
|
||||
|
||||
# Sparkle private keys - NEVER commit these
|
||||
private/
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@
|
|||
url="https://github.com/amantus-ai/vibetunnel/releases/download/v1.0.0-beta.2/VibeTunnel-1.0.0-beta.2.dmg"
|
||||
length="22201465"
|
||||
type="application/octet-stream"
|
||||
sparkle:edSignature="TNrYDY8jH9PyJb3lRqvARthil/B5NfEC7RRB/s/Q5SARkgDZrKWSYHjKcbFnlHX6qDF1MdSx8czUN05bALGeDg=="
|
||||
sparkle:edSignature="VuOks4uaCl1UNuz+229Pqn4sXmLYU3+Jp2tWGyHzVGUei3bPuyXX9OD+p2vxrCKJSn/XqJbWp03c6dKd384PBw=="
|
||||
/>
|
||||
<sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
|
||||
</item>
|
||||
|
|
@ -53,7 +53,7 @@
|
|||
url="https://github.com/amantus-ai/vibetunnel/releases/download/v1.0-beta.1/VibeTunnel-1.0-beta.1.dmg"
|
||||
length="17928597"
|
||||
type="application/octet-stream"
|
||||
sparkle:edSignature="lm3eCKxuykGYj1oRG3uRm3QB+3azo7EGGeuP2SzZHsobnKGBxq48H21rN9WDi2mry8NbGM9YwjdjfzS56h7GDA=="
|
||||
sparkle:edSignature="9h7sCoJVawjj3PJePiyrIebQDNlMG3Kqp253QcMYdJEnXzWafTYBo5LUPNHosVisPW6dV3Gc0Il5bjGuizLXAw=="
|
||||
/>
|
||||
<sparkle:minimumSystemVersion>15.0</sparkle:minimumSystemVersion>
|
||||
</item>
|
||||
|
|
|
|||
|
|
@ -23,6 +23,14 @@ GITHUB_USERNAME="${GITHUB_USERNAME:-amantus-ai}"
|
|||
GITHUB_REPO="${GITHUB_USERNAME}/${GITHUB_REPO:-vibetunnel}"
|
||||
SPARKLE_PRIVATE_KEY_PATH="private/sparkle_private_key"
|
||||
|
||||
# Verify private key exists
|
||||
if [ ! -f "$SPARKLE_PRIVATE_KEY_PATH" ]; then
|
||||
echo -e "${RED}❌ Error: Sparkle private key not found at $SPARKLE_PRIVATE_KEY_PATH${NC}"
|
||||
echo "This file is required to sign updates for Sparkle."
|
||||
echo "Please ensure the private key is available before running this script."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Colors for output
|
||||
GREEN='\033[0;32m'
|
||||
YELLOW='\033[1;33m'
|
||||
|
|
@ -84,37 +92,30 @@ generate_signature() {
|
|||
return 0
|
||||
fi
|
||||
|
||||
# Try to use sign_update from Keychain first (preferred method)
|
||||
# Find sign_update binary
|
||||
local sign_update_bin=""
|
||||
if command -v sign_update >/dev/null 2>&1; then
|
||||
# First try without -f flag to use Keychain
|
||||
local signature=$(sign_update "$file_path" -p 2>/dev/null)
|
||||
if [ -n "$signature" ] && [ "$signature" != "-----END PRIVATE KEY-----" ]; then
|
||||
echo "$signature"
|
||||
return 0
|
||||
fi
|
||||
|
||||
# If Keychain didn't work and we have a private key file, try that
|
||||
if [ -f "$SPARKLE_PRIVATE_KEY_PATH" ]; then
|
||||
signature=$(sign_update "$file_path" -f "$SPARKLE_PRIVATE_KEY_PATH" -p 2>/dev/null)
|
||||
if [ -n "$signature" ] && [ "$signature" != "-----END PRIVATE KEY-----" ]; then
|
||||
echo "$signature"
|
||||
return 0
|
||||
fi
|
||||
fi
|
||||
sign_update_bin="sign_update"
|
||||
elif [ -f ".build/artifacts/sparkle/Sparkle/bin/sign_update" ]; then
|
||||
sign_update_bin=".build/artifacts/sparkle/Sparkle/bin/sign_update"
|
||||
elif [ -f "build/SourcePackages/artifacts/sparkle/Sparkle/bin/sign_update" ]; then
|
||||
sign_update_bin="build/SourcePackages/artifacts/sparkle/Sparkle/bin/sign_update"
|
||||
else
|
||||
echo -e "${RED}❌ Error: Could not find sign_update binary${NC}" >&2
|
||||
echo "Please ensure Sparkle is built or sign_update is in PATH" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Try using the bundled tool from Sparkle framework
|
||||
local sign_tool="/Applications/Sparkle Test App.app/Contents/Frameworks/Sparkle.framework/Versions/B/Resources/sign_update"
|
||||
if [ -f "$sign_tool" ]; then
|
||||
local signature=$("$sign_tool" "$file_path" -p 2>/dev/null)
|
||||
if [ -n "$signature" ] && [ "$signature" != "-----END PRIVATE KEY-----" ]; then
|
||||
echo "$signature"
|
||||
return 0
|
||||
fi
|
||||
# Sign using the private key file (no fallback)
|
||||
local signature=$($sign_update_bin "$file_path" -f "$SPARKLE_PRIVATE_KEY_PATH" -p 2>/dev/null)
|
||||
if [ -n "$signature" ] && [ "$signature" != "-----END PRIVATE KEY-----" ]; then
|
||||
echo "$signature"
|
||||
return 0
|
||||
fi
|
||||
|
||||
print_warning "Could not generate signature for $filename"
|
||||
echo ""
|
||||
echo -e "${RED}❌ Error: Failed to generate signature for $filename${NC}" >&2
|
||||
echo "Please ensure the private key at $SPARKLE_PRIVATE_KEY_PATH is valid" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
# Function to format date for appcast
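Review bot: The key-existence check added in the first hunk expands `${RED}` and `${NC}` above the "# Colors for output" block, so if those variables are defined there (the hunk does not show their definitions) the message prints uncoloured, or the script aborts on an unbound variable under `set -u`. That message also goes to stdout, while the new errors in generate_signature use `>&2`. Moving the check below the colour definitions and adding `>&2` to its `echo` lines fixes both. Because signing now depends only on a key file in the working tree instead of the Keychain, the check could also reject a key readable by other users, for example on macOS `[ "$(stat -f '%Lp' "$SPARKLE_PRIVATE_KEY_PATH")" = "600" ] || { echo "key file must be owner-only (mode 600)" >&2; exit 1; }`. In the second hunk, `local signature=$($sign_update_bin ... 2>/dev/null)` leaves `$sign_update_bin` unquoted and discards the tool's own diagnostics, so a failure is always reported as an invalid key; generate_signature begins outside the hunk.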
|
||||
|
|
|
|||