83b586f6f6
- Always use --account VibeTunnel for Sparkle signing - Add automatic DMG volume cleanup to prevent resource errors - Better handling of CHANGELOG.md location (check both mac/ and root) - Add comprehensive RELEASE-LESSONS.md with all gotchas - Add signature verification step to release process - Improve error messages and debugging output - Pass SPARKLE_ACCOUNT environment variable through scripts
6.1 KiB
VibeTunnel Release Lessons Learned
This document captures important lessons learned from the VibeTunnel release process and common issues that can occur.
Critical Issues and Solutions
1. Sparkle Signing Account Issues
Problem: The sign_update command may use the wrong signing key from your Keychain if you have multiple EdDSA keys configured.
Symptoms:
- Sparkle update verification fails
- Error messages about invalid signatures
- Updates don't appear in the app even though appcast is updated
Solution:
# Always specify the account explicitly
export SPARKLE_ACCOUNT="VibeTunnel"
./scripts/release.sh stable
Prevention: The release script now sets SPARKLE_ACCOUNT environment variable automatically.
2. File Location Confusion
Problem: Files are not always where scripts expect them to be.
Key Locations:
- Appcast files: Located in project root (
/vibetunnel/), NOT inmac/appcast.xmlappcast-prerelease.xml
- CHANGELOG.md: Can be in either:
mac/CHANGELOG.md(preferred by release script)- Project root
/vibetunnel/CHANGELOG.md(common location)
- Sparkle private key: Usually in
mac/private/sparkle_private_key
Solution: The scripts now check multiple locations and provide clear error messages.
3. Stuck DMG Volumes
Problem: "Resource temporarily unavailable" errors when creating DMG.
Symptoms:
hdiutil: create failed - Resource temporarily unavailable- Multiple VibeTunnel volumes visible in Finder
- DMG creation fails repeatedly
Solution:
# Manually unmount all VibeTunnel volumes
for volume in /Volumes/VibeTunnel*; do
hdiutil detach "$volume" -force
done
# Kill any stuck DMG processes
pkill -f "VibeTunnel.*\.dmg"
Prevention: Scripts now clean up volumes automatically before DMG creation.
4. Build Number Already Exists
Problem: Sparkle requires unique build numbers for each release.
Solution:
- Check existing build numbers:
grep -E '<sparkle:version>[0-9]+</sparkle:version>' ../appcast*.xml - Update
mac/VibeTunnel/version.xcconfig:CURRENT_PROJECT_VERSION = <new_unique_number>
5. Notarization Failures
Problem: App notarization fails or takes too long.
Common Causes:
- Missing API credentials
- Network issues
- Apple service outages
- Unsigned frameworks or binaries
Solution:
# Check notarization status
xcrun notarytool history --key-id "$APP_STORE_CONNECT_KEY_ID" \
--key "$APP_STORE_CONNECT_API_KEY_P8" \
--issuer-id "$APP_STORE_CONNECT_ISSUER_ID"
# Get detailed log for failed submission
xcrun notarytool log <submission-id> --key-id ...
6. GitHub Release Already Exists
Problem: Tag or release already exists on GitHub.
Solution: The release script now prompts you to:
- Delete the existing release and tag
- Cancel the release
Prevention: Always pull latest changes before releasing.
Pre-Release Checklist
Before running ./scripts/release.sh:
-
Environment Setup:
# Ensure you're on main branch git checkout main git pull --rebase origin main # Check for uncommitted changes git status # Set environment variables export SPARKLE_ACCOUNT="VibeTunnel" export APP_STORE_CONNECT_API_KEY_P8="..." export APP_STORE_CONNECT_KEY_ID="..." export APP_STORE_CONNECT_ISSUER_ID="..." -
File Verification:
- CHANGELOG.md exists and has entry for new version
- version.xcconfig has unique build number
- Sparkle private key exists at expected location
- No stuck DMG volumes in /Volumes/
-
Clean Build:
./scripts/clean.sh rm -rf ~/Library/Developer/Xcode/DerivedData/VibeTunnel-*
Common Commands
Test Sparkle Signature
# Find sign_update binary
find . -name sign_update -type f
# Test signing with specific account
./path/to/sign_update file.dmg -f private/sparkle_private_key -p --account VibeTunnel
Verify Appcast URLs
# Check that appcast files are accessible
curl -I https://raw.githubusercontent.com/amantus-ai/vibetunnel/main/appcast.xml
curl -I https://raw.githubusercontent.com/amantus-ai/vibetunnel/main/appcast-prerelease.xml
Manual Appcast Generation
# If automatic generation fails
cd mac
export SPARKLE_ACCOUNT="VibeTunnel"
./scripts/generate-appcast.sh
Post-Release Verification
-
Check GitHub Release:
- Verify assets are attached
- Check file sizes match
- Ensure release notes are formatted correctly
-
Test Update in App:
- Install previous version
- Check for updates
- Verify update downloads and installs
- Check signature verification in Console.app
-
Monitor for Issues:
- Watch Console.app for Sparkle errors
- Check GitHub issues for user reports
- Verify download counts on GitHub
Emergency Fixes
If Update Verification Fails
-
Regenerate appcast with correct account:
export SPARKLE_ACCOUNT="VibeTunnel" ./scripts/generate-appcast.sh git add ../appcast*.xml git commit -m "Fix appcast signatures" git push -
Users may need to manually download until appcast propagates
If DMG is Corrupted
- Re-download from GitHub
- Re-sign and re-notarize:
./scripts/sign-and-notarize.sh --sign-and-notarize ./scripts/notarize-dmg.sh build/VibeTunnel-*.dmg - Upload fixed DMG to GitHub release
Key Learnings
- Always use explicit accounts when dealing with signing operations
- Clean up resources (volumes, processes) before operations
- Verify file locations - don't assume standard paths
- Test the full update flow before announcing the release
- Keep credentials secure but easily accessible for scripts
- Document everything - future you will thank present you