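<#
.SYNOPSIS
    Generate the ed25519 keypair used to sign the apps manifest and app packages.

.DESCRIPTION
    Produces two files in .\keys\ :
      manifest-private.pem — KEEP SECRET. Never commit, never put on the server.
      manifest-public.pem  — Safe to commit; goes in src-tauri/src/config.rs.

    Also prints the raw 32-byte public key as base64 (the value for config.rs).

    Safety rails:
      * Refuses to overwrite an existing manifest-private.pem unless -Force is
        given. Regenerating silently rotates the signing key and every manifest
        and package already signed with the old key stops verifying.
      * Checks the exit code of every openssl call. $ErrorActionPreference does
        not stop the script when a native executable fails, so a broken OpenSSL
        install could otherwise leave an empty/partial key file behind.
      * Validates the DER SubjectPublicKeyInfo header before slicing out the raw
        key, so an unexpected key type or encoding cannot yield a wrong but
        valid-looking base64 value for config.rs.
      * Restricts the private key file ACL to the current user (best effort).

.PARAMETER OutputDir
    Directory the PEM files are written to. Default: .\keys

.PARAMETER Force
    Overwrite an existing manifest-private.pem. Use only when you intend to
    rotate the signing key.

.NOTES
    Requires OpenSSL 3.x. Install via: winget install ShiningLight.OpenSSL.Light
    Verify: openssl version
#>
param(
    [string]$OutputDir = ".\keys",
    [switch]$Force
)

$ErrorActionPreference = "Stop"

# ── Locate OpenSSL (probes common Windows install paths if not on PATH) ───────
. "$PSScriptRoot\_openssl.ps1"

# Wrapper that fails loudly when openssl returns non-zero.
# Deliberately a *simple* function (no param block): every token, including
# "-algorithm"-style switches, lands in $args and is passed through verbatim.
function Invoke-OpenSsl {
    & openssl @args
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null

$privPath = Join-Path $OutputDir "manifest-private.pem"
$pubPath  = Join-Path $OutputDir "manifest-public.pem"

# ── Refuse to clobber an existing signing key ────────────────────────────────
if ((Test-Path -Path $privPath) -and -not $Force) {
    throw ("Refusing to overwrite existing signing key '{0}'. Re-run with -Force only if " +
           "you intend to rotate the key; everything signed with the old key will stop verifying.") -f $privPath
}

# ── Generate ed25519 keypair ─────────────────────────────────────────────────
Write-Host "`nGenerating Ed25519 keypair..." -ForegroundColor Yellow
Invoke-OpenSsl genpkey -algorithm ed25519 -out $privPath
Invoke-OpenSsl pkey -in $privPath -pubout -out $pubPath

# ── Lock down the private key file (best effort) ─────────────────────────────
# openssl writes the file with whatever ACL the directory inherits; on a shared
# or cloud-synced folder that can include other accounts. Strip inheritance and
# grant only the current user. Non-fatal: on non-Windows hosts the ACL API
# differs, so warn rather than abort — but the operator must then fix it by hand.
try {
    $acl = Get-Acl -Path $privPath
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "FullControl", "Allow")
    $acl.SetAccessRule($rule)
    Set-Acl -Path $privPath -AclObject $acl
} catch {
    Write-Warning "Could not restrict the ACL on $privPath ($_). Make sure only you can read it."
}

# ── Extract raw 32-byte public key as base64 ─────────────────────────────────
# OpenSSL DER-encodes the public key as SubjectPublicKeyInfo (SPKI).
# Ed25519 SPKI = 12-byte header + 32-byte raw key = 44 bytes total:
#   30 2a                   SEQUENCE, 42 bytes
#     30 05 06 03 2b 65 70  AlgorithmIdentifier: OID 1.3.101.112 (Ed25519)
#     03 21 00              BIT STRING, 33 bytes, 0 unused bits
#     <32 raw key bytes>
# The public key is not secret, but the temp file is removed in a finally so a
# failed run leaves nothing behind.
$spkiHeader = [byte[]](0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00)
$tempDer    = Join-Path $env:TEMP "psg-pubkey-$([System.Guid]::NewGuid()).der"
try {
    Invoke-OpenSsl pkey -in $privPath -pubout -outform DER -out $tempDer
    $derBytes = [IO.File]::ReadAllBytes($tempDer)
} finally {
    Remove-Item -Path $tempDer -Force -ErrorAction SilentlyContinue
}

# Verify the structure before slicing. A fixed offset applied to an unexpected
# encoding would silently produce a wrong value that config.rs would accept.
if ($derBytes.Length -ne 44) {
    throw "Unexpected SPKI length $($derBytes.Length) (expected 44). Is this really an Ed25519 public key?"
}
for ($i = 0; $i -lt $spkiHeader.Length; $i++) {
    if ($derBytes[$i] -ne $spkiHeader[$i]) {
        throw ("Unexpected SPKI header byte at offset {0}: 0x{1:x2} (expected 0x{2:x2}); " +
               "refusing to extract the raw key.") -f $i, $derBytes[$i], $spkiHeader[$i]
    }
}

# Skip the 12-byte SPKI header to get the raw 32-byte key
$rawKeyBytes = $derBytes[12..43]
$rawKeyB64   = [Convert]::ToBase64String($rawKeyBytes)

# ── Output ───────────────────────────────────────────────────────────────────
Write-Host ""
Write-Host "Keys written to $OutputDir" -ForegroundColor Green
Write-Host "  Private : $privPath  ← KEEP SECRET, never commit" -ForegroundColor Red
Write-Host "  Public  : $pubPath"
Write-Host ""
Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
Write-Host "Paste this value into src-tauri/src/config.rs as MANIFEST_PUBLIC_KEY_B64:" -ForegroundColor Yellow
Write-Host ""
Write-Host "  $rawKeyB64" -ForegroundColor Cyan
Write-Host ""
Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
Write-Host ""
Write-Host "Next steps:"
Write-Host "  1. Copy the base64 value above into config.rs"
Write-Host "  2. Store manifest-private.pem as the Gitea CI secret MANIFEST_SIGNING_KEY"
Write-Host "  3. Run 'npm run tauri signer generate' for the Tauri self-updater key"
Write-Host "     and store that in CI as TAURI_SIGNING_PRIVATE_KEY"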