67 lines
3.3 KiB
PowerShell
67 lines
3.3 KiB
PowerShell
<#
|
|
.SYNOPSIS
|
|
Generate the ed25519 keypair used to sign the apps manifest and app packages.
|
|
|
|
.DESCRIPTION
|
|
Produces two files in .\keys\ :
|
|
manifest-private.pem — KEEP SECRET. Never commit, never put on the server.
|
|
manifest-public.pem — Safe to commit; goes in src-tauri/src/config.rs.
|
|
|
|
Also prints the raw 32-byte public key as base64 (the value for config.rs).
|
|
|
|
.NOTES
|
|
Requires OpenSSL 3.x. Install via: winget install ShiningLight.OpenSSL.Light
|
|
Verify: openssl version
|
|
#>
|
|
|
|
param(
|
|
[string]$OutputDir = ".\keys"
|
|
)
|
|
|
|
$ErrorActionPreference = "Stop"
|
|
|
|
# ── Locate OpenSSL (probes common Windows install paths if not on PATH) ───────
|
|
. "$PSScriptRoot\_openssl.ps1"
|
|
|
|
New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
|
|
|
|
$privPath = Join-Path $OutputDir "manifest-private.pem"
|
|
$pubPath = Join-Path $OutputDir "manifest-public.pem"
|
|
|
|
# ── Generate ed25519 keypair ─────────────────────────────────────────────────
|
|
Write-Host "`nGenerating Ed25519 keypair..." -ForegroundColor Yellow
|
|
& openssl genpkey -algorithm ed25519 -out $privPath
|
|
& openssl pkey -in $privPath -pubout -out $pubPath
|
|
|
|
# ── Extract raw 32-byte public key as base64 ─────────────────────────────────
|
|
# OpenSSL DER-encodes the public key as SubjectPublicKeyInfo (SPKI).
|
|
# Ed25519 SPKI = 12-byte header + 32-byte raw key = 44 bytes total.
|
|
# Write to a temp file so we can read the raw bytes.
|
|
$tempDer = Join-Path $env:TEMP "psg-pubkey-$([System.Guid]::NewGuid()).der"
|
|
& openssl pkey -in $privPath -pubout -outform DER -out $tempDer
|
|
$derBytes = [IO.File]::ReadAllBytes($tempDer)
|
|
Remove-Item $tempDer -Force
|
|
|
|
# Skip the 12-byte SPKI header to get the raw 32-byte key
|
|
$rawKeyBytes = $derBytes[12..43]
|
|
$rawKeyB64 = [Convert]::ToBase64String($rawKeyBytes)
|
|
|
|
# ── Output ───────────────────────────────────────────────────────────────────
|
|
Write-Host ""
|
|
Write-Host "Keys written to $OutputDir" -ForegroundColor Green
|
|
Write-Host " Private : $privPath ← KEEP SECRET, never commit" -ForegroundColor Red
|
|
Write-Host " Public : $pubPath"
|
|
Write-Host ""
|
|
Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
|
|
Write-Host "Paste this value into src-tauri/src/config.rs as MANIFEST_PUBLIC_KEY_B64:" -ForegroundColor Yellow
|
|
Write-Host ""
|
|
Write-Host " $rawKeyB64" -ForegroundColor Cyan
|
|
Write-Host ""
|
|
Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
|
|
Write-Host ""
|
|
Write-Host "Next steps:"
|
|
Write-Host " 1. Copy the base64 value above into config.rs"
|
|
Write-Host " 2. Store manifest-private.pem as the Gitea CI secret MANIFEST_SIGNING_KEY"
|
|
Write-Host " 3. Run 'npm run tauri signer generate' for the Tauri self-updater key"
|
|
Write-Host " and store that in CI as TAURI_SIGNING_PRIVATE_KEY"
|