Codex fixes.

nedtwigg · nedtwigg · commit 2019cd5848b5 · 2026-04-10T18:24:25.000-07:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -75,17 +75,6 @@ jobs:
              standalone/src-tauri/target/${{ matrix.target }}/release/nsis/x64/plugins/
         shell: bash
 
-      - name: Stage updater bundles
-        run: |
-          dest="standalone/src-tauri/target/${{ matrix.target }}/release/updater-bundles"
-          mkdir -p "$dest"
-          find standalone/src-tauri/target/${{ matrix.target }}/release/bundle \
-            \( -name "*.tar.gz" -o -name "*.tar.gz.sig" -o -name "*.nsis.zip" -o -name "*.nsis.zip.sig" \) \
-            -exec cp {} "$dest/" \;
-          echo "Staged updater bundles:"
-          ls -la "$dest/" 2>/dev/null || echo "(empty)"
-        shell: bash
-
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -97,7 +86,6 @@ jobs:
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.dmg
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.app
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.AppImage
-            standalone/src-tauri/target/${{ matrix.target }}/release/updater-bundles/*
             standalone/src-tauri/target/${{ matrix.target }}/release/bundle/nsis/**
             standalone/src-tauri/target/${{ matrix.target }}/release/nsis/**
             standalone/sidecar/**
diff --git a/docs/specs/deploy.md b/docs/specs/deploy.md
@@ -7,9 +7,9 @@ Every release produces three artifact groups under one version and changelog:
 | Artifact | Format | Destination |
 |----------|--------|-------------|
 | VSCode extension | `.vsix` | VS Code Marketplace + OpenVSX |
-| Standalone (Windows) | `.nsis.zip` (contains NSIS installer) | GitHub Release + Tauri updater |
+| Standalone (Windows) | `.exe` (NSIS installer) | GitHub Release + Tauri updater |
 | Standalone (macOS, Apple Silicon) | `.tar.gz` (contains signed `.app`) | GitHub Release + Tauri updater |
-| Standalone (Linux) | `.AppImage.tar.gz` (contains AppImage) | GitHub Release + Tauri updater |
+| Standalone (Linux) | `.AppImage` | GitHub Release + Tauri updater |
 
 ## Release checklist
 
@@ -34,7 +34,7 @@ Human-driven steps, in order:
 9. **Verify the release**
    - Check GitHub Release assets are correct
    - On a Mac: extract the `.tar.gz`, open the `.app`, confirm no Gatekeeper warnings
-   - On Windows: extract the `.nsis.zip`, run the installer, confirm no SmartScreen warnings
+   - On Windows: run the `.exe` installer, confirm no SmartScreen warnings
    - Confirm Tauri auto-updater picks up the new version (test from a previous version)
    - Confirm VSCode extension is live on Marketplace and OpenVSX
 
@@ -158,13 +158,13 @@ There are two independent signing layers. OS signing proves the executable is fr
 | Layer | What it signs | Who verifies | What happens without it |
 |-------|--------------|--------------|------------------------|
 | OS (codesign / jsign) | The executable (`.app` / `.exe`) | The OS, on launch | Gatekeeper / SmartScreen warnings |
-| Tauri updater (ed25519) | The update bundle (`.tar.gz` / `.nsis.zip`) | The running app, on update | Updater rejects the download |
+| Tauri updater (ed25519) | The update bundle (`.tar.gz` / `.exe` / `.AppImage`) | The running app, on update | Updater rejects the download |
 
 **Order matters:** OS-sign the inner executable first, then package it into the update bundle, then Tauri-sign the bundle. The `.sig` file is generated from the final bundle that already contains the OS-signed binary.
 
 ```
 codesign/jsign the executable
-  → package into update bundle (.tar.gz / .nsis.zip)
+  → package into update bundle (.tar.gz for macOS; installer/AppImage directly on Windows/Linux)
     → Tauri-sign the bundle → produces .sig file
       → upload bundle + .sig to GitHub Release
 ```
@@ -186,14 +186,15 @@ codesign/jsign the executable
 4. **Sign Windows** (OS layer)
    - Sign the inner exe: `jsign --storetype PIV --storepass "$PIN" --alias AUTHENTICATION --tsaurl http://ts.ssl.com --tsmode RFC3161 MouseTerm.exe`
    - Rebuild the NSIS installer around the signed exe
-   - Sign the installer exe: `jsign ... MouseTerm-windows-x64.exe`
+   - Sign the installer exe: `jsign ... MouseTerm-windows-x64-setup.exe`
 5. **Sign update bundles** (Tauri layer)
-   - Tauri-sign each update bundle (the `.tar.gz` and `.nsis.zip` from steps 3-4) using `TAURI_SIGNING_PRIVATE_KEY`
+   - Tauri-sign each update bundle using `TAURI_SIGNING_PRIVATE_KEY`
+   - Current Tauri v2 output mode (`createUpdaterArtifacts: true`) uses the NSIS installer `.exe` directly on Windows and the `.AppImage` directly on Linux
    - This produces a `.sig` file per bundle
    - Build the update manifest JSON (see below) with the `.sig` contents inline
 6. **Create GitHub Release**
    - `gh release create v0.1.0 --title "v0.1.0" --notes-file CHANGELOG.md`
-   - Upload: update bundles (`.tar.gz`, `.nsis.zip`, `.AppImage.tar.gz`)
+   - Upload: update bundles (`.tar.gz`, `.exe`, `.AppImage`)
 7. **Verify** — spot-check signatures, confirm release assets are correct
 
 ### Resuming after failure
@@ -202,6 +203,7 @@ codesign/jsign the executable
 ./scripts/sign-and-deploy.sh resume 0.1.0  # re-download + sign + release
 ./scripts/sign-and-deploy.sh sign-mac       # re-sign macOS only
 ./scripts/sign-and-deploy.sh sign-win       # re-sign Windows only
+./scripts/sign-and-deploy.sh sign-updates 0.1.0  # regenerate updater signatures from existing signed work
 ./scripts/sign-and-deploy.sh release 0.1.0  # re-create GitHub Release only
 ```
 
@@ -211,18 +213,18 @@ All release assets use **stable filenames** (no version in the name). This allow
 
 | Asset | Filename | Purpose |
 |-------|----------|---------|
-| Windows | `MouseTerm-windows-x64.nsis.zip` | Download + Tauri updater |
+| Windows | `MouseTerm-windows-x64-setup.exe` | Download + Tauri updater |
 | macOS | `MouseTerm-macos-aarch64.tar.gz` | Download + Tauri updater |
-| Linux | `MouseTerm-linux-x86_64.AppImage.tar.gz` | Download + Tauri updater |
+| Linux | `MouseTerm-linux-x86_64.AppImage` | Download + Tauri updater |
 
 ### Download hotlinks
 
 The mouseterm.com download page can link directly to the latest release with no server-side logic:
 
 ```
-https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-windows-x64.nsis.zip
+https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-windows-x64-setup.exe
 https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-macos-aarch64.tar.gz
-https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-linux-x86_64.AppImage.tar.gz
+https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-linux-x86_64.AppImage
 ```
 
 These can later be migrated to `mouseterm.com/download/...` URLs backed by Cloudflare R2 (for analytics) without changing anything in the app — only the website links and the updater endpoint URL in `tauri.conf.json` would change.
@@ -249,6 +251,8 @@ In `standalone/src-tauri/tauri.conf.json`:
 }
 ```
 
+`createUpdaterArtifacts: true` is the Tauri v2 artifact mode. In this mode Windows updates use the NSIS installer `.exe` directly, Linux updates use the `.AppImage` directly, and macOS updates use the `.app.tar.gz` archive. Do not configure `"v1Compatible"` unless intentionally producing legacy `.nsis.zip` and `.AppImage.tar.gz` updater bundles for old Tauri v1 clients.
+
 And in the Rust app bootstrap (`standalone/src-tauri/src/lib.rs`), the updater plugin is registered with:
 
 ```rust
@@ -268,15 +272,15 @@ Generated by the local script after signing. The script writes it to `website/pu
   "pub_date": "2026-03-25T12:00:00Z",
   "platforms": {
     "windows-x86_64": {
-      "url": "https://github.com/diffplug/mouseterm/releases/download/v0.1.0/MouseTerm-windows-x64.nsis.zip",
+      "url": "https://github.com/diffplug/mouseterm/releases/download/v0.1.0/MouseTerm-windows-x64-setup.exe",
       "signature": "<contents of .sig file>"
     },
     "darwin-aarch64": {
       "url": "https://github.com/diffplug/mouseterm/releases/download/v0.1.0/MouseTerm-macos-aarch64.tar.gz",
       "signature": "<contents of .sig file>"
     },
     "linux-x86_64": {
-      "url": "https://github.com/diffplug/mouseterm/releases/download/v0.1.0/MouseTerm-linux-x86_64.AppImage.tar.gz",
+      "url": "https://github.com/diffplug/mouseterm/releases/download/v0.1.0/MouseTerm-linux-x86_64.AppImage",
       "signature": "<contents of .sig file>"
     }
   }
diff --git a/scripts/sign-and-deploy.sh b/scripts/sign-and-deploy.sh
@@ -46,9 +46,9 @@ TSA_URL="http://ts.ssl.com"
 GITHUB_REPO="diffplug/mouseterm"
 
 # Stable filenames for release assets (update bundles only)
-FNAME_WIN="MouseTerm-windows-x64.nsis.zip"
+FNAME_WIN="MouseTerm-windows-x64-setup.exe"
 FNAME_MAC="MouseTerm-macos-aarch64.tar.gz"
-FNAME_LINUX="MouseTerm-linux-x86_64.AppImage.tar.gz"
+FNAME_LINUX="MouseTerm-linux-x86_64.AppImage"
 
 # =============================================================================
 # Helper Functions
@@ -507,39 +507,33 @@ sign_updates() {
     prompt_secret_multiline TAURI_SIGNING_PRIVATE_KEY "Enter Tauri signing private key"
 
     local release_dir="$WORK_DIR/release-assets"
+    rm -rf "$release_dir"
     mkdir -p "$release_dir"
 
     # Collect update bundles with stable filenames
     # macOS .tar.gz (created by notarize step from signed+notarized .app)
-    [[ -f "$SIGN_DIR/$FNAME_MAC" ]] && cp "$SIGN_DIR/$FNAME_MAC" "$release_dir/"
-
-    # Windows NSIS zip — rebuild with signed installer
-    local win_nsis
-    win_nsis=$(find "$SIGN_DIR/standalone-win-x64" -path "*/updater-bundles/*.nsis.zip" -o -name "*.nsis.zip" | head -1)
-    if [[ -n "$win_nsis" ]]; then
-        log "Rebuilding NSIS zip with signed installer..."
-        local signed_installer="$SIGN_DIR/standalone-win-x64/bundle/nsis/"
-        local nsis_tmp="$SIGN_DIR/nsis-repack"
-        mkdir -p "$nsis_tmp"
-        unzip -o "$win_nsis" -d "$nsis_tmp"
-        # Find the signed installer and replace the one in the zip
-        local signed_setup
-        signed_setup=$(find "$SIGN_DIR/standalone-win-x64" -name "*setup*.exe" | head -1)
-        if [[ -n "$signed_setup" ]]; then
-            local inner_setup
-            inner_setup=$(find "$nsis_tmp" -name "*setup*.exe" | head -1)
-            if [[ -n "$inner_setup" ]]; then
-                cp "$signed_setup" "$inner_setup"
-            fi
-        fi
-        (cd "$nsis_tmp" && zip -r "$release_dir/$FNAME_WIN" .)
-        rm -rf "$nsis_tmp"
-    fi
-
-    # Linux AppImage.tar.gz
+    [[ -f "$SIGN_DIR/$FNAME_MAC" ]] || error "macOS update bundle not found at $SIGN_DIR/$FNAME_MAC. Run signing and notarization first."
+    cp "$SIGN_DIR/$FNAME_MAC" "$release_dir/"
+
+    # Windows NSIS installer. With Tauri v2 createUpdaterArtifacts=true,
+    # the installer itself is the updater bundle; there is no .nsis.zip.
+    local signed_setup
+    signed_setup=$(find "$SIGN_DIR/standalone-win-x64" \
+        -path "*/release/bundle/nsis/*setup*.exe" \
+        -type f \
+        | head -1)
+    [[ -n "$signed_setup" ]] || error "Windows NSIS installer not found. Run Windows signing first."
+    cp "$signed_setup" "$release_dir/$FNAME_WIN"
+
+    # Linux AppImage. With Tauri v2 createUpdaterArtifacts=true,
+    # the AppImage itself is the updater bundle; there is no .AppImage.tar.gz.
     local linux_update
-    linux_update=$(find "$SIGN_DIR/standalone-linux-x64" -path "*/updater-bundles/*.AppImage.tar.gz" -o -name "*.AppImage.tar.gz" | head -1)
-    [[ -n "$linux_update" ]] && cp "$linux_update" "$release_dir/$FNAME_LINUX"
+    linux_update=$(find "$SIGN_DIR/standalone-linux-x64" \
+        -path "*/release/bundle/appimage/*.AppImage" \
+        -type f \
+        | head -1)
+    [[ -n "$linux_update" ]] || error "Linux AppImage not found in signed work directory."
+    cp "$linux_update" "$release_dir/$FNAME_LINUX"
 
     # Generate .sig files for update bundles using Tauri CLI
     for bundle in "$release_dir/$FNAME_MAC" \
@@ -567,6 +561,10 @@ sign_updates() {
     [[ -f "$release_dir/$FNAME_WIN.sig" ]] && { sig_win=$(cat "$release_dir/$FNAME_WIN.sig"); rm "$release_dir/$FNAME_WIN.sig"; }
     [[ -f "$release_dir/$FNAME_LINUX.sig" ]] && { sig_linux=$(cat "$release_dir/$FNAME_LINUX.sig"); rm "$release_dir/$FNAME_LINUX.sig"; }
 
+    [[ -n "$sig_mac" ]] || error "Missing Tauri signature for $FNAME_MAC"
+    [[ -n "$sig_win" ]] || error "Missing Tauri signature for $FNAME_WIN"
+    [[ -n "$sig_linux" ]] || error "Missing Tauri signature for $FNAME_LINUX"
+
     local website_manifest="$REPO_ROOT/website/public/standalone-latest.json"
     cat > "$website_manifest" <<EOF
 {
@@ -609,6 +607,9 @@ create_release() {
     check_command gh "brew install gh && gh auth login"
 
     [[ -d "$release_dir" ]] || error "Release assets not found at $release_dir. Run signing steps first."
+    for asset in "$FNAME_MAC" "$FNAME_WIN" "$FNAME_LINUX"; do
+        [[ -f "$release_dir/$asset" ]] || error "Release asset missing: $release_dir/$asset. Run sign-updates first."
+    done
 
     # Extract changelog for this version
     local notes_file="$WORK_DIR/release-notes.md"
@@ -660,7 +661,7 @@ Commands:
     sign-mac            Re-sign macOS app bundles
     notarize            Re-notarize macOS apps
     sign-win            Re-sign Windows executable
-    sign-updates VER    Re-generate Tauri update signatures and manifest
+    sign-updates VER    Re-generate Tauri update signatures and manifest from existing signed work
     release VERSION     Re-create GitHub Release from existing signed assets
 
 Environment Variables:
@@ -673,6 +674,7 @@ Examples:
     $(basename "$0") all 0.1.0       # Full pipeline
     $(basename "$0") resume 0.1.0    # Resume after CI completed
     $(basename "$0") sign-mac        # Re-sign macOS only
+    $(basename "$0") sign-updates 0.1.0 # Re-sign update bundles only
     $(basename "$0") release 0.1.0   # Re-create GitHub Release
 EOF
 }
@@ -730,7 +732,7 @@ main() {
         sign-updates)
             local version="${2:-}"
             [[ -z "$version" ]] && error "Usage: $(basename "$0") sign-updates <version>"
-            prepare_sign_dir
+            [[ -d "$SIGN_DIR" ]] || error "Signed work directory not found at $SIGN_DIR. Run all/resume first."
             sign_updates "$version"
             ;;
         release)
