From 65a34be39f21e42f3be4310403f5c7e38f083487 Mon Sep 17 00:00:00 2001 From: Steven Enamakel Date: Fri, 24 Apr 2026 21:15:36 -0700 Subject: [PATCH] chore(updater): rotate pubkey to 7494D291DAB5B3E1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous pubkey 7C43D797C5B7C047 corresponds to a private key whose passphrase has been lost — releases signed with it would be unverifiable in CI and locally. The new pubkey 7494D291DAB5B3E1 matches the working signing key, so signed updater artifacts can actually be produced going forward. The updater plugin is still inactive on main (`plugins.updater.active` is false until the plugin-wiring PR lands), so this rotation has no runtime effect today — it just sets the canonical pubkey for the first build that turns the updater on. Backwards-compat: any release previously signed with the 7C43 key will no longer validate against builds carrying this pubkey. Per the wiring PR's notes, no installs in the wild today have the updater plugin compiled in, so nothing existing would have validated regardless — net compatibility cost is zero. Action item for repo owner: ensure the GitHub Actions secret `TAURI_SIGNING_PRIVATE_KEY` (or legacy fallback `UPDATER_PRIVATE_KEY`) holds the matching private key contents, and that `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` (or `UPDATER_PRIVATE_KEY_PASSWORD`) is the correct passphrase. --- app/src-tauri/tauri.conf.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src-tauri/tauri.conf.json b/app/src-tauri/tauri.conf.json index 2a5e3ca9a1..b05cfaf846 100644 --- a/app/src-tauri/tauri.conf.json +++ b/app/src-tauri/tauri.conf.json @@ -75,7 +75,7 @@ "plugins": { "updater": { "active": false, - "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDdDNDNENzk3QzVCN0MwNDcKUldSSHdMZkZsOWREZkpicit5c2ZWTDJtcDVhT25WMXkzbUJqcW5ucVBDdU1kN29GbUwwRDFkTkoK", + "pubkey": "dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDc0OTREMjkxREFCNUIzRTEKUldUaHM3WGFrZEtVZEJzZWtMTlc5dGxnT0R2Q3hUTWVaclJWSm9JUFpPcVFUV2RBSG5oNFN6UjQK", "endpoints": [ "https://github.com/tinyhumansai/openhuman/releases/latest/download/latest.json" ]