feat: enhance Tauri app with server checksum upload and JWT secret management

Author: lcomplete

.github/workflows/release.yml

@@ -142,6 +142,7 @@ jobs:
           mv app/client/build release/huntly-client
           cd release
           zip -r huntly-client-${{ steps.get_version.outputs.version-without-v }}.zip ./huntly-client/*
+          sha256sum huntly-server.jar > huntly-server-${{ steps.get_version.outputs.version-without-v }}.jar.sha256
 
       - name: Upload client-build to release
         id: upload-client-asset
@@ -163,4 +164,15 @@ jobs:
           upload_url: ${{ needs.create-release.outputs.release_upload_url }}
           asset_path: release/huntly-server.jar
           asset_name: huntly-server-${{ steps.get_version.outputs.version-without-v }}.jar
-          asset_content_type: application/java-archive
+          asset_content_type: application/java-archive
+
+      - name: Upload server checksum to release
+        id: upload-server-checksum-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.release_upload_url }}
+          asset_path: release/huntly-server-${{ steps.get_version.outputs.version-without-v }}.jar.sha256
+          asset_name: huntly-server-${{ steps.get_version.outputs.version-without-v }}.jar.sha256
+          asset_content_type: text/plain

.github/workflows/tauri-build.yml

@@ -144,7 +144,7 @@ jobs:
           import os
 
           pubkey = os.environ.get("TAURI_UPDATER_PUBKEY", "")
-          updater = {"active": False} if not pubkey else {"pubkey": pubkey}
+          updater = {"active": False} if not pubkey else {"active": True, "pubkey": pubkey}
           config = {"plugins": {"updater": updater}}
 
           print("TAURI_CONFIG<<EOF")

.github/workflows/tauri-release.yml

@@ -47,7 +47,7 @@ jobs:
       - name: Create Release
         uses: ncipollo/release-action@v1
         with:
-          draft: false
+          draft: true
           name: Desktop ${{ steps.get_version.outputs.version }}
           tag: ${{ steps.get_version.outputs.tag_name }}
           body: "${{ steps.tag.outputs.message }}"
@@ -181,6 +181,44 @@ jobs:
           rm -rf jre11
           jlink --module-path "$JAVA_HOME/jmods" --add-modules java.compiler,java.sql,java.naming,java.management,java.instrument,java.rmi,java.desktop,jdk.internal.vm.compiler.management,java.xml.crypto,java.scripting,java.security.jgss,jdk.httpserver,java.net.http,jdk.naming.dns,jdk.crypto.cryptoki,jdk.unsupported --strip-debug --compress 2 --no-header-files --no-man-pages --output jre11
 
+      - name: Prepare macOS signing credentials
+        if: matrix.platform == 'macos-14'
+        run: |
+          for name in APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD APPLE_SIGNING_IDENTITY APPLE_API_ISSUER APPLE_API_KEY APPLE_API_PRIVATE_KEY; do
+            if [ -z "${!name}" ]; then
+              echo "$name secret is required for macOS desktop releases"
+              exit 1
+            fi
+          done
+          key_path="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY}.p8"
+          printf '%s' "$APPLE_API_PRIVATE_KEY" > "$key_path"
+          echo "APPLE_API_KEY_PATH=$key_path" >> "$GITHUB_ENV"
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_PRIVATE_KEY: ${{ secrets.APPLE_API_PRIVATE_KEY }}
+
+      - name: Import Windows signing certificate
+        if: matrix.platform == 'windows-2022'
+        shell: pwsh
+        run: |
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE)) { throw "WINDOWS_CERTIFICATE secret is required for Windows desktop releases" }
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE_PASSWORD)) { throw "WINDOWS_CERTIFICATE_PASSWORD secret is required for Windows desktop releases" }
+          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_CERTIFICATE_THUMBPRINT)) { throw "WINDOWS_CERTIFICATE_THUMBPRINT secret is required for Windows desktop releases" }
+          New-Item -ItemType Directory -Force -Path certificate | Out-Null
+          Set-Content -Path certificate/tempCert.txt -Value $env:WINDOWS_CERTIFICATE
+          certutil -decode certificate/tempCert.txt certificate/certificate.pfx
+          Remove-Item certificate/tempCert.txt
+          $securePassword = ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText
+          Import-PfxCertificate -FilePath certificate/certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword | Out-Null
+        env:
+          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+          WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }}
+
       - name: Prepare Tauri release config
         run: |
           python3 - <<'PY' >> "$GITHUB_ENV"
@@ -195,19 +233,45 @@ jobs:
               "version": os.environ["TAURI_VERSION"],
               "plugins": {
                   "updater": {
+                      "active": True,
+                      "dialog": False,
                       "pubkey": pubkey,
                       "endpoints": [os.environ["TAURI_UPDATER_ENDPOINT"]],
                   }
               },
           }
 
+          bundle = {}
+          platform = os.environ["TAURI_BUILD_PLATFORM"]
+          if platform == "macos-14":
+              signing_identity = os.environ.get("APPLE_SIGNING_IDENTITY", "")
+              if not signing_identity:
+                  raise SystemExit("APPLE_SIGNING_IDENTITY secret is required for macOS desktop releases")
+              bundle["macOS"] = {"signingIdentity": signing_identity}
+          elif platform == "windows-2022":
+              certificate_thumbprint = os.environ.get("WINDOWS_CERTIFICATE_THUMBPRINT", "")
+              if not certificate_thumbprint:
+                  raise SystemExit("WINDOWS_CERTIFICATE_THUMBPRINT secret is required for Windows desktop releases")
+              bundle["windows"] = {
+                  "certificateThumbprint": certificate_thumbprint,
+                  "digestAlgorithm": "sha256",
+                  "timestampUrl": os.environ.get("WINDOWS_TIMESTAMP_URL") or "http://timestamp.digicert.com",
+              }
+
+          if bundle:
+              config["bundle"] = bundle
+
           print("TAURI_CONFIG<<EOF")
           print(json.dumps(config))
           print("EOF")
           PY
         env:
           TAURI_VERSION: ${{ needs.create-release.outputs.version }}
+          TAURI_BUILD_PLATFORM: ${{ matrix.platform }}
           TAURI_UPDATER_PUBKEY: ${{ secrets[format('TAURI_{0}', 'UPDATER_PUBKEY')] }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }}
+          WINDOWS_TIMESTAMP_URL: ${{ secrets.WINDOWS_TIMESTAMP_URL }}
 
       - name: Build the app
         run: |
@@ -216,6 +280,11 @@ jobs:
         env:
           TAURI_SIGNING_PRIVATE_KEY: ${{ secrets[format('TAURI_{0}', 'SIGNING_PRIVATE_KEY')] }}
           TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets[format('TAURI_{0}', 'SIGNING_PRIVATE_KEY_PASSWORD')] }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
 
       - name: Collect release artifacts
         run: |
@@ -315,4 +384,11 @@ jobs:
           fi
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
+          GH_REPO: ${{ github.repository }}
+
+      - name: Publish desktop release
+        run: gh release edit "$TAG_NAME" --draft=false
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          TAG_NAME: ${{ needs.create-release.outputs.tag_name }}

app/tauri/package.json

@@ -22,7 +22,6 @@
     "@tauri-apps/api": "^2.0.0",
     "@tauri-apps/plugin-autostart": "^2.0.0",
     "@tauri-apps/plugin-dialog": "^2.0.0",
-    "@tauri-apps/plugin-fs": "^2.0.0",
     "@tauri-apps/plugin-updater": "^2.0.0",
     "@tauri-apps/plugin-shell": "^2.0.0",
     "@tauri-apps/plugin-store": "^2.4.1",

app/tauri/src-tauri/Cargo.lock

@@ -1,10 +1,10 @@
 [package]
 name = "huntly-app"
-version = "0.0.0"
-description = "A Tauri App"
-authors = ["you"]
-license = ""
-repository = ""
+version = "0.1.0"
+description = "Huntly desktop app"
+authors = ["lcomplete"]
+license = "Apache-2.0"
+repository = "https://github.com/lcomplete/huntly"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
@@ -21,14 +21,15 @@ embed-resource = "2.1"
 tauri = { version = "2", features = ["tray-icon"] }
 tauri-plugin-autostart = "2"
 tauri-plugin-shell = "2"
-tauri-plugin-fs = "2"
 tauri-plugin-dialog = "2"
 tauri-plugin-updater = "2.0.0"
 serde = { version = "1.0", features = ["derive"] }
 reqwest = { version = "0.11.16", features = ["json", "cookies"] }
 serde_json = "1.0"
 lazy_static = "1.4"
 zip = "7.0.0"
+sha2 = "0.10"
+getrandom = "0.2"
 
 [target.'cfg(target_os = "macos")'.dependencies]
 objc2 = "0.6.3"

app/tauri/src-tauri/Cargo.toml

@@ -8,20 +8,6 @@
     "updater:default",
     "shell:allow-open",
     "autostart:default",
-    "fs:default",
-    {
-      "identifier": "fs:allow-read",
-      "allow": [{"path": "$APPDATA/**"}, {"path": "$HOME/**"}]
-    },
-    {
-      "identifier": "fs:allow-write",
-      "allow": [{"path": "$APPDATA/**"}, {"path": "$HOME/**"}]
-    },
-    {
-      "identifier": "fs:allow-exists",
-      "allow": [{"path": "$APPDATA/**"}, {"path": "$HOME/**"}]
-    },
-    "fs:allow-mkdir",
     "dialog:default",
     "dialog:allow-open"
   ]