diff --git a/.changes/downgrade-minisign.md b/.changes/downgrade-minisign.md
new file mode 100644
index 000000000000..918440a6bcec
--- /dev/null
+++ b/.changes/downgrade-minisign.md
@@ -0,0 +1,6 @@
+---
+"tauri-cli": patch:bug
+"@tauri-apps/cli": patch:bug
+---
+
+Downgrade minisign dependency fixing updater signing key bug and prevent it from happening in the future.
diff --git a/tooling/cli/Cargo.lock b/tooling/cli/Cargo.lock
index 4c8f445ce04d..23a4c88cf25e 100644
--- a/tooling/cli/Cargo.lock
+++ b/tooling/cli/Cargo.lock
@@ -2618,9 +2618,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" [[package]] name = "minisign" -version = "0.7.5" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2b6f58413c6cee060115673578e47271838f3c87cb9322c61a3bcd6d740b7d2" +checksum = "b23ef13ff1d745b1e52397daaa247e333c607f3cff96d4df2b798dc252db974b" dependencies = [ "getrandom 0.2.11", "rpassword",
diff --git a/tooling/cli/Cargo.toml b/tooling/cli/Cargo.toml
index 9cc8942c6ab0..812c53de770b 100644
--- a/tooling/cli/Cargo.toml
+++ b/tooling/cli/Cargo.toml
@@ -65,7 +65,7 @@ toml = "0.8"
 jsonschema = "0.17"
 handlebars = "5.0"
 include_dir = "0.7"
-minisign = "=0.7.5"
+minisign = "=0.7.3"
 base64 = "0.21.5"
 ureq = { version = "2.8", default-features = false, features = [ "gzip" ] }
 os_info = "3"
diff --git a/tooling/cli/src/helpers/updater_signature.rs b/tooling/cli/src/helpers/updater_signature.rs
index 812f98305400..62c2fffc812d 100644
--- a/tooling/cli/src/helpers/updater_signature.rs
+++ b/tooling/cli/src/helpers/updater_signature.rs
@@ -160,3 +160,19 @@ where
 .map_err(|e| minisign::PError::new(minisign::ErrorKind::Io, e))?;
 Ok(BufReader::new(file))
 }
+
+#[cfg(test)]
+mod tests {
+ const PRIVATE_KEY: &str = "dW50cnVzdGVkIGNvbW1lbnQ6IHJzaWduIGVuY3J5cHRlZCBzZWNyZXQga2V5ClJXUlRZMEl5dkpDN09RZm5GeVAzc2RuYlNzWVVJelJRQnNIV2JUcGVXZUplWXZXYXpqUUFBQkFBQUFBQUFBQUFBQUlBQUFBQTZrN2RnWGh5dURxSzZiL1ZQSDdNcktiaHRxczQwMXdQelRHbjRNcGVlY1BLMTBxR2dpa3I3dDE1UTVDRDE4MXR4WlQwa1BQaXdxKy9UU2J2QmVSNXhOQWFDeG1GSVllbUNpTGJQRkhhTnROR3I5RmdUZi90OGtvaGhJS1ZTcjdZU0NyYzhQWlQ5cGM9Cg==";
+
+ // we use minisign=0.7.3 to prevent a breaking change
+ #[test]
+ fn empty_password_is_valid() {
+ let path = std::env::temp_dir().join("minisign-password-text.txt");
+ std::fs::write(&path, b"TAURI").expect("failed to write test file");
+
+ let secret_key =
+ super::secret_key(PRIVATE_KEY, Some("".into())).expect("failed to resolve secret key");
+ super::sign_file(&secret_key, &path).expect("failed to sign file");
+ }
+}
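Review bot: `empty_password_is_valid` writes its input to a fixed, predictable name in the shared temp directory (`std::env::temp_dir().join("minisign-password-text.txt")`) and never removes it, so concurrent runs on one host collide and the file, plus anything `sign_file` may write beside it (its body is outside this hunk), is left behind. A per-run name such as `format!("minisign-password-test-{}.txt", std::process::id())` with a `std::fs::remove_file(&path)` at the end would avoid both. The test asserts only that `secret_key` and `sign_file` return `Ok`, so it pins loading a key with an empty password but not that the resulting signature verifies against the matching public key. `PRIVATE_KEY` should carry a comment such as `// throwaway fixture key with an empty password; never use for release signing`, since secret scanners will flag it. The `// we use minisign=0.7.3 ...` comment would be more useful if it named the behaviour being protected, presumably that keys created with an empty password must still load, and pointed at the `=0.7.3` pin in `Cargo.toml`.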