Auto-updater signing keys
Gnomad uses the Tauri updater plugin with minisign-signed release artifacts.
One-time setup
- Generate a key pair (keep the private key secret):
    npm run setup:updater-keys
    # or manually:
    cd src-tauri && npx tauri signer generate -w ~/.tauri/gnomad-updater.key
- Copy the public key contents into src-tauri/tauri.conf.json → plugins.updater.pubkey (full string, not a file path).
- Add GitHub Actions secrets for release builds:
| Secret | Value |
|---|---|
| TAURI_SIGNING_PRIVATE_KEY | Contents of the private key file |
| TAURI_SIGNING_PRIVATE_KEY_PASSWORD | Key password (empty string if none) |
Channels
| Channel | Endpoint |
|---|---|
| Stable | …/releases/latest/download/latest.json |
| Beta | …/releases/download/v0.2.0-beta.1/latest.json (pre-releases) |
Users choose the channel in Settings → Updates. The release workflow uploads latest.json when includeUpdaterJson: true.
Verify locally
Before tagging a release:
npm run verify:updater
After a tagged release, install the previous version and use Check for updates in Settings. Updates only install when the artifact signature matches the embedded public key.
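A signature made with a different key than the one embedded in tauri.conf.json is the failure the last sentence describes. The added example below (not Gnomad's verify:updater script, and not code from the project) compares the minisign key ID in each latest.json signature with the key ID of the embedded pubkey. The function names, the sample values and the encoding described in the first comment are assumptions; the check does not verify the signature itself.

```javascript
// Added example, not Gnomad's verify:updater script. Assumed encoding: pubkey and
// each `signature` are base64 of a minisign text file whose payload line is base64
// of a 2-byte algorithm, an 8-byte key ID, then the key (32 B) or signature (64 B).

function strictB64(s) {
  if (typeof s !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) {
    throw new Error('not base64 (empty value or a file path?)');
  }
  return Buffer.from(s, 'base64');
}

// Return the key ID (hex, byte order as stored) from a pubkey or signature value.
function minisignKeyId(outerB64, expectedLen) {
  const lines = strictB64(outerB64).toString('utf8').split(/\r?\n/);
  const payload = lines.find((l) => l && !/^(un)?trusted comment:/.test(l));
  const raw = strictB64(payload);
  if (raw.length !== expectedLen) throw new Error(`payload is ${raw.length} bytes, want ${expectedLen}`);
  return raw.subarray(2, 10).toString('hex');
}

// Compare every platform signature in latest.json with the pubkey in tauri.conf.json.
// Returns a list of problems; an empty list means all signatures name the embedded key.
function checkUpdaterManifest(tauriConf, latest) {
  let pubId;
  try {
    pubId = minisignKeyId(tauriConf?.plugins?.updater?.pubkey, 42);
  } catch (e) {
    return [`pubkey: ${e.message}`];
  }
  const platforms = Object.entries(latest?.platforms ?? {});
  if (platforms.length === 0) return ['latest.json lists no platforms'];
  const problems = [];
  for (const [name, entry] of platforms) {
    try {
      const sigId = minisignKeyId(entry.signature, 74);
      if (sigId !== pubId) problems.push(`${name}: signed with key ${sigId}, app embeds ${pubId}`);
    } catch (e) {
      problems.push(`${name}: signature ${e.message}`);
    }
  }
  return problems;
}

// Constructed sample values built from filler bytes (not real keys or signatures).
const wrap = (comment, raw) =>
  Buffer.from(`untrusted comment: ${comment}\n${raw.toString('base64')}\n`).toString('base64');
const sampleKeyId = Buffer.from('0102030405060708', 'hex');
const samplePub = wrap('minisign public key', Buffer.concat([Buffer.from('Ed'), sampleKeyId, Buffer.alloc(32, 7)]));
const sampleSig = (id) => wrap('signature', Buffer.concat([Buffer.from('ED'), id, Buffer.alloc(64, 9)]));
```

In a real check, pass the parsed contents of src-tauri/tauri.conf.json and the built latest.json to checkUpdaterManifest and fail the build when the returned list is not empty.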