This PR tightens the deploy release pipeline with a focus on reproducibility & release verification.
On the macOS side, it adds helper scripts for release signing & app verification, updates pinned toolchain inputs (Tauri CLI, clang, Xcode, SDK) to reflect the current versions of our macOS build environment, and normalizes how we compare signed release artifacts against unsigned reproducible build outputs. Signed macOS apps can't be compared naively byte-for-byte. Apple signing mutates release-only metadata in Mach-O files, so the comparison now uses normalized Mach-O content while preserving strict manifest-to-file integrity checks. Apple signature & notarization verification remain separate required checks.
On the Windows side, it adds the same signed-release split for Authenticode artifacts. The new Windows signing helper post-processes the unsigned output with Azure Artifact Signing + trusted timestamping. The new Windows verifier then checks the distributed signed installer against a local unsigned rebuild by stripping only the exact PE/Authenticode-managed regions (checksum, security directory, certificate table, and bounded alignment padding). Everything outside that signing envelope still has to match byte-for-byte. Authenticode verification, timestamp verification, publisher identity, and the pinned signer certificate thumbprint are separate required checks that verify those managed regions contain valid Windows signing metadata rather than arbitrary ignored bytes.
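To illustrate the "strip only the signing envelope" comparison described above, here is an added example (not the PR's own verifier script): it blanks the CheckSum field, the security data directory entry and the tail certificate table, tolerates at most 7 bytes of zero alignment padding, and requires everything else to match byte-for-byte. The `build_pe` helper, `DEMO_BODY` and `DEMO_CERT` are constructed fixtures for the demo, not real release artifacts.

```python
import struct

CHECKSUM_OFF = 64                              # CheckSum inside the optional header
SECURITY_DIR_OFF = {0x10B: 128, 0x20B: 144}    # data directory #4 for PE32 / PE32+

def strip_signing_envelope(data: bytes) -> bytes:
    """Blank the CheckSum, the security directory entry and the certificate table.
    Everything else is returned untouched so it can be compared byte-for-byte."""
    buf = bytearray(data)
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                # optional header follows the COFF header
    secdir = opt + SECURITY_DIR_OFF[struct.unpack_from("<H", buf, opt)[0]]
    cert_off, cert_size = struct.unpack_from("<II", buf, secdir)
    buf[opt + CHECKSUM_OFF:opt + CHECKSUM_OFF + 4] = bytes(4)
    buf[secdir:secdir + 8] = bytes(8)
    if cert_size:
        if cert_off + cert_size != len(buf):     # Authenticode keeps the table at the tail
            raise ValueError("certificate table is not the file tail")
        del buf[cert_off:]
    return bytes(buf)

def matches_unsigned_build(signed: bytes, unsigned: bytes, max_pad: int = 7) -> bool:
    """True when signed and unsigned differ only inside the signing envelope,
    allowing up to max_pad zero bytes of alignment padding before the table."""
    s, u = strip_signing_envelope(signed), strip_signing_envelope(unsigned)
    pad = len(s) - len(u)
    return 0 <= pad <= max_pad and s[:len(u)] == u and not any(s[len(u):])

def build_pe(body: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ layout for the demo: DOS header, PE signature,
    COFF header, 240-byte optional header, raw body, optional padded cert table."""
    image = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x80))
    image += bytes(0x80 - len(image)) + b"PE\0\0" + bytes(20)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, CHECKSUM_OFF, checksum)
    if cert:
        cert_off = (len(image) + 240 + len(body) + 7) & ~7   # signer aligns the table to 8
        struct.pack_into("<II", opt, SECURITY_DIR_OFF[0x20B], cert_off, len(cert))
    image += opt + body
    if cert:
        image += bytes(cert_off - len(image)) + cert
    return bytes(image)

# Constructed fixtures: a 21-byte "payload" and a fake WIN_CERTIFICATE (24 bytes).
DEMO_BODY = b"release payload bytes"
DEMO_CERT = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\x30" * 16
```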
On the more general side for the release pipeline, it fixes deterministic (Linux) AppImage builds by escaping whitespace in mksquashfs sort paths, stops producing RPM artifacts (as it's unnecessary for now), and drops unsupported deploy targets from the default matrix (x86_64-apple-darwin, aarch64-pc-windows-msvc) since we currently have no way to test those (however they can be built & reproduced if we do have a way to test in the future).
Finally, this rewrites the release verification README to document the split between regular byte-for-byte reproducible artifacts, Linux deploy artifacts, and signed macOS/Windows deploy releases. It now includes the fast-path commands, the signed checksum/source-revision trust model, platform-specific verification guarantees, and the limits of what these checks actually prove.