Shadowbroker/desktop-shell/tauri-skeleton/RELEASE.md
2026-05-01 22:56:50 -06:00

Desktop Release Guide

This directory now has a repeatable desktop release path with branded bundle icons, checksum output, Tauri updater artifacts, and a local updater signing key path. It does not yet cover full Windows/macOS distribution signing or notarization.

Entry points

Use any of these:

# POSIX shell
./build.sh

# Windows PowerShell
./build.ps1

# Cross-platform npm wrapper
npm --prefix desktop-shell run build:desktop

Use --clean when you want to wipe the previous static export, companion bundle, managed backend bundle, generated icons, and old installer outputs before rebuilding.

Prerequisites:

  • Rust toolchain
  • cargo tauri available via cargo install tauri-cli@^2
  • Node.js / npm with the frontend dependencies already installed

CI / GitHub Actions

The repo also has a desktop matrix workflow at:

.github/workflows/desktop-release.yml

What it does today:

  • builds unsigned desktop artifacts on Windows, macOS, and Linux
  • uploads bundle artifacts for PRs and branch builds
  • on v*.*.* tags, attaches release assets to the GitHub release
  • forwards Apple signing/notarization secrets to the macOS build if they exist, but does not require them

See RELEASE_INPUTS.md for the plain-language answer to "what would I need later?".

What the build does

  1. Generates the desktop icon set in src-tauri/icons/
  2. Stages a desktop-only frontend export tree that omits Next server-only routes/middleware (src/app/api, src/middleware.ts)
  3. Stages a managed backend runtime bundle into src-tauri/backend-runtime/
  4. Builds the frontend export with NEXT_OUTPUT=export
  5. Copies frontend/out into src-tauri/companion-www/
  6. Runs cargo tauri build
  7. Writes:
    • src-tauri/target/release/bundle/SHA256SUMS.txt
    • src-tauri/target/release/bundle/release-manifest.json
    • src-tauri/target/release/bundle/latest.json when signed updater artifacts are present

For CI/release builds, the backend release-gate attestation is also staged into the managed backend bundle at backend-runtime/data/release_attestation.json, and the managed-backend updater refreshes that file on version sync without overwriting the rest of the runtime data/ directory.

Release artifacts

Artifacts are emitted under:

desktop-shell/tauri-skeleton/src-tauri/target/release/bundle/

Expected bundle types vary by platform:

  • Windows: .msi, .exe
  • macOS: .dmg, .app-related archives
  • Linux: .deb, .AppImage

What is still manual

  • Windows code signing
  • macOS notarization/signing credentials
  • Publishing latest.json plus the signed updater installer assets to the GitHub release
  • Final splash/installer copy polish

Tauri updater notes

The updater public key is baked into src-tauri/tauri.conf.json. Keep the private key in release-secrets/shadowbroker-updater.key and its local password file in release-secrets/shadowbroker-updater.key.pass, or provide the same values through TAURI_SIGNING_PRIVATE_KEY and TAURI_SIGNING_PRIVATE_KEY_PASSWORD at build time. The local release-secrets/ folder is gitignored.

The production updater endpoint is:

https://github.com/BigBodyCobain/Shadowbroker/releases/latest/download/latest.json

For GitHub releases, upload latest.json, the installer (.msi / .exe), and the matching .sig files generated under src-tauri/target/release/bundle/. Tauri updater signing verifies update packages only; it does not remove Windows SmartScreen warnings. Windows public trust still requires a real code-signing certificate later.
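
A pre-publish consistency check for the upload set described above, added here as an example and not taken from the project's build scripts. It assumes SHA256SUMS.txt uses sha256sum-style lines and latest.json follows Tauri's static updater layout (platforms mapping to url and signature); check_bundle and build_sample are hypothetical names and the sample bundle is constructed. It checks that the files agree with each other, not that the signatures are cryptographically valid.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_bundle(bundle_dir):
    """Return a list of problems; an empty list means the upload set is consistent."""
    problems, sums = [], {}
    # Assumption: sha256sum-style lines, "<hex digest>  <path relative to bundle dir>".
    text = (bundle_dir / "SHA256SUMS.txt").read_text()
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(maxsplit=1)
        sums[name.lstrip("*")] = digest.lower()
    for name, digest in sums.items():
        target = bundle_dir / name
        if not target.is_file():
            problems.append(f"listed but missing: {name}")
        elif sha256_file(target) != digest:
            problems.append(f"checksum mismatch: {name}")
    manifest = bundle_dir / "latest.json"
    if manifest.is_file():  # only written when signed updater artifacts are present
        # Assumption: Tauri static updater JSON, platforms -> {"url", "signature"}.
        for platform, entry in json.loads(manifest.read_text())["platforms"].items():
            asset = entry["url"].rsplit("/", 1)[-1]
            listed = [n for n in sums if Path(n).name == asset]
            sig = bundle_dir / (listed[0] + ".sig") if listed else None
            if sig is None:
                problems.append(f"{platform}: {asset} not in SHA256SUMS.txt")
            elif not sig.is_file():
                problems.append(f"{platform}: no .sig beside {asset}")
            elif sig.read_text().strip() != entry["signature"].strip():
                problems.append(f"{platform}: signature differs from {sig.name}")
    return problems

def build_sample(root, tamper=False):
    """Constructed sample bundle (placeholder names and signature, not real artifacts)."""
    msi = root / "msi" / "app_0.0.0_x64.msi"
    msi.parent.mkdir()
    msi.write_bytes(b"constructed installer bytes")
    (root / "msi" / "app_0.0.0_x64.msi.sig").write_text("CONSTRUCTED-SIG\n")
    (root / "SHA256SUMS.txt").write_text(f"{sha256_file(msi)}  msi/{msi.name}\n")
    entry = {"url": f"https://example.invalid/{msi.name}", "signature": "CONSTRUCTED-SIG"}
    (root / "latest.json").write_text(json.dumps({"platforms": {"windows-x86_64": entry}}))
    if tamper:  # simulate an installer changed after the checksums were written
        msi.write_bytes(b"modified after checksumming")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(check_bundle(build_sample(Path(d))) or "bundle consistent")
```

Point check_bundle at src-tauri/target/release/bundle/ before uploading; any returned entry means the release assets would not match what updater clients download.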

Trust model reminder

The packaged build still uses:

  • a bundled local backend runtime that the desktop app owns by default
  • Rust-authoritative policy enforcement for privileged local control
  • the packaged loopback app server for same-origin non-privileged /api/*
  • reduced-trust browser companion mode with no native bridge injection