From 897529d7a28049c9142a0f060ecd90e2e0ca8921 Mon Sep 17 00:00:00 2001 From: Tony <68118705+Legend-Master@users.noreply.github.com> Date: Thu, 8 Jan 2026 22:14:51 +0800 Subject: [PATCH 1/2] fix: map `rustls-tls` to `reqwest/rustls-no-provider` (#14726) Co-authored-by: FabianLars --- Cargo.lock | 107 +---------------------------- crates/tauri/Cargo.toml | 7 +- crates/tauri/src/protocol/tauri.rs | 12 ++-- 3 files changed, 13 insertions(+), 113 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d5b88b912..777ea58a4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -553,28 +553,6 @@ dependencies = [ "arrayvec", ] -[[package]] -name = "aws-lc-rs" -version = "1.15.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a88aab2464f1f25453baa7a07c84c5b7684e274054ba06817f382357f77a288" -dependencies = [ - "aws-lc-sys", - "zeroize", -] - -[[package]] -name = "aws-lc-sys" -version = "0.35.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b45afffdee1e7c9126814751f88dddc747f41d91da16c9551a0f1e8a11e788a1" -dependencies = [ - "cc", - "cmake", - "dunce", - "fs_extra", -] - [[package]] name = "axum" version = "0.8.4" @@ -1323,15 +1301,6 @@ dependencies = [ "digest", ] -[[package]] -name = "cmake" -version = "0.1.57" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d" -dependencies = [ - "cc", -] - [[package]] name = "color_quant" version = "1.1.0" @@ -2635,12 +2604,6 @@ dependencies = [ "thiserror 1.0.69", ] -[[package]] -name = "fs_extra" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" - [[package]] name = "fsevent-sys" version = "4.1.0" @@ -2898,10 +2861,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" dependencies = [ "cfg-if", - "js-sys", "libc", "wasi 0.11.0+wasi-snapshot-preview1", - "wasm-bindgen", ] [[package]] @@ -6408,59 +6369,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "quinn" -version = "0.11.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62e96808277ec6f97351a2380e6c25114bc9e67037775464979f3037c92d05ef" -dependencies = [ - "bytes", - "pin-project-lite", - "quinn-proto", - "quinn-udp", - "rustc-hash", - "rustls 0.23.35", - "socket2 0.5.8", - "thiserror 2.0.12", - "tokio", - "tracing", -] - -[[package]] -name = "quinn-proto" -version = "0.11.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a2fe5ef3495d7d2e377ff17b1a8ce2ee2ec2a18cde8b6ad6619d65d0701c135d" -dependencies = [ - "aws-lc-rs", - "bytes", - "getrandom 0.2.15", - "rand 0.8.5", - "ring", - "rustc-hash", - "rustls 0.23.35", - "rustls-pki-types", - "slab", - "thiserror 2.0.12", - "tinyvec", - "tracing", - "web-time", -] - -[[package]] -name = "quinn-udp" -version = "0.5.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c40286217b4ba3a71d644d752e6a0b71f13f1b6a2c5311acfcbe0c2418ed904" -dependencies = [ - "cfg_aliases", - "libc", - "once_cell", - "socket2 0.5.8", - "tracing", - "windows-sys 0.59.0", -] - [[package]] name = "quote" version = "1.0.38" @@ -6891,7 +6799,6 @@ dependencies = [ "native-tls", "percent-encoding", "pin-project-lite", - "quinn", "rustls 0.23.35", "rustls-pki-types", "rustls-platform-verifier", @@ -7219,7 +7126,6 @@ version = "0.23.35" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f" dependencies = [ - "aws-lc-rs", "log", "once_cell", "ring", @@ -7290,7 +7196,6 @@ version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282" dependencies = [ - "web-time", "zeroize", ] @@ -7348,7 +7253,6 @@ version = "0.103.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52" dependencies = [ - "aws-lc-rs", "ring", "rustls-pki-types", "untrusted", @@ -8634,6 +8538,7 @@ dependencies = [ "quickcheck_macros", "raw-window-handle", "reqwest 0.13.1", + "rustls 0.23.35", "serde", "serde_json", "serde_repr", @@ -10265,16 +10170,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "web-time" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - [[package]] name = "webkit2gtk" version = "2.0.1" diff --git a/crates/tauri/Cargo.toml b/crates/tauri/Cargo.toml index b7cee807a..72fb921b9 100644 --- a/crates/tauri/Cargo.toml +++ b/crates/tauri/Cargo.toml @@ -144,8 +144,10 @@ bytes = { version = "1", features = ["serde"] } reqwest = { version = "0.13", default-features = false, features = [ "json", "stream", - ] } +rustls = { version = "0.23", default-features = false, features = [ + "ring", +], optional = true } # android [target.'cfg(target_os = "android")'.dependencies] @@ -198,10 +200,9 @@ linux-libxdo = ["tray-icon/libxdo", "muda/libxdo"] isolation = ["tauri-utils/isolation", "tauri-macros/isolation", "uuid"] custom-protocol = ["tauri-macros/custom-protocol"] # TODO: Remove these flags in v3 and/or enable them by default behind a mobile flag https://github.com/tauri-apps/tauri/issues/12384 -# For now those feature flags keep enabling reqwest features in case some users depend on that by accident. native-tls = ["reqwest/native-tls"] native-tls-vendored = ["reqwest/native-tls-vendored"] -rustls-tls = ["reqwest/rustls"] +rustls-tls = ["reqwest/rustls-no-provider", "dep:rustls"] devtools = ["tauri-runtime/devtools", "tauri-runtime-wry?/devtools"] process-relaunch-dangerous-allow-symlink-macos = [ "tauri-utils/process-relaunch-dangerous-allow-symlink-macos", diff --git a/crates/tauri/src/protocol/tauri.rs b/crates/tauri/src/protocol/tauri.rs index 10cab2ced..a346754f0 100644 --- a/crates/tauri/src/protocol/tauri.rs +++ b/crates/tauri/src/protocol/tauri.rs @@ -114,6 +114,11 @@ fn get_response( decoded_path.trim_start_matches('/') ); + #[cfg(feature = "rustls-tls")] + if rustls::crypto::CryptoProvider::get_default().is_none() { + let _ = rustls::crypto::ring::default_provider().install_default(); + } + let mut client = reqwest::ClientBuilder::new(); if url.starts_with("https://") { @@ -126,10 +131,9 @@ fn get_response( ))] { log::info!("adding dev server root certificate"); - client = client.add_root_certificate( - reqwest::Certificate::from_pem(cert_pem.as_bytes()) - .expect("failed to parse TAURI_DEV_ROOT_CERTIFICATE"), - ); + let certificate = reqwest::Certificate::from_pem(cert_pem.as_bytes()) + .expect("failed to parse TAURI_DEV_ROOT_CERTIFICATE"); + client = client.tls_certs_merge([certificate]); } #[cfg(not(any( From 84b04c4a8d3310b7a7091d10e36244bf94996e51 Mon Sep 17 00:00:00 2001 From: Amr Bashir Date: Sun, 11 Jan 2026 20:37:52 +0200 Subject: [PATCH 2/2] fix: fix leftover inconsistent env var in `tauri signer sign` command (#14759) --- .changes/signing-env-vars.md | 14 +++++++++ crates/tauri-cli/src/signer/generate.rs | 37 ++++++++++++----------- crates/tauri-cli/src/signer/sign.rs | 39 +++++++++++++++++++++++-- 3 files changed, 70 insertions(+), 20 deletions(-) create mode 100644 .changes/signing-env-vars.md diff --git a/.changes/signing-env-vars.md b/.changes/signing-env-vars.md new file mode 100644 index 000000000..c164c3b9a --- /dev/null +++ b/.changes/signing-env-vars.md @@ -0,0 +1,14 @@ +--- +"tauri-cli": patch:enhance +"@tauri-apps/cli": patch:enhance +--- + +Added new environment variables for `tauri signer sign` command, to align with existing environment variables used in `tauri build`, `tauri bundle` and `tauri signer generate` +- `TAURI_SIGNING_PRIVATE_KEY` +- `TAURI_SIGNING_PRIVATE_KEY_PATH` +- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` + +The old environment variables are deprecated and will be removed in a future release. +- `TAURI_PRIVATE_KEY` +- `TAURI_PRIVATE_KEY_PATH` +- `TAURI_PRIVATE_KEY_PASSWORD` diff --git a/crates/tauri-cli/src/signer/generate.rs b/crates/tauri-cli/src/signer/generate.rs index 97f3b3708..6ca4244c7 100644 --- a/crates/tauri-cli/src/signer/generate.rs +++ b/crates/tauri-cli/src/signer/generate.rs @@ -39,26 +39,29 @@ pub fn command(mut options: Options) -> Result<()> { save_keypair(options.force, output_path, &keypair.sk, &keypair.pk) .expect("Unable to write keypair"); - println!( - "\nYour keypair was generated successfully\nPrivate: {} (Keep it secret!)\nPublic: {}\n---------------------------", - display_path(secret_path), - display_path(public_path) - ) + println!(); + println!("Your keypair was generated successfully:"); + println!("Private: {} (Keep it secret!)", display_path(secret_path)); + println!("Public: {}", display_path(public_path)); + println!("---------------------------") } else { - println!( - "\nYour secret key was generated successfully - Keep it secret!\n{}\n\n", - keypair.sk - ); - println!( - "Your public key was generated successfully:\n{}\n\nAdd the public key in your tauri.conf.json\n---------------------------\n", - keypair.pk - ); + println!(); + println!("Your keys were generated successfully!",); + println!(); + println!("Private: (Keep it secret!)"); + println!("{}", keypair.sk); + println!(); + println!("Public:"); + println!("{}", keypair.pk); } - println!("\nEnvironment variables used to sign:"); - println!("`TAURI_SIGNING_PRIVATE_KEY` Path or String of your private key"); - println!("`TAURI_SIGNING_PRIVATE_KEY_PASSWORD` Your private key password (optional)"); - println!("\nATTENTION: If you lose your private key OR password, you'll not be able to sign your update package and updates will not work.\n---------------------------\n"); + println!(); + println!("Environment variables used to sign:"); + println!("- `TAURI_SIGNING_PRIVATE_KEY`: String of your private key"); + println!("- `TAURI_SIGNING_PRIVATE_KEY_PATH`: Path to your private key file"); + println!("- `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`: Your private key password (optional if key has no password)"); + println!(); + println!("ATTENTION: If you lose your private key OR password, you'll not be able to sign your update package and updates will not work"); Ok(()) } diff --git a/crates/tauri-cli/src/signer/sign.rs b/crates/tauri-cli/src/signer/sign.rs index 44eee5d57..a50e4e083 100644 --- a/crates/tauri-cli/src/signer/sign.rs +++ b/crates/tauri-cli/src/signer/sign.rs @@ -21,7 +21,7 @@ pub struct Options { short = 'k', long, conflicts_with("private_key_path"), - env = "TAURI_PRIVATE_KEY" + env = "TAURI_SIGNING_PRIVATE_KEY" )] private_key: Option, /// Load the private key from a file @@ -29,17 +29,50 @@ pub struct Options { short = 'f', long, conflicts_with("private_key"), - env = "TAURI_PRIVATE_KEY_PATH" + env = "TAURI_SIGNING_PRIVATE_KEY_PATH" )] private_key_path: Option, /// Set private key password when signing - #[clap(short, long, env = "TAURI_PRIVATE_KEY_PASSWORD")] + #[clap(short, long, env = "TAURI_SIGNING_PRIVATE_KEY_PASSWORD")] password: Option, /// Sign the specified file file: PathBuf, } +// Backwards compatibility with old env vars +// TODO: remove in v3.0 +fn backward_env_vars(mut options: Options) -> Options { + let get_env = |old, new| { + if let Ok(old_value) = std::env::var(old) { + println!( + "\x1b[33mWarning: The environment variable '{old}' is deprecated. Please use '{new}' instead.\x1b[0m", + ); + Some(old_value) + } else { + None + } + }; + + options.private_key = options + .private_key + .or_else(|| get_env("TAURI_PRIVATE_KEY", "TAURI_SIGNING_PRIVATE_KEY")); + + options.private_key_path = options.private_key_path.or_else(|| { + get_env("TAURI_PRIVATE_KEY_PATH", "TAURI_SIGNING_PRIVATE_KEY_PATH").map(PathBuf::from) + }); + + options.password = options.password.or_else(|| { + get_env( + "TAURI_PRIVATE_KEY_PASSWORD", + "TAURI_SIGNING_PRIVATE_KEY_PASSWORD", + ) + }); + options +} + pub fn command(mut options: Options) -> Result<()> { + options = backward_env_vars(options); + options.private_key = if let Some(private_key) = options.private_key_path { Some(std::fs::read_to_string(Path::new(&private_key)).expect("Unable to extract private key")) } else {