# (How to) verify Tauri updater signature manually


warped stream

Hi everyone, I’m using Tauri’s built-in updater and I’d like to manually verify that my .exe and its .sig actually match the public key I published.

What I’ve done so far:

  1. Generated my keypair

         tauri signer generate -w ~/.tauri/updater.key

  2. Published the public key in my tauri.conf.json

         "updater": {
           "active": true,
           "endpoints": ["https://cdn.mycdn.app/update/..."],
           "pubkey": "<BASE64_PUBKEY_FROM_~/.tauri/updater.key.pub>"
         }

  3. Built my app

         cargo tauri build

     → Produces MyApp.exe and MyApp.exe.sig

  4. Uploaded both to my package manager, which shows in the JSON:

         {
           "version": "1.2.3",
           "notes": "...",
           "pub_date": "2025-05-15T12:54:05.768Z",
           "url": "https://cdn.mycdn.app/asset/XYZ.exe",
           "signature": "<Base64 of MyApp.exe.sig>",
           "format": "nsis"
         }

What I’m stuck on:

Tauri’s signer CLI doesn’t provide a “verify” command, so I tried using minisign:

minisign -Vm MyApp.exe -x MyApp.exe.sig -P <your-public-key-string>

but I always get:

Untrusted signature comment too long

That error comes from minisign’s comment-length check, and I haven’t been able to figure out a clean way to verify without hitting that limit.

My questions:

  • What’s the recommended way to manually verify a Tauri updater signature?
  • Is there a snippet (bash, Python, or otherwise) that simply checks the detached Ed25519 signature against the published public key, ignoring the comment length?
  • Has anyone built a small utility or workflow for this?

Any pointers, example scripts, or best practices would be hugely appreciated—thanks! 🙏 🙏

whole elbow

you need to base64 decode the .pub and .sig files yourself first. then it should work (at least it does for me).


minisign can't handle encoded .sig files afaik and the mention of base64 in the documentation of the -P flag only means the second line in the decoded pub key (you'll see what i mean once you decoded it).


newlines are somewhat annoying for our use case (setting them in json) so we encode those 2 files to make that easier with the drawback of making verification a bit less obvious
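The decoding steps from this reply, written out as a stand-alone verifier. This is an added example, not code from the thread, from Tauri or from minisign; it assumes Python 3.9+ with the `cryptography` package installed. It base64-unwraps both files the way Tauri stores them, checks that the key ID inside the .sig matches the .pub, then verifies the Ed25519 signature (over the BLAKE2b-512 prehash for minisign's "ED" algorithm, or the raw file for the legacy "Ed" form) and the global signature that binds the trusted comment; `make_tauri_files` only builds constructed sample files for the round trip.

```python
import base64
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

def unwrap(tauri_b64: str) -> list:
    # Tauri ships minisign's text files base64-wrapped (to keep newlines out of JSON); undo that.
    return base64.b64decode(tauri_b64).decode().splitlines()

def verify_tauri_sig(pub_b64: str, sig_b64: str, data: bytes) -> bool:
    # .pub: line 1 = untrusted comment, line 2 = base64(alg[2] || key_id[8] || pk[32])
    pub = base64.b64decode(unwrap(pub_b64)[1])
    if pub[:2] != b"Ed" or len(pub) != 42:
        raise ValueError("not a minisign Ed25519 public key")
    # .sig: untrusted comment, base64(alg || key_id || sig[64]), trusted comment, base64(global sig)
    lines = unwrap(sig_b64)
    raw = base64.b64decode(lines[1])
    alg, sig_key_id, sig = raw[:2], raw[2:10], raw[10:]
    if sig_key_id != pub[2:10] or len(sig) != 64:
        return False  # signed by a different key, or malformed
    # "ED" = prehashed minisign: signature covers BLAKE2b-512(file); legacy "Ed" covers the file itself
    msg = hashlib.blake2b(data, digest_size=64).digest() if alg == b"ED" else data
    trusted = lines[2].removeprefix("trusted comment: ").encode()
    try:
        key = Ed25519PublicKey.from_public_bytes(pub[10:])
        key.verify(sig, msg)
        key.verify(base64.b64decode(lines[3]), sig + trusted)  # global sig binds the trusted comment
    except InvalidSignature:
        return False
    return True

def make_tauri_files(sk: Ed25519PrivateKey, data: bytes, key_id: bytes = b"\x01" * 8):
    # Constructed sample only: emit .pub/.sig in minisign layout, base64-wrapped the way Tauri does.
    pk = sk.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    pub_txt = "untrusted comment: minisign public key\n" + base64.b64encode(b"Ed" + key_id + pk).decode() + "\n"
    sig = sk.sign(hashlib.blake2b(data, digest_size=64).digest())
    trusted = "timestamp:1700000000\tfile:MyApp.exe"
    sig_txt = ("untrusted comment: signature from tauri secret key\n"
               + base64.b64encode(b"ED" + key_id + sig).decode() + "\n"
               + "trusted comment: " + trusted + "\n"
               + base64.b64encode(sk.sign(sig + trusted.encode())).decode() + "\n")
    return base64.b64encode(pub_txt.encode()).decode(), base64.b64encode(sig_txt.encode()).decode()

def demo() -> tuple:
    # Round trip on a constructed key and payload: (valid file verifies, tampered file is rejected)
    sk, data = Ed25519PrivateKey.generate(), b"constructed sample installer bytes"
    pub_b64, sig_b64 = make_tauri_files(sk, data)
    return verify_tauri_sig(pub_b64, sig_b64, data), not verify_tauri_sig(pub_b64, sig_b64, data + b"!")
```

For a real release, pass the `pubkey` string from tauri.conf.json, the `signature` string from the update JSON and the downloaded installer bytes to `verify_tauri_sig`.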

warped stream

Hi @whole elbow, thanks for the tip!

You’re absolutely right, I only decoded my public key and didn't base64 decode the .sig file itself. Once I Base64-decoded the signature and fed that to minisign, verification worked perfectly. This was bugging me for days, so I really appreciate your help!

On another note, I noticed that Tauri signer currently can only generate keys and sign binaries, but it doesn’t offer a “verify” command out of the box.

Would it make sense to open a feature request for adding tauri signer verify so the CLI becomes more self-contained?

I’ve already dug into the updater code a bit and would be happy to contribute—just point me at the right repo and module, and I will be happy to give it a try.

Thanks again!

whole elbow

> Would it make sense to open a feature request for adding tauri signer verify so the CLI becomes more self-contained?

imo yes.