Pushing a v* tag triggers two GitHub Actions workflows in parallel:
release.yml (existing) — builds the CLI binaries for 6 platforms
and attaches them to the GitHub Release.desktop-release.yml (new) — builds the desktop binaries for the
same 6 platforms, signs each artefact, generates the manifest, and
attaches everything to the same GitHub Release.The two workflows do not collide because every desktop artefact is
prefixed iterion-desktop-*.
iterion-desktop-darwin-universal.zip # Iterion.app/, universal amd64+arm64, ditto-compressed
iterion-desktop-darwin-universal.zip.sig
iterion-desktop-windows-amd64.exe # portable
iterion-desktop-windows-amd64.exe.sig
iterion-desktop-windows-amd64-installer.exe
iterion-desktop-windows-amd64-installer.exe.sig
iterion-desktop-windows-arm64.exe
iterion-desktop-windows-arm64.exe.sig
iterion-desktop-windows-arm64-installer.exe
iterion-desktop-windows-arm64-installer.exe.sig
iterion-desktop-linux-amd64.AppImage
iterion-desktop-linux-amd64.AppImage.sig
iterion-desktop-linux-amd64.tar.gz # raw binary + desktop file/icon
iterion-desktop-linux-amd64.tar.gz.sig
iterion-desktop-linux-amd64.deb # Debian/Ubuntu package with desktop + CLI
iterion-desktop-linux-amd64.deb.sig
iterion-desktop-linux-arm64.AppImage
iterion-desktop-linux-arm64.AppImage.sig
iterion-desktop-linux-arm64.tar.gz # raw binary + desktop file/icon
iterion-desktop-linux-arm64.tar.gz.sig
iterion-desktop-linux-arm64.deb # Debian/Ubuntu package with desktop + CLI
iterion-desktop-linux-arm64.deb.sig
iterion-desktop-manifest.json
iterion-desktop-manifest.json.sig
releases/latest/download/iterion-desktop-manifest.json
on startup (and every 4h thereafter, while the user has auto-check on).iterion-desktop-manifest.json.sig and verifies it against
the embedded updaterPublicKeyHex.GOOS/GOARCH, downloads it.sha256 and ed25519 against the manifest.updater_apply_*.go).update:applied event so the SPA can prompt for restart.The user can also trigger updates manually via Settings → Updates → “Check now”.
./scripts/desktop/ed25519-keygen.sh
Outputs hex to stdout, stores PEM in ~/.iterion-keys/updater_ed25519.pem.
~/.iterion-keys/updater_ed25519.pem into a
GitHub repository secret named UPDATER_ED25519_PRIVATE.cmd/iterion-desktop/updater.go’s updaterPublicKeyHex constant
and commit../scripts/desktop/verify-release.sh
on its .sig against the same hex. Should print Signature Verified
Successfully.If a desktop release contains a critical bug:
iterion-desktop-manifest.json from the prior
tag and re-upload it as the latest tag’s manifest. This stops auto-update
from offering the bad version.releases/latest/... URL falls through to the previous one.release.yml artefacts are not
affected.V1 ships unsigned. When code-signing is added:
xcrun notarytool. Hook
point in desktop-release.yml is gated on secrets.MACOS_DEVELOPER_ID_CERT_BASE64.signtool. Hook point gated on
secrets.WINDOWS_CERT_BASE64.Adding either does NOT replace the Ed25519 manifest signature — both exist independently. The Ed25519 layer is the trust anchor for our update channel; OS signing is only a UX improvement (Gatekeeper / SmartScreen).