← docs index · ← desktop-qa-checklist.md · ← desktop-distribution.md
Walk this checklist before pushing a desktop-v* (or v* if CLI + desktop release together) tag. It’s the gate between “code is QA-clean on every platform” (covered by desktop-qa-checklist.md) and “the release is published, signed, and announced”.
A box left unticked is a release that ships broken. Resist the urge to bypass.
main.desktop-qa open against the release branch.package.json version bumped (or release-it ran successfully and bumped it).charts/iterion/Chart.yaml appVersion matches package.json (CI guard would block otherwise; verify locally with task chart:sync-version).CHANGELOG.md updated (release-it generates from conventional commits; spot-check for missing entries).These are hard prerequisites held outside the repo. Confirm each is current and accessible by the release operator before pushing the tag.
UPDATER_ED25519_PRIVATE is set, in PEM form, matches the public key embedded in cmd/iterion-desktop/updater.go (updaterPublicKeyHex constant). If the constant has changed since the last release, see “Key rotation” below.APPLE_DEVELOPER_ID_CERT (.p12) and APPLE_DEVELOPER_ID_CERT_PASSWORD GitHub secrets present; APPLE_NOTARIZE_API_KEY (.p8) + APPLE_NOTARIZE_KEY_ID + APPLE_NOTARIZE_ISSUER_ID present. Cert validity > release date + 30 days.WINDOWS_SIGNING_CERT (.pfx) and WINDOWS_SIGNING_CERT_PASSWORD (or SignPath / Azure Trusted Signing config) present. Cert validity > release date + 30 days.GPG_PRIVATE_KEY and GPG_PASSPHRASE GitHub secrets present (for signing .deb + .AppImage). Public key published to the org’s key server / KEYS file in the release.If any of these is missing or expired:
gh workflow run desktop-release.yml -f dry_run=true (if the workflow supports it) or use a desktop-vX.Y.Z-rc1 pre-release tag.generate-manifest.sh produced valid JSON (jq -e . against the artefact)..sig files are valid Ed25519 signatures of their corresponding artefacts (sample: download one binary + its .sig, run openssl pkeyutl -verify -pubin -inkey updater_ed25519.pub -rawin -in <artefact> -sigfile <artefact>.sig).git tag v<X.Y.Z> && git push origin v<X.Y.Z> (or use the release-it flow).desktop-release.yml succeed end-to-end.release.yml (CLI) succeed end-to-end (parallel job on the same tag).brew-update.yml (workflow_run on the above) succeed and patch the brew tap’s cask SHA.gh release view v<X.Y.Z> shows all expected artefacts (6 binaries × {bundle, .sig} + manifest + manifest.sig + checksum + GPG sigs for Linux)./Applications/Iterion.app opens cleanly via Gatekeeper.chmod +x and run the AppImage on Ubuntu → opens.Help → Check for updates, watch the upgrade complete.brew update && brew install iterion-desktop (or brew upgrade iterion-desktop) → installs vN.CHANGELOG.md and the manifesto’s “what’s new” framing.If a release artefact ships a critical bug after publication:
iterion-desktop-manifest.json so existing users don’t auto-update to the broken version. New users land on a stale version, which is preferred.vX.Y.Z+1 patch release with the fix and publish; auto-update will lift users off the broken version.The Ed25519 keypair signing the manifest + artefacts is the trust root for auto-update. Rotate it when:
Rotation procedure:
./scripts/desktop/ed25519-keygen.sh ./new-keys.cmd/iterion-desktop/updater.go updaterPublicKeyHex to the new public key (hex-encoded).verifyManifest to accept either signature, ship that release, wait until > 95% of installs have updated.UPDATER_ED25519_PRIVATE to the new key.Without the dual-key bridge, users on the old version can’t update past the rotation point because their embedded public key won’t verify the new manifest.
release.yml and the conventional-commits / release-it flow. The desktop release rides the same tag.