From 4f975f219e13cd4dea82404fdcc3b7aa507763be Mon Sep 17 00:00:00 2001 From: Wes Date: Sat, 13 Jun 2026 19:29:42 -0700 Subject: [PATCH] fix(release): use signed NSIS installer for updates Tauri now signs the NSIS installer in place as an .exe with a detached .sig. Use that pair as the Windows updater artifact instead of looking for the deprecated .nsis.zip artifact. Co-authored-by: Pinky <44b8e82baa6e0e254e0208d68f335c283c94e7b78dd1fa10d5a49d3f13dd0435@sprout-oss.stage.blox.sqprod.co> Signed-off-by: Wes
---
.github/workflows/release.yml | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 820e40975..02f122288 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -664,23 +664,26 @@ jobs:
 exit 1
 fi
- # Rename with _alpha-unsigned marker
+ # Tauri 2.x with createUpdaterArtifacts: true signs the NSIS
+ # installer in place (-setup.exe + -setup.exe.sig).
+ SIG="${EXE}.sig"
+ if [[ ! -f "$SIG" ]]; then
+ echo "::error::NSIS installer signature not found: $SIG"
+ exit 1
+ fi
+
+ # Rename with _alpha-unsigned marker, keeping the detached signature
+ # in lockstep so latest.json matches the uploaded updater artifact.
 EXE_DIR=$(dirname "$EXE")
 EXE_BASE=$(basename "$EXE" .exe)
 MARKED_EXE="${EXE_DIR}/${EXE_BASE}_alpha-unsigned.exe"
+ MARKED_SIG="${MARKED_EXE}.sig"
 mv "$EXE" "$MARKED_EXE"
+ mv "$SIG" "$MARKED_SIG"
 echo "exe=$MARKED_EXE" >> "$GITHUB_OUTPUT"
-
- # Find the updater .nsis.zip and .sig
- ARCHIVE=$(find "$BUNDLE_DIR/nsis" -name '*.nsis.zip' ! -name '*.sig' -type f | head -1)
- SIG="${ARCHIVE}.sig"
- if [[ -z "$ARCHIVE" || ! -f "$SIG" ]]; then
- echo "::error::NSIS updater archive or signature not found in $BUNDLE_DIR/nsis"
- exit 1
- fi
- echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT"
- echo "archive_name=$(basename "$ARCHIVE")" >> "$GITHUB_OUTPUT"
- echo "sig=$SIG" >> "$GITHUB_OUTPUT"
+ echo "archive=$MARKED_EXE" >> "$GITHUB_OUTPUT"
+ echo "archive_name=$(basename "$MARKED_EXE")" >> "$GITHUB_OUTPUT"
+ echo "sig=$MARKED_SIG" >> "$GITHUB_OUTPUT"
 - name: Read updater signature
 id: read-sig
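Review bot: The new guard `[[ ! -f "$SIG" ]]` only proves that a file named `${EXE}.sig` exists, so an empty signature file, or one left over from an earlier build if the bundle directory is ever reused, would be renamed and passed to the `Read updater signature` step as though it belonged to this installer. Updater clients should reject a signature that does not match, so the likely result is a published release that cannot be installed rather than a verification bypass, but it is cheaper to fail the job here: `if [[ ! -f "$SIG" || ! -s "$SIG" || "$SIG" -ot "$EXE" ]]; then`. It would also help to extend the rename comment to state what `_alpha-unsigned` means (it appears to refer to the absence of an Authenticode signature), because the same file is now the updater artifact and does carry a detached updater signature. The step's script begins above this hunk, so how `EXE` is selected is not visible here.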