Tauri Signing Keys - 1Password Integration
Overview
Tauri signing keys have been migrated to 1Password for secure storage and team access management. The keys are stored in the TerraphimPlatform vault and can be accessed via the 1Password CLI.
Key Storage Details
- Vault: TerraphimPlatform
- Vault ID: 6fsizn2h5rrs5mp3e4phudjab4
- Item ID: 3k2d5ycxeagdazexivgomi2gpy
- Item Title: TauriSigning
Stored Credentials
The following credentials are stored in the 1Password item:
- TAURI_PRIVATE_KEY: The private signing key for Tauri updates (concealed)
- TAURI_PUBLIC_KEY: The public key for verification (visible)
- TAURI_KEY_PASSWORD: Password for the private key (empty/concealed)
Usage
Prerequisites
Ensure you have the 1Password CLI installed and authenticated:
# Check installation
# Authenticate if needed
Method 1: Direct Environment Variable Export
Export the keys as environment variables for use in build scripts:
Method 2: Using op run with Environment File
The project includes a .env.tauri-release file with 1Password references:
# Run build with automatic secret injection
# Or for Rust builds
Method 3: GitHub Actions Integration
For CI/CD pipelines, configure a 1Password service account:
- Create a service account in 1Password with read access to the TerraphimPlatform vault
- Add the service account token as a GitHub secret: OP_SERVICE_ACCOUNT_TOKEN
- Use the 1Password GitHub Action in your workflow:
- name: Load secrets from 1Password
  uses: 1password/load-secrets-action@v1
  with:
    export-env: true
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    TAURI_PRIVATE_KEY: op://6fsizn2h5rrs5mp3e4phudjab4/3k2d5ycxeagdazexivgomi2gpy/TAURI_PRIVATE_KEY
    TAURI_KEY_PASSWORD: op://6fsizn2h5rrs5mp3e4phudjab4/3k2d5ycxeagdazexivgomi2gpy/TAURI_KEY_PASSWORD
File References
.env.tauri-release
This file contains 1Password references for the Tauri signing keys:
TAURI_PRIVATE_KEY="op://6fsizn2h5rrs5mp3e4phudjab4/3k2d5ycxeagdazexivgomi2gpy/TAURI_PRIVATE_KEY"
TAURI_KEY_PASSWORD="op://6fsizn2h5rrs5mp3e4phudjab4/3k2d5ycxeagdazexivgomi2gpy/TAURI_KEY_PASSWORD"
docs/artifacts (historical)
Historically, release tracking documents lived under .reports/. Those have been migrated to docs/artifacts/ for publication and long-term reference.
The actual signing key references should live in .env.tauri-release (1Password reference URIs only) and in this document.
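A guard for the rule above that .env.tauri-release holds 1Password reference URIs only, written as an added example and not part of the project's own scripts. The hypothetical function check_env_refs fails when a value is not an op://vault/item/field reference or, when a vault ID is passed, when a reference points at a different vault; it never echoes the offending value.

```shell
# Added example, not project code. check_env_refs is a hypothetical helper.
# Usage: check_env_refs FILE [EXPECTED_VAULT]
# Returns 0 if every assignment is an op://vault/item/field reference,
# 1 if any line fails, 2 if FILE cannot be read. Values are never printed.
check_env_refs() {
    file=$1
    expected_vault=${2:-}
    rc=0
    lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;                 # blank line or comment
            *=*) ;;                              # KEY=VALUE, checked below
            *) echo "$file:$lineno: not a KEY=VALUE line"; rc=1; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $value in                           # drop one pair of double quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
        esac
        case $value in
            op:///*|op://*//*|op://*/)           # empty vault, item or field
                echo "$file:$lineno: $key has an empty reference segment"
                rc=1; continue ;;
            op://*/*/*) ;;                       # vault/item/field present
            *)  echo "$file:$lineno: $key is not an op:// reference"
                rc=1; continue ;;
        esac
        if [ -n "$expected_vault" ]; then
            rest=${value#op://}
            vault=${rest%%/*}
            if [ "$vault" != "$expected_vault" ]; then
                echo "$file:$lineno: $key references vault $vault, expected $expected_vault"
                rc=1
            fi
        fi
    done < "$file"
    return "$rc"
}
```

Run it as `check_env_refs .env.tauri-release 6fsizn2h5rrs5mp3e4phudjab4` from a pre-commit hook or an early CI step so a pasted key fails the build before it reaches the repository history.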
Security Benefits
- No Plain Text Keys: Sensitive keys are never stored in plain text in the repository
- Access Control: Team members need 1Password vault access to retrieve keys
- Audit Trail: All key access is logged in 1Password
- Rotation Support: Keys can be updated in 1Password without changing code
- Service Account Integration: CI/CD can access keys securely without exposing them
Troubleshooting
Multiple Vaults with Same Name
If you encounter an error about multiple vaults matching "TerraphimPlatform", use the vault ID directly:
- Vault ID: 6fsizn2h5rrs5mp3e4phudjab4
Permission Errors
Ensure your 1Password account has access to the TerraphimPlatform vault. Contact your 1Password administrator if you need access.
CLI Authentication Issues
If op commands fail, re-authenticate:
Migration Notes
- Migration Date: November 7, 2025
- Previous Storage: Keys were previously documented under .reports/
- Vault Created: A new TerraphimPlatform vault was created (ID: deahm4nag52derwyq2frgy3pda)
- Item Updated: Existing item 3k2d5ycxeagdazexivgomi2gpy was updated with Tauri keys