# tynd keygen

```sh
tynd keygen                         # default: tynd-updater.{key,pub}
tynd keygen --out release/updater   # custom base path
```

Generates an Ed25519 keypair for signing auto-updater artifacts. Uses WebCrypto — no OpenSSL / external signing tool needed.
## Flags

| Flag | Default | Effect |
|---|---|---|
| `--out <base>` | `tynd-updater` | Output path base. Produces `<base>.key` + `<base>.pub`. |
| `-f, --force` | `false` | Overwrite existing files at the output paths. |

Global flags: `--verbose`, `--quiet`.
## Output

- `<base>.key` — PKCS#8 private key. Store offline. Never commit. Compromise of this key lets an attacker ship malicious updates to every user of your app.
- `<base>.pub` — raw 32-byte public key (base64).
## Workflow

1. Generate once

   ```sh
   tynd keygen --out release/updater
   ```

2. Commit only the pub

   ```sh
   echo "release/updater.key" >> .gitignore
   git add release/updater.pub
   ```

3. Bake the pubkey into your app

   `src/updater-key.ts`:

   ```ts
   export const UPDATER_PUB_KEY = "cFpG...RVDv/RQ=";
   ```

4. For each release, sign the artifact

   ```sh
   tynd sign release/MyApp-1.2.3-setup.exe \
     --key release/updater.key \
     --out release/MyApp-1.2.3-setup.exe.sig
   ```

5. Publish signature + manifest

   Upload the `.sig` alongside each artifact. Reference it in the update manifest's `signature` field.
## Rotating the key

Ed25519 keys don't expire, but if compromised:

- Generate a new keypair.
- Ship an update signed with the old key that bakes in the new pubkey.
- After that update rolls out, sign future updates only with the new key.

Users who haven't applied the migration are stuck on the old trust root — there's no remote revocation.
## Related

- `tynd sign` — sign files with the generated key.
- updater API — runtime verification.
- Auto-Updates guide.