tynd sign
tynd sign <file> # default key: tynd-updater.key, prints to stdout
tynd sign <file> --key path/to/updater.key --out <file>.sigProduces a base64 Ed25519 signature over the raw bytes of <file>. Output is the exact shape updater.downloadAndVerify verifies.
Flags
| Flag | Default | Effect |
|---|---|---|
<file> | required | File to sign (positional) |
--key <path> | tynd-updater.key | Path to the .key file from tynd keygen |
--out <path> | — | Write signature to this file. If omitted, prints to stdout. |
Global flags: --verbose, --quiet.
Examples
Sign to stdout
tynd sign release/MyApp-1.2.3-setup.exe --key release/updater.keyOutput:
MEUCIQD...base64...==Sign to file
tynd sign release/MyApp-1.2.3-setup.exe \
--key release/updater.key \
--out release/MyApp-1.2.3-setup.exe.sigFormat
- Input — arbitrary bytes (signature is over the full file, not hash-then-sign).
- Output — raw 64-byte Ed25519 signature, base64-encoded.
- Compatible with
crypto.subtle.sign("Ed25519", …)on the signing side and the Ed25519 verifier on the verifying side.
No PEM headers, no ASN.1 wrapping.
CI pattern
- name: Sign release artifact
env:
UPDATER_KEY: ${{ secrets.UPDATER_KEY }} # base64-encoded .key
run: |
echo "$UPDATER_KEY" | base64 -d > /tmp/updater.key
bunx tynd sign release/MyApp-1.2.3-setup.exe \
--key /tmp/updater.key \
--out release/MyApp-1.2.3-setup.exe.sig
rm /tmp/updater.keyAfter signing
Update your manifest JSON with the base64 signature:
{
"version": "1.2.3",
"platforms": {
"windows-x86_64": {
"url": "https://.../MyApp-1.2.3-setup.exe",
"signature": "MEUCIQD...=="
}
}
}See the Auto-Updates guide.
Related
tynd keygen— generate the keypair.- updater API — runtime verification.
Last updated on