Simplify our release page.

nedtwigg · nedtwigg · commit 82ae6ee878e4 · 2026-04-10T13:02:19.000-07:00
diff --git a/docs/specs/deploy.md b/docs/specs/deploy.md
@@ -7,9 +7,9 @@ Every release produces three artifact groups under one version and changelog:
 | Artifact | Format | Destination |
 |----------|--------|-------------|
 | VSCode extension | `.vsix` | VS Code Marketplace + OpenVSX |
-| Standalone (Windows) | NSIS `.exe` installer | GitHub Release + Tauri updater |
-| Standalone (macOS, Apple Silicon) | `.dmg` (install) + `.tar.gz` (update) | GitHub Release + Tauri updater |
-| Standalone (Linux) | AppImage | GitHub Release + Tauri updater |
+| Standalone (Windows) | `.nsis.zip` (contains NSIS installer) | GitHub Release + Tauri updater |
+| Standalone (macOS, Apple Silicon) | `.tar.gz` (contains signed `.app`) | GitHub Release + Tauri updater |
+| Standalone (Linux) | `.AppImage.tar.gz` (contains AppImage) | GitHub Release + Tauri updater |
 
 ## Release checklist
 
@@ -33,8 +33,8 @@ Human-driven steps, in order:
 8. **Deploy website** — commit the updated `website/public/standalone-latest.json` and deploy mouseterm.com so the updater endpoint is live.
 9. **Verify the release**
    - Check GitHub Release assets are correct
-   - On a Mac: download the `.dmg`, open it, confirm no Gatekeeper warnings
-   - On Windows: download the `.exe` installer, confirm no SmartScreen warnings
+   - On a Mac: extract the `.tar.gz`, open the `.app`, confirm no Gatekeeper warnings
+   - On Windows: extract the `.nsis.zip`, run the installer, confirm no SmartScreen warnings
    - Confirm Tauri auto-updater picks up the new version (test from a previous version)
    - Confirm VSCode extension is live on Marketplace and OpenVSX
 
@@ -193,7 +193,7 @@ codesign/jsign the executable
    - Build the update manifest JSON (see below) with the `.sig` contents inline
 6. **Create GitHub Release**
    - `gh release create v0.1.0 --title "v0.1.0" --notes-file CHANGELOG.md`
-   - Upload: signed installers (`.dmg`, `.exe`, `.AppImage`) + update bundles (`.tar.gz`, `.nsis.zip`)
+   - Upload: update bundles (`.tar.gz`, `.nsis.zip`, `.AppImage.tar.gz`)
 7. **Verify** — spot-check signatures, confirm release assets are correct
 
 ### Resuming after failure
@@ -211,21 +211,18 @@ All release assets use **stable filenames** (no version in the name). This allow
 
 | Asset | Filename | Purpose |
 |-------|----------|---------|
-| Windows installer | `MouseTerm-windows-x64.exe` | Direct download |
-| Windows update bundle | `MouseTerm-windows-x64.nsis.zip` | Tauri updater |
-| macOS installer | `MouseTerm-macos-aarch64.dmg` | Direct download |
-| macOS update bundle | `MouseTerm-macos-aarch64.tar.gz` | Tauri updater |
-| Linux AppImage | `MouseTerm-linux-x86_64.AppImage` | Direct download |
-| Linux update bundle | `MouseTerm-linux-x86_64.AppImage.tar.gz` | Tauri updater |
+| Windows | `MouseTerm-windows-x64.nsis.zip` | Download + Tauri updater |
+| macOS | `MouseTerm-macos-aarch64.tar.gz` | Download + Tauri updater |
+| Linux | `MouseTerm-linux-x86_64.AppImage.tar.gz` | Download + Tauri updater |
 
 ### Download hotlinks
 
 The mouseterm.com download page can link directly to the latest release with no server-side logic:
 
 ```
-https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-windows-x64.exe
-https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-macos-aarch64.dmg
-https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-linux-x86_64.AppImage
+https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-windows-x64.nsis.zip
+https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-macos-aarch64.tar.gz
+https://github.com/diffplug/mouseterm/releases/latest/download/MouseTerm-linux-x86_64.AppImage.tar.gz
 ```
 
 These can later be migrated to `mouseterm.com/download/...` URLs backed by Cloudflare R2 (for analytics) without changing anything in the app — only the website links and the updater endpoint URL in `tauri.conf.json` would change.
diff --git a/scripts/sign-and-deploy.sh b/scripts/sign-and-deploy.sh
@@ -45,13 +45,10 @@ TSA_URL="http://ts.ssl.com"
 # GitHub repo
 GITHUB_REPO="diffplug/mouseterm"
 
-# Stable filenames for release assets
-FNAME_WIN_EXE="MouseTerm-windows-x64.exe"
-FNAME_WIN_UPDATE="MouseTerm-windows-x64.nsis.zip"
-FNAME_MAC_DMG="MouseTerm-macos-aarch64.dmg"
-FNAME_MAC_UPDATE="MouseTerm-macos-aarch64.tar.gz"
-FNAME_LINUX_APPIMAGE="MouseTerm-linux-x86_64.AppImage"
-FNAME_LINUX_UPDATE="MouseTerm-linux-x86_64.AppImage.tar.gz"
+# Stable filenames for release assets (update bundles only)
+FNAME_WIN="MouseTerm-windows-x64.nsis.zip"
+FNAME_MAC="MouseTerm-macos-aarch64.tar.gz"
+FNAME_LINUX="MouseTerm-linux-x86_64.AppImage.tar.gz"
 
 # =============================================================================
 # Helper Functions
@@ -447,18 +444,8 @@ notarize_macos() {
         local app_name
         app_name=$(basename "$app")
 
-        log "Creating $FNAME_MAC_DMG..."
-        local dmg_stage="$SIGN_DIR/dmg-stage"
-        rm -rf "$dmg_stage"
-        mkdir -p "$dmg_stage"
-        cp -R "$app" "$dmg_stage/"
-        ln -s /Applications "$dmg_stage/Applications"
-        hdiutil create -volname "MouseTerm" -srcfolder "$dmg_stage" \
-            -ov -format UDZO "$SIGN_DIR/$FNAME_MAC_DMG"
-        rm -rf "$dmg_stage"
-
-        log "Creating $FNAME_MAC_UPDATE..."
-        tar -czf "$SIGN_DIR/$FNAME_MAC_UPDATE" -C "$(dirname "$app")" "$app_name"
+        log "Creating $FNAME_MAC..."
+        tar -czf "$SIGN_DIR/$FNAME_MAC" -C "$(dirname "$app")" "$app_name"
     fi
 
     log "All macOS notarization and packaging complete"
@@ -503,8 +490,6 @@ sign_windows() {
             --tsmode RFC3161 \
             "$installer_path"
 
-        # Copy with stable filename
-        cp "$installer_path" "$SIGN_DIR/$FNAME_WIN_EXE"
     fi
 
     log "Windows signing complete"
@@ -524,55 +509,42 @@ sign_updates() {
     local release_dir="$WORK_DIR/release-assets"
     mkdir -p "$release_dir"
 
-    # Collect and rename update bundles with stable filenames
-    # macOS .tar.gz (already created by notarize step)
-    [[ -f "$SIGN_DIR/$FNAME_MAC_UPDATE" ]] && cp "$SIGN_DIR/$FNAME_MAC_UPDATE" "$release_dir/"
-    [[ -f "$SIGN_DIR/$FNAME_MAC_DMG" ]] && cp "$SIGN_DIR/$FNAME_MAC_DMG" "$release_dir/"
+    # Collect update bundles with stable filenames
+    # macOS .tar.gz (created by notarize step from signed+notarized .app)
+    [[ -f "$SIGN_DIR/$FNAME_MAC" ]] && cp "$SIGN_DIR/$FNAME_MAC" "$release_dir/"
 
-    # Windows NSIS zip — rebuild with signed exe so Tauri auto-update gets the signed binary
+    # Windows NSIS zip — rebuild with signed installer
     local win_nsis
     win_nsis=$(find "$SIGN_DIR/standalone-win-x64" -path "*/updater-bundles/*.nsis.zip" -o -name "*.nsis.zip" | head -1)
     if [[ -n "$win_nsis" ]]; then
-        local signed_exe
-        signed_exe=$(find "$SIGN_DIR/standalone-win-x64" -name "MouseTerm.exe" -not -name "*setup*" -not -name "*install*" | head -1)
-        if [[ -n "$signed_exe" ]]; then
-            log "Rebuilding NSIS zip with signed executable..."
-            local nsis_tmp="$SIGN_DIR/nsis-repack"
-            mkdir -p "$nsis_tmp"
-            unzip -o "$win_nsis" -d "$nsis_tmp"
-            # Replace the unsigned exe inside the extracted zip with the signed one
-            local inner_exe
-            inner_exe=$(find "$nsis_tmp" -name "MouseTerm.exe" -not -name "*setup*" -not -name "*install*" | head -1)
-            if [[ -n "$inner_exe" ]]; then
-                cp "$signed_exe" "$inner_exe"
-                # Rebuild the zip
-                (cd "$nsis_tmp" && zip -r "$release_dir/$FNAME_WIN_UPDATE" .)
-            else
-                warn "Could not find exe inside NSIS zip; copying original"
-                cp "$win_nsis" "$release_dir/$FNAME_WIN_UPDATE"
+        log "Rebuilding NSIS zip with signed installer..."
+        local signed_installer="$SIGN_DIR/standalone-win-x64/bundle/nsis/"
+        local nsis_tmp="$SIGN_DIR/nsis-repack"
+        mkdir -p "$nsis_tmp"
+        unzip -o "$win_nsis" -d "$nsis_tmp"
+        # Find the signed installer and replace the one in the zip
+        local signed_setup
+        signed_setup=$(find "$SIGN_DIR/standalone-win-x64" -name "*setup*.exe" | head -1)
+        if [[ -n "$signed_setup" ]]; then
+            local inner_setup
+            inner_setup=$(find "$nsis_tmp" -name "*setup*.exe" | head -1)
+            if [[ -n "$inner_setup" ]]; then
+                cp "$signed_setup" "$inner_setup"
             fi
-            rm -rf "$nsis_tmp"
-        else
-            cp "$win_nsis" "$release_dir/$FNAME_WIN_UPDATE"
         fi
+        (cd "$nsis_tmp" && zip -r "$release_dir/$FNAME_WIN" .)
+        rm -rf "$nsis_tmp"
     fi
 
-    # Windows installer
-    [[ -f "$SIGN_DIR/$FNAME_WIN_EXE" ]] && cp "$SIGN_DIR/$FNAME_WIN_EXE" "$release_dir/"
-
-    # Linux AppImage
-    local linux_appimage
-    linux_appimage=$(find "$SIGN_DIR/standalone-linux-x64" -name "*.AppImage" -not -name "*.tar.gz" | head -1)
-    [[ -n "$linux_appimage" ]] && cp "$linux_appimage" "$release_dir/$FNAME_LINUX_APPIMAGE"
-
+    # Linux AppImage.tar.gz
     local linux_update
     linux_update=$(find "$SIGN_DIR/standalone-linux-x64" -path "*/updater-bundles/*.AppImage.tar.gz" -o -name "*.AppImage.tar.gz" | head -1)
-    [[ -n "$linux_update" ]] && cp "$linux_update" "$release_dir/$FNAME_LINUX_UPDATE"
+    [[ -n "$linux_update" ]] && cp "$linux_update" "$release_dir/$FNAME_LINUX"
 
     # Generate .sig files for update bundles using Tauri CLI
-    for bundle in "$release_dir/$FNAME_MAC_UPDATE" \
-                  "$release_dir/$FNAME_WIN_UPDATE" \
-                  "$release_dir/$FNAME_LINUX_UPDATE"; do
+    for bundle in "$release_dir/$FNAME_MAC" \
+                  "$release_dir/$FNAME_WIN" \
+                  "$release_dir/$FNAME_LINUX"; do
         if [[ -f "$bundle" ]]; then
             log "Tauri-signing: $(basename "$bundle")"
             # Use tauri signer to sign the bundle
@@ -591,9 +563,9 @@ sign_updates() {
 
     # Read .sig file contents
     local sig_mac="" sig_win="" sig_linux=""
-    [[ -f "$release_dir/$FNAME_MAC_UPDATE.sig" ]] && { sig_mac=$(cat "$release_dir/$FNAME_MAC_UPDATE.sig"); rm "$release_dir/$FNAME_MAC_UPDATE.sig"; }
-    [[ -f "$release_dir/$FNAME_WIN_UPDATE.sig" ]] && { sig_win=$(cat "$release_dir/$FNAME_WIN_UPDATE.sig"); rm "$release_dir/$FNAME_WIN_UPDATE.sig"; }
-    [[ -f "$release_dir/$FNAME_LINUX_UPDATE.sig" ]] && { sig_linux=$(cat "$release_dir/$FNAME_LINUX_UPDATE.sig"); rm "$release_dir/$FNAME_LINUX_UPDATE.sig"; }
+    [[ -f "$release_dir/$FNAME_MAC.sig" ]] && { sig_mac=$(cat "$release_dir/$FNAME_MAC.sig"); rm "$release_dir/$FNAME_MAC.sig"; }
+    [[ -f "$release_dir/$FNAME_WIN.sig" ]] && { sig_win=$(cat "$release_dir/$FNAME_WIN.sig"); rm "$release_dir/$FNAME_WIN.sig"; }
+    [[ -f "$release_dir/$FNAME_LINUX.sig" ]] && { sig_linux=$(cat "$release_dir/$FNAME_LINUX.sig"); rm "$release_dir/$FNAME_LINUX.sig"; }
 
     local website_manifest="$REPO_ROOT/website/public/standalone-latest.json"
     cat > "$website_manifest" <<EOF
@@ -603,15 +575,15 @@ sign_updates() {
   "pub_date": "$pub_date",
   "platforms": {
     "darwin-aarch64": {
-      "url": "$base_url/$FNAME_MAC_UPDATE",
+      "url": "$base_url/$FNAME_MAC",
       "signature": "$sig_mac"
     },
     "windows-x86_64": {
-      "url": "$base_url/$FNAME_WIN_UPDATE",
+      "url": "$base_url/$FNAME_WIN",
       "signature": "$sig_win"
     },
     "linux-x86_64": {
-      "url": "$base_url/$FNAME_LINUX_UPDATE",
+      "url": "$base_url/$FNAME_LINUX",
       "signature": "$sig_linux"
     }
   }
