fix: handle empty string password for signing keys (fix #14829) #14957

Closed
quantumnic wants to merge 1 commit into tauri-apps:dev from quantumnic:fix/empty-password-signing

@quantumnic

Description

Fixes #14829 — Using an empty string password (-p "") with tauri signer generate and tauri signer sign fails with incorrect updater private key password: Wrong password for that key.

Root Cause

minisign::KeyPair::generate_encrypted_keypair(Some("")) sets kdf_alg = KDF_ALG (indicating an encrypted key) but skips actual encryption when the password is empty (if !password.is_empty() check on line 102 of minisign's keypair.rs). Later, SecretKeyBox::into_secret_key(Some("")) sees kdf_alg = KDF_ALG, attempts to decrypt by XOR-ing with a scrypt-derived key, and the checksum no longer matches → "Wrong password".

Fix

  • generate_key: Treat Some("") as no password and use generate_unencrypted_keypair() instead, producing keys with kdf_alg = KDF_NONE.
  • secret_key: Treat Some("") as no password and first try into_unencrypted_secret_key(), falling back to the encrypted path for better error messages.

Testing

Added regression test generate_and_sign_with_empty_password that verifies the full generate → load → sign round-trip with an empty password.

)

minisign's generate_encrypted_keypair skips encryption when password is
empty but still sets kdf_alg to KDF_ALG. This causes into_secret_key to
attempt decryption on an unencrypted key, resulting in 'Wrong password'.

Fix by treating empty password as no password:
- generate_key: use generate_unencrypted_keypair for empty passwords
- secret_key: try into_unencrypted_secret_key first for empty passwords

Add regression test for the full generate→sign round-trip.
@quantumnic quantumnic requested a review from a team as a code owner February 16, 2026 21:52
@github-project-automation github-project-automation bot moved this to 📬Proposal in Roadmap Feb 16, 2026
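
A minimal Rust model of the root cause and the normalization fix described in the pull request above, added here as an illustration; it is not code from the PR, Tauri or minisign. The `KeyBox` type, the toy keystream and the FNV checksum are assumptions standing in for minisign's key box, scrypt and its real checksum.

```rust
// Toy model of the key-box state described in the PR; not minisign's or Tauri's code.
// xor_stream and checksum are simplified stand-ins for scrypt and the real checksum.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Kdf { None, Alg } // models kdf_alg = KDF_NONE / KDF_ALG

struct KeyBox { kdf: Kdf, payload: Vec<u8>, checksum: u64 }

fn checksum(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

// Password-derived keystream XORed over the data (the same call encrypts and decrypts).
fn xor_stream(password: &str, data: &[u8]) -> Vec<u8> {
    let mut s = checksum(password.as_bytes());
    data.iter().map(|b| {
        s = s.wrapping_mul(6364136223846793005).wrapping_add(1442695040888963407);
        b ^ ((s >> 56) as u8 | 1) // never a zero byte, so the data always changes
    }).collect()
}

// Generation as described: Some("") marks the box encrypted but skips the encryption.
fn generate(secret: &[u8], password: Option<&str>) -> KeyBox {
    let (kdf, payload) = match password {
        None => (Kdf::None, secret.to_vec()),
        Some("") => (Kdf::Alg, secret.to_vec()), // header and payload now disagree
        Some(p) => (Kdf::Alg, xor_stream(p, secret)),
    };
    KeyBox { kdf, payload, checksum: checksum(secret) }
}

// Loading trusts the header: KDF_ALG means "decrypt first, then verify the checksum".
fn load(kb: &KeyBox, password: Option<&str>) -> Result<Vec<u8>, &'static str> {
    let plain = match (kb.kdf, password) {
        (Kdf::None, _) => kb.payload.clone(),
        (Kdf::Alg, Some(p)) => xor_stream(p, &kb.payload),
        (Kdf::Alg, None) => return Err("password required"),
    };
    if checksum(&plain) == kb.checksum { Ok(plain) } else { Err("Wrong password for that key") }
}

// The fix's normalization: an empty password is treated as no password on both paths.
fn normalize(password: Option<&str>) -> Option<&str> { password.filter(|p| !p.is_empty()) }

fn main() {
    let secret = b"constructed-secret-key-bytes"; // constructed sample, not a real key
    let buggy = generate(secret, Some(""));
    println!("unnormalized: {:?}", load(&buggy, Some("")));
    let fixed = generate(secret, normalize(Some("")));
    println!("normalized:   {:?}", load(&fixed, normalize(Some(""))));
}
```

In this model a box written by the unnormalized path still carries the encrypted marker over a plaintext payload, so normalizing only at load time does not make such a box readable.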
@github-actions
Contributor

Package Changes Through 51feef5

There are 3 changes which include tauri-cli with patch, @tauri-apps/cli with patch, tauri-bundler with patch

Planned Package Versions

The following package releases are planned based on the context of changes in this pull request.

package          current  next
tauri-bundler    2.8.0    2.8.1
@tauri-apps/cli  2.10.0   2.10.1
tauri-cli        2.10.0   2.10.1

Add another change file through the GitHub UI by following this link.


Read about change files or the docs at github.com/jbolda/covector

@Legend-Master Legend-Master added the ai-slop Low effort content, see https://github.com/tauri-apps/tauri?tab=contributing-ov-file#ai-tool-policy label Mar 4, 2026

Development

Successfully merging this pull request may close these issues.

[bug] Can not use empty string as the password of signing private key
