Update System

How signed manifests and packages are generated and consumed.

Channel Endpoints

https://plugin.stoneycnc.co.uk/updates/stable/manifest.json
https://plugin.stoneycnc.co.uk/updates/beta/manifest.json
https://plugin.stoneycnc.co.uk/updates/alpha/manifest.json

Manifest Shape

{
  "Version": "1.0.9540.1120",
  "PackageUrl": "https://plugin.stoneycnc.co.uk/packages/stable/StoneyCNCPlugin-1.0.9540.1120.zip",
  "Sha256": "<zip_sha256_hex>",
  "Signature": "<manifest_signature_base64>",
  "MinPluginVersion": "1.0.9540.1120",
  "Channel": "stable"
}

Verification Flow

Plugin downloads manifest.
Manifest signature is verified using update-public.xml.
Plugin downloads package and detached signature (.sig).
Package hash and detached signature are verified.

Publish Flow

.\build\promote-stable.ps1 `
  -Version 1.0.9540.1120 `
  -WebRoot "C:\inetpub\plugin" `
  -PrivateKeyXmlPath "C:\inetpub\plugin\keys\update-private.xml"

Publish always writes package, detached signature, and channel manifest in one step.