Having trouble creating a valid signature for an update

Asked by Kelly Schrag

I am a newbie to the Sparkle process. I have recently been asked to release a product on the Mac. We released one version containing Sparkle on the Mac about 5 months ago. The programmer has since left the company. I think I have found the public and private keys he used, and I have the appcast.xml as well. I have verified that the public key I am using is the same as the one he used, and the private key has the same timestamp, so I assume it is the same set he used. So... I build my files in the following way.

1. Compile the 3 RealBasic programs.
2. Compress 2 of the programs and place them in an updates folder inside the bundle of the 3rd.
3. Copy the Sparkle framework into the MacOS folder.
4. Copy the public key into the Resources folder.
5. Add the SUFeedURL and SUPublicDSAKeyFile key/value pairs to the Info.plist file.
6. Compress the main app into a .zip file.
7. Open the Terminal window.
8. Type "ruby ", drop the .zip file and the private key, and hit return.
9. Update the appcast with the version, paths, signature and length.
10. Move the appcast.xml, the .zip file and the .html file to the server.
11. Rename the old appcast.xml and replace it with the new one I just created.
12. Open the old app; it recognizes it has an update.
13. Click Install Update. It says the update is improperly signed.
14. Click Cancel Update.
15. Then, try opening the new version; it says I am running the newest version available.
16. Click OK and it hangs. Then I have to force quit to stop it.
17. Then, because it does not work, restore the original appcast.xml.

I have 2 additional questions:
 1. We have recently changed the version numbering on the PC to be 5.1.005.300, but the short and long versions are still 5.1.005, and in the plist the versions are 5.1.005 and they all match, but the CFBundleVersion is 5.1.5.0. Why would the CFBundleVersion be different? Would that cause a signing error?
 2. How can I be certain I have the correct public and private keys? I have already verified that the public keys are the same as in the previous version and the timestamp on the private key matches it.

Please help me; I have already spent a significant amount of time reading documentation and watching the videos. This is a slightly different scenario because it is the update that in turn will need to be updated, and I have to zip 3 apps into the one.

Question information

Language: English
Status: Solved
For: Sparkle
Solved by: Kelly Schrag
Andy Matuschak (andymatuschak) said:
#1

If you're using a version of OpenSSL newer than 0.9.8l (check with "openssl version"), you'll need a newer version of the generate_keys.rb script. https://github.com/andymatuschak/Sparkle/raw/master/generate_keys.rb

> We have recently changed the version numbering on the PC to be 5.1.005.300 but the short and long versions are still 5.1.005 and in the plist the versions are 5.1.005 and they all match but the CFBundleVersion is 5.1.5.0. Why would the CFBundleVersion be different? would that cause a signing error?

CFBundleVersion is what Sparkle uses for actual comparison. CFBundleShortVersionString is used for display. Technically, according to Bundle Services, CFBundleVersion is supposed to be an integer. In practice, it can be a simple string. I wouldn't be surprised if strings like "5.1.005" confused it with the leading zeroes in the third segment.

> How can I be certain I have the correct public and private keys. I have already verified that the public keys are the same as the previous version and the time stamp on the private key matches it.

Run these two commands:

echo "WHAT" | openssl dgst -dss1 -sign dsa_priv.pem > test.sign
echo "WHAT" | openssl dgst -dss1 -verify dsa_pub.pem -signature test.sign

The latter should output "Verified OK" if dsa_priv and dsa_pub are a keypair.

If you're seeing a reproducible Sparkle hang when no new version is available, please attach a sample so I can see what it's doing.

Kelly Schrag (kelly-wdweb) said:
#2

I have openssl version 0.9.71 28 Sep 2006.
I am using Sparkle version 1.5b6.
I ran the echo you suggested and the priv and pub keys verified OK...
I open the previous version of the program and it recognizes an update is available.
So, I think the version is correct but I am still getting the improperly signed message.

At this point, I am not too worried about the hang with the new version. The old version does not hang when there is no update, so I will troubleshoot that later.

I must be positive I can update from the old version to the new automatically. Any suggestions will be appreciated.

Andy Matuschak (andymatuschak) said:
#3

You copied the public key into the new version—did you copy it into the old version, too?

The signatures are often two lines. Make sure to copy both.

Kelly Schrag (kelly-wdweb) said:
#4

Thank you for your help. I have figured out what my real problem was. The server I was trying to get to had a security check that would not let me access the URL for the zip file referenced by the appcast. It took a long time to find because it found the appcast but could not get to the update zip file. The only message I got was that the signature was incorrect.
Please consider changing the message if sparkle can not access/download the update.
I now can update from the production version to the new version. I still have the hanging after the update but I suspect it is in our code not yours.
Thanks again for your time.
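The following is an added example, not Sparkle's own sign_update.rb or any code from this thread. It reproduces the whole loop the question walks through in one self-contained Ruby script: sign an archive the way the Sparkle 1.5-era sign_update.rb did by piping through openssl (SHA-1 of the archive, DSA-signed with SHA-1, base64), run Andy's "echo WHAT | openssl dgst ... -sign / -verify" keypair check in-process, build the appcast enclosure with its length and dsaSignature, and then check a fetched download the way a client should. The keypair is generated on the fly, the archive bytes and the enclosure URL are constructed stand-ins, and the "403 Forbidden" body is a constructed illustration of what the server in #4 actually handed back: checking the enclosure length before the signature is what turns the misleading "improperly signed" message into "the server did not give me the zip".

```ruby
#!/usr/bin/env ruby
# Added example (not Sparkle's own code). Uses only Ruby's standard openssl
# library. The construction below -- SHA-1 of the archive, DSA-signed with
# SHA-1, base64-encoded -- is what Sparkle 1.5's sign_update.rb did via
# openssl; compare it with the script you actually ship before relying on it.
require 'openssl'

# Replaces "ruby sign_update.rb update.zip dsa_priv.pem": returns the base64
# sparkle:dsaSignature value to paste into the appcast enclosure.
def sign_update(archive_bytes, priv)
  inner = OpenSSL::Digest.new('SHA1').digest(archive_bytes)
  [priv.sign(OpenSSL::Digest.new('SHA1'), inner)].pack('m0')
end

# Same construction, checked with the public key the app bundles in Resources.
def verify_update(archive_bytes, sig_b64, pub)
  inner = OpenSSL::Digest.new('SHA1').digest(archive_bytes)
  pub.verify(OpenSSL::Digest.new('SHA1'), sig_b64.unpack1('m0'), inner)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false # malformed base64 or DER is a bad signature, not a crash
end

# Andy's "echo WHAT | openssl dgst -dss1 -sign / -verify" test, in-process.
def keypair_matches?(priv, pub)
  msg = "WHAT\n"
  pub.verify(OpenSSL::Digest.new('SHA1'), priv.sign(OpenSSL::Digest.new('SHA1'), msg), msg)
end

# The <enclosure> line for the appcast (url, length and dsaSignature are the
# attributes Sparkle reads; the URL passed in is a hypothetical stand-in).
def enclosure_xml(url, archive_bytes, sig_b64, version)
  %(<enclosure url="#{url}" length="#{archive_bytes.bytesize}" type="application/octet-stream" ) +
    %(sparkle:version="#{version}" sparkle:dsaSignature="#{sig_b64}" />)
end

# Pull the fields back out of the enclosure line (a regex rather than an XML
# parser so the example needs nothing beyond the standard library).
def parse_enclosure(xml)
  { url: xml[/\burl="([^"]*)"/, 1],
    length: xml[/\blength="(\d+)"/, 1].to_i,
    sig: xml[/sparkle:dsaSignature="([^"]*)"/, 1] }
end

# What a client should report after fetching the enclosure URL. Comparing the
# byte count against the enclosure's length first separates "the server gave
# me something other than the zip" (the real cause in #4) from a signature
# that is genuinely wrong.
def check_download(enclosure_line, fetched_bytes, pub)
  enc = parse_enclosure(enclosure_line)
  return :length_mismatch unless fetched_bytes.bytesize == enc[:length]
  verify_update(fetched_bytes, enc[:sig], pub) ? :ok : :bad_signature
end

# --- constructed demo data --------------------------------------------------
# Throwaway keypair so the script runs offline. In practice load the existing
# files instead: OpenSSL::PKey::DSA.new(File.read("dsa_priv.pem")) etc.
PRIV = OpenSSL::PKey::DSA.generate(2048)
PUB  = OpenSSL::PKey::DSA.new(PRIV.respond_to?(:public_to_pem) ? PRIV.public_to_pem : PRIV.public_key.to_pem)

# Stand-in for the zipped main app (constructed bytes, not a real archive).
ARCHIVE   = ("PK\x03\x04" + "main-app-bundle-contents-" * 40).b
SIGNATURE = sign_update(ARCHIVE, PRIV)
ENCLOSURE = enclosure_xml("http://updates.example.com/MyApp-5.1.5.0.zip", ARCHIVE, SIGNATURE, "5.1.5.0")

# Constructed: what a blocked server returns in place of the zip (cf. #4).
BLOCKED_RESPONSE = "<html><body><h1>403 Forbidden</h1></body></html>".b
# Constructed: an archive of the right length whose bytes changed after signing.
TAMPERED = (ARCHIVE[0...-1] + "X").b

if __FILE__ == $0
  puts "keypair matches: #{keypair_matches?(PRIV, PUB)}"
  puts ENCLOSURE
  puts "real zip:        #{check_download(ENCLOSURE, ARCHIVE, PUB)}"
  puts "blocked fetch:   #{check_download(ENCLOSURE, BLOCKED_RESPONSE, PUB)}"
  puts "tampered zip:    #{check_download(ENCLOSURE, TAMPERED, PUB)}"
end
```

Run it with `ruby sparkle_sign_check.rb`: the real archive verifies as `ok`, the 403 page comes back as `length_mismatch` rather than a signature complaint, and the same-length tampered archive is the only case that reports `bad_signature`. The same three-way split is worth running by hand when Sparkle says "improperly signed": `curl -sI` the enclosure URL from a machine outside your network and compare the reported Content-Length with the `length` attribute before you start doubting the keys.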