Sparkle

Need help with DSA Signature

Asked by straw000

:( I have been trying to get the DSA signatures to work but each time its says "The update is improperly signed." yet I kept generating the two public and private pem codes as well as using the private code to generate the DSA signature then adding the signature to the appcast and uploading it, but none of them works.

I looked around at the DSA issues here on launchpad but it did not work for me. Can anyone point out what I did wrong, or give me a working pair of pem codes with a working DSA signature? All helps would be appreciated! Thanks!!

Question information

Language:
English Edit question
Status:
Solved
For:
Sparkle Edit question
Assignee:
No assignee Edit question
Solved by:
Andy Matuschak
Solved:
Last query:
Last reply:
Revision history for this message
Andy Matuschak (andymatuschak) said : 		#1

Please paste the exact commands you're using to generate your DSA signature, and your appcast entry for that update.

Revision history for this message
straw000 (straw000) said : 		#2

I used this:

ruby "/Users/waterdrop/sign_update.rb" ~/Desktop/tunelyrics.dmg "/Users/waterdrop/dsa_priv.pem"

Here is the appcast entry:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <channel>
      <title>TuneLyrics Appcast</title>
      <link>http://waterdropsoftware.googlepages.com/tunelyrics.xml</link>
      <description>TuneLyrics is a lyrics-fetching freeware and is a perfect companion with iTunes.</description>
      <language>en</language>
         <item>
            <title>New Changes And Updates In TuneLyrics 0.6</title>
 <sparkle:releaseNotesLink>http://waterdropsoftware.googlepages.com/rnotes.html</sparkle:releaseNotesLink>
            <pubDate>Sun, 23 Nov 2008 22:13:51 +0800</pubDate>
            <enclosure url="http://dl.macupdate.com/final/internet/29554/TuneLyrics_0.6.zip" length="679873" type="application/octet-stream" sparkle:dsaSignature="MCwCFHB2lJCJkqUr8tJsOAZm5wcrq/kaAhQeFbkZBeinVeb+hGQ+1SuX6Fscyw==" />
         </item>
   </channel>
</rss>

All help would be appreciated!! Thx a lot!

Revision history for this message
Best Andy Matuschak (andymatuschak) said : 		#3

Ah. The problem is that Sparkle needs you to sign the file the user downloads, not whatever's inside it. Specifically, you need to sign TuneLyrics_0.6.zip, not the .dmg.

Revision history for this message
straw000 (straw000) said : 		#4

k thx for your help again : )

Revision history for this message
straw000 (straw000) said : 		#5

Thanks Andy Matuschak, that solved my question.

Revision history for this message
Hofman (cmhofman) said : 		#6

BTW, why do you zip a disk image? A .dmg file is already compressed (using bzip).

Revision history for this message
Apurva Jatakia (apurvaapurva) said : 		#7

Hi,
If the file that user downloads is a .dmg file that is if the url field contains a path to .dmg file then do we need to sign the dmg file or it has to be a zip file which a user downloads for sparkle.

Thanks

Revision history for this message
Apurva Jatakia (apurvaapurva) said : 		#8

Hi,
If the file that user downloads is a .dmg file that is if the url field contains a path to .dmg file then do we need to sign the dmg file or it has to be a zip file which a user downloads for sparkle.

Thanks

Revision history for this message
Andy Matuschak (andymatuschak) said : 		#9

Your user can download a .dmg directly; it doesn't need to be in a .zip. You would need to sign the .dmg, yes.

Revision history for this message
Apurva Jatakia (apurvaapurva) said : 		#10

Thanks Andy,
I am new to the DSA signing. Can you point me to a good tutorial for signing the dmg file and also how do i find the length. Is it the length of the private or public key.

Thanks

Revision history for this message
Andy Matuschak (andymatuschak) said : 		#11

The length attribute of the enclosure refers to the .dmg or .zip, not the signature.

You can learn how to generate a key pair under Step 3 here: http://wiki.github.com/andymatuschak/Sparkle/

Then you can learn how to use that key to sign your update here: http://wiki.github.com/andymatuschak/Sparkle/publishing-an-update

Revision history for this message
Apurva Jatakia (apurvaapurva) said : 		#12

Thanks Andy for all the help