getting signature improperly signed

Asked by john seward

Updating an app with the older version of Sparkle to an app with the new version of Sparkle works fine, but when I try to update an app with the new version of Sparkle I get an error that the download is improperly signed. Here is the script I am using as part of the Xcode build process to generate the .zip file and the signature and the .xml file, and below that is the generated .xml file. What am I doing wrong?

#!/bin/bash
set -o errexit

VERSION=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleShortVersionString)
BUILD=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleVersion)
DOWNLOAD_BASE_URL="http://s3.amazonaws.com/mailsteward/images/"
RELEASENOTES_URL="http://mailsteward.com/prornotes.html"

UNDERSCORE="_"
ARCHIVE_FILENAME="$PROJECT_NAME$UNDERSCORE$VERSION.zip"
DOWNLOAD_URL="$DOWNLOAD_BASE_URL$ARCHIVE_FILENAME"
KEYCHAIN_PRIVKEY_NAME="privkey"

WD=$PWD
cd "$BUILT_PRODUCTS_DIR"
rm -f "$PROJECT_NAME"*.zip
zip -qr "$ARCHIVE_FILENAME" "$PROJECT_NAME.app"

SIZE=$(stat -f %z "$ARCHIVE_FILENAME")
PUBDATE=$(date +"%a, %d %b %G %T %z")
(security find-generic-password -g -s "$KEYCHAIN_PRIVKEY_NAME" 2>&1 1>/dev/null | perl -pe '($_) = /"(.+)"/; s/\\012/\n/g') | openssl enc -base64 > junk
SIGNATURE=$(openssl dgst -sha1 -binary < "$ARCHIVE_FILENAME" | openssl dgst -dss1 -sign <junk)

[ $SIGNATURE ] || { echo Unable to load signing private key with name "'$KEYCHAIN_PRIVKEY_NAME'" from keychain; false; }

cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>$PROJECT_NAME Changelog</title>
        <link>http://mailsteward.com/registered.html</link>
        <description>Most recent changes.</description>
        <language>en</language>
 <item>
  <title>Version $VERSION, Build $BUILD</title>
  <sparkle:releaseNotesLink>$RELEASENOTES_URL</sparkle:releaseNotesLink>
  <pubDate>$PUBDATE</pubDate>
  <enclosure
   url="$DOWNLOAD_URL"
   sparkle:version="$BUILD"
   sparkle:shortVersionString="$VERSION"
   type="application/octet-stream"
   length="$SIZE"
   sparkle:dsaSignature="$SIGNATURE"
  />
 </item>
    </channel>
</rss>
EOF

rm -f junk

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>MailStewardPro Changelog</title>
        <link>http://mailsteward.com/registered.html</link>
        <description>Most recent changes.</description>
        <language>en</language>
 <item>
  <title>Version 8.2, Build 1133</title>
  <sparkle:releaseNotesLink>http://mailsteward.com/prornotes.html</sparkle:releaseNotesLink>
  <pubDate>Mon, 04 May 2009 08:20:17 -0500</pubDate>
  <enclosure
   url="http://s3.amazonaws.com/mailsteward/images/MailStewardPro_8.2.zip"
   sparkle:version="1133"
   sparkle:shortVersionString="8.2"
   type="application/octet-stream"
   length="4398361"
   sparkle:dsaSignature="a252229c65c07c33b3ffffa4267170f37490e23c"
  />
 </item>
    </channel>
</rss>

Question information

Language: English
Status: Solved
For: Sparkle
Solved by: Andy Matuschak
#1 Andy Matuschak (andymatuschak) said:

Sparkle expects signatures to be base64-encoded (see sign_update.rb). I think that'll probably fix your issue.

#2 Andy Matuschak (andymatuschak) said (best answer):

I misread the script and actually didn't see your base64 encoding call... now I see that you're doing it, but the outputted signature sure looks like hex to me. Compare with the output at http://github.com/liyanage/album-artwork-assistant/blob/4567912aedb75f46c14d2ec9f18fed7ad46adf6a/appcast.xml

#3 john seward (jns) said:

Thanks Andy, that was enough to get me on the right track. It all works now. Now my script looks like this:

#!/bin/bash
set -o errexit

VERSION=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleShortVersionString)
BUILD=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleVersion)
DOWNLOAD_BASE_URL="http://mydownloadurl.com/"
RELEASENOTES_URL="http://mailsteward.com/prornotes.html"

UNDERSCORE="_"
ARCHIVE_FILENAME="$PROJECT_NAME$UNDERSCORE$VERSION.zip"
DOWNLOAD_URL="$DOWNLOAD_BASE_URL$ARCHIVE_FILENAME"

WD=$PWD
cd "$BUILT_PRODUCTS_DIR"
rm -f "$PROJECT_NAME"*.zip
zip -qr "$ARCHIVE_FILENAME" "$PROJECT_NAME.app"

SIZE=$(stat -f %z "$ARCHIVE_FILENAME")
PUBDATE=$(date +"%a, %d %b %G %T %z")

SIGNATURE=$(ruby "/myhome/projects/Sparkle/Extras/Signing Tools/sign_update.rb" "$ARCHIVE_FILENAME" /myhome/projects/dsa_priv.pem)

cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>$PROJECT_NAME Changelog</title>
        <link>http://mailsteward.com/registered.html</link>
        <description>Most recent changes.</description>
        <language>en</language>
 <item>
  <title>Version $VERSION, Build $BUILD</title>
  <sparkle:releaseNotesLink>$RELEASENOTES_URL</sparkle:releaseNotesLink>
  <pubDate>$PUBDATE</pubDate>
  <enclosure
   url="$DOWNLOAD_URL"
   sparkle:version="$BUILD"
   sparkle:shortVersionString="$VERSION"
   type="application/octet-stream"
   length="$SIZE"
   sparkle:dsaSignature="$SIGNATURE"
  />
 </item>
    </channel>
</rss>
EOF
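The point Andy makes in #2 (the value in the appcast was a 40-character hex digest, not a base64-encoded DSA signature) and the fix in #3 (delegate to sign_update.rb) can both be checked from a release script before the appcast is uploaded. The script below is an added example, not code from the thread or from the Sparkle project: it reproduces the sign_update.rb pipeline with plain openssl (SHA-1 of the archive, DSA-signed, base64), classifies a sparkle:dsaSignature value so the hex-digest symptom from the thread is caught at build time, and verifies the signature with the public key the app would ship. The file names dsa_priv.pem and dsa_pub.pem follow the thread; the functions, the 1024-bit key size (chosen only so the example runs quickly) and the stand-in archive are constructed for this example.

```shell
#!/bin/sh
# Added example: sign_update.rb's pipeline redone with plain openssl, plus the
# checks a release script should run before publishing the appcast.
set -eu

# Key pair in the layout the thread uses: dsa_priv.pem stays with the
# developer, dsa_pub.pem is bundled in the app. 1024 bits is an example choice
# to keep generation fast, not a recommendation.
make_keys() {
    dir=$1
    openssl dsaparam -out "$dir/dsa_param.pem" 1024 2>/dev/null
    openssl gendsa -out "$dir/dsa_priv.pem" "$dir/dsa_param.pem" 2>/dev/null
    openssl dsa -in "$dir/dsa_priv.pem" -pubout -out "$dir/dsa_pub.pem" 2>/dev/null
}

# Sign the way sign_update.rb did: SHA-1 of the archive, signed with the DSA
# key, base64 on one line. "-sha1" is used instead of the old "-dss1" digest
# name, which newer OpenSSL releases no longer accept; the signature is the
# same. "-A" keeps the base64 on a single line so it is safe inside an XML
# attribute (a 2048-bit DSA signature would otherwise wrap at 64 characters).
sparkle_sign() {
    archive=$1; privkey=$2
    openssl dgst -sha1 -binary < "$archive" \
        | openssl dgst -sha1 -sign "$privkey" \
        | openssl enc -base64 -A
}

# Classify a sparkle:dsaSignature value. The thread's broken script emitted a
# 40-character hex string (a bare SHA-1 digest). A real signature base64-decodes
# to a DER SEQUENCE of two INTEGERs (r, s), which asn1parse accepts.
signature_kind() {
    sig=$1
    if [ ${#sig} -eq 40 ] && [ -z "$(printf '%s' "$sig" | tr -d '0-9a-fA-F')" ]; then
        echo "hex-digest"
        return 0
    fi
    if printf '%s' "$sig" | openssl enc -base64 -d -A 2>/dev/null \
        | openssl asn1parse -inform DER >/dev/null 2>&1; then
        echo "base64-der"
    else
        echo "unknown"
    fi
}

# Verify as the updater does on the client: SHA-1 the archive, check the DSA
# signature against the bundled public key. Returns 0 only on "Verified OK".
sparkle_verify() {
    archive=$1; pubkey=$2; sig=$3
    sigfile=$(mktemp)
    printf '%s' "$sig" | openssl enc -base64 -d -A > "$sigfile" 2>/dev/null || :
    if openssl dgst -sha1 -binary < "$archive" \
        | openssl dgst -sha1 -verify "$pubkey" -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"
        return 0
    fi
    rm -f "$sigfile"
    return 1
}

# End-to-end run on a constructed stand-in archive: sign, classify, verify,
# then confirm that any change to the archive after signing is rejected.
run_demo() {
    work=$(mktemp -d)
    make_keys "$work"
    printf 'constructed stand-in for MailStewardPro_8.2.zip\n' > "$work/app.zip"
    sig=$(sparkle_sign "$work/app.zip" "$work/dsa_priv.pem")
    echo "sparkle:dsaSignature=\"$sig\" ($(signature_kind "$sig"))"
    if sparkle_verify "$work/app.zip" "$work/dsa_pub.pem" "$sig"; then
        echo "verify: OK"
    else
        echo "verify: FAILED"
    fi
    printf 'x' >> "$work/app.zip"
    if sparkle_verify "$work/app.zip" "$work/dsa_pub.pem" "$sig"; then
        echo "tampered archive still verifies (this must not happen)"
    else
        echo "tampered archive rejected"
    fi
    rm -rf "$work"
}

run_demo
```

Dropping `sparkle_verify` into the build script right after `SIGNATURE=$(...)`, with the same dsa_pub.pem the app bundles, turns the "improperly signed" error from a field report into a build failure; `signature_kind` catches the specific mistake from this thread, where a hex digest was published in place of a signature.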