how to block verifying?

Asked by mirap

Hi!
I've spent 6 hours verifying my distribution. It absolutely doesn't work. I have the newest version of Sparkle and I tried to use signing, but it's still writing "The update is improperly signed." I read everything I could find about it and nothing ... Then I tried to use only SSL. But it writes an error too.

So, is there any way to not verify?
Thanks.

Question information

Language: English
Status: Solved
For: Sparkle
Assignee: No assignee
Solved by: Andy Matuschak
Andy Matuschak (andymatuschak) said (#1):

Extra information about whatever error you're encountering was logged to the console; take a look at it and let me know what it says.

mirap (mira-podorak) said (#2):

Version with SSH writes:
Sparkle Error (continued): bad server certificate
(I'm already trying to find if there isn't a problem on the hosting side)

Version using signature writes only:
Sparkle Error: The update is improperly signed.

Andy Matuschak (andymatuschak) said (#3):

Please paste the steps you use to create the signature for your update, and a copy of the appcast.

mirap (mira-podorak) said (#4):

Appcast is here:
http://www.hrablo.name/rss.xml

(as you can see, this https://www.hrablo.name/rss.xml works too)

I made a DSA keypair (by using generate_keys.rb). Then I copied the public one into Resources of my project, then added this into Info.plist:
    <key>SUExpectsDSASignature</key>
    <true/>
    <key>SUFeedURL</key>
    <string>http://rssctecka.hrablo.name/rss.xml</string>
    <key>SUPublicDSAKeyFile</key>
    <string>dsa_pub.pem</string>

Then I made the signature:
openssl dgst -sha1 -binary < ~/RSSko082.zip | openssl dgst -dss1 -sign dsa_priv.pem | openssl enc -base64

and copied that into appcast...

I also copied dsa_pub.pem and all needed stuff into previous version of my app (which I'm using for trying that).

Andy Matuschak (andymatuschak) said (#5):

Are you sure that:
- The dsa_priv.pem you're using to sign the update was generated at the same time as the dsa_pub.pem you put in the app?
- The MD5 checksum of the RSSko082.zip you're signing matches the checksum of the file the server delivers (curl it and make sure)?

mirap (mira-podorak) said (#6):

- No, I'm not. And I'm not sure what you mean. How do I do it?
- I tried to copy the .zip file a few times. But I'm not sure if the checksum was correct. Is there any trustworthy way to find it?
Thanks

Andy Matuschak (andymatuschak) said (#7):

> The dsa_priv.pem you're using to sign the update was generated at the same time as the dsa_pub.pem you put in the app?

This could only be an issue if you generated multiple keys for your app. The point is that when you run generate_keys, it outputs two files: dsa_priv.pem and dsa_pub.pem. Those files only work when used together; if you used dsa_priv.pem from one run of generate_keys and dsa_pub.pem from another, your signatures would not be valid.

> I tried to copy the .zip file a few times. But I'm not sure if the checksum was correct. Is there any trustworthy way to find it?

First, run md5 (the command line utility) on the .zip you signed. The usage is "md5 filename".
Then download the .zip from your server by the URL in your appcast and run md5 on that file. Do the values match?

mirap (mira-podorak) said (#8):

- Passed, I made them at the same time.

- md5 writes "fb86e03403b03df8e65f43de017b4604" for BOTH files...

May there be any other problem? I really have the latest version so it can't be that bug...

Andy Matuschak (andymatuschak) said (#9, best answer):

I downloaded your app and reproduced your signature failure, but I was able to sign it successfully. My steps:

1. I ran "ruby generate_keys.rb"
2. I put dsa_pub.pem in Resources over yours.
3. I ran "ruby sign_update.rb RSSko082.zip dsa_priv.pem" and set the signature in a local copy of your appcast to the result.
4. The verification then worked just fine.

I'm not sure what's going wrong on your end, but something's up! Are you using a weird version of OpenSSL or the crypto apps?

mirap (mira-podorak) said (#10):

Now it works! Thanks a lot!
...but I still don't know where the problem was. :/

mirap (mira-podorak) said (#11):

Thanks Andy Matuschak, that solved my question.

Vasileios Georgitzikis (billgeo13) said (#12):

Just for the record, I have spent countless hours trying to make Sparkle verification work, and Andy Matuschak's question about the version of OpenSSL, combined with the fact that I was getting unusually long signatures, finally made me see the solution.

Turns out I had at some point installed OpenSSL from MacPorts, and their versions differ. Apple's is:
OpenSSL 0.9.8l 5 Nov 2009
and MacPorts' is:
OpenSSL 1.0.0d 8 Feb 2011

I have spent more than 8 hours trying to make this work, so for everyone having the same problem, run 'which openssl' in the command line. If it says something like /opt/local/bin/openssl then you are using MacPorts' OpenSSL, and the scripts will NOT work. The easiest way to fix that is to edit the scripts and replace openssl with /usr/bin/openssl
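The checks this thread works through by hand (enclosure length, md5 of the archive you signed versus the file you serve, and a sanity check on the size of the signature in the appcast) can be run automatically before an appcast is published. The following is an added example, not Sparkle's own code or its scripts: it assumes a 1024-bit DSA key with a 160-bit group order q (so r and s in a well-formed signature are each at most 160 bits wide), reads the enclosure under Sparkle's XML namespace, and runs on a constructed archive and a hand-built signature rather than real release files; comparing the reported md5 with the md5 of the file curl'd from the server is left to the caller.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"


def parse_dsa_signature(b64_sig: str):
    """Decode a base64 DSA signature into (r, s). DER layout is
    SEQUENCE { INTEGER r, INTEGER s }; short-form lengths are all DSA needs."""
    der = base64.b64decode("".join(b64_sig.split()))  # tolerate wrapped base64
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("signature is not one short DER SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = der[pos + 1]
        ints.append(int.from_bytes(der[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(der):
        raise ValueError("trailing bytes after r and s")
    return ints[0], ints[1]


def check_enclosure(appcast_xml: str, archive: bytes, q_bits: int = 160):
    """Cross-check the appcast enclosure against the archive about to be
    published. q_bits=160 assumes a 1024-bit DSA key (adjust for other sizes)."""
    enc = ET.fromstring(appcast_xml).find(".//enclosure")
    if enc is None:
        raise ValueError("appcast has no enclosure")
    r, s = parse_dsa_signature(enc.get(f"{{{SPARKLE_NS}}}dsaSignature", ""))
    return {
        "length_ok": int(enc.get("length", "-1")) == len(archive),
        "md5": hashlib.md5(archive).hexdigest(),  # compare with md5 of served file
        "r_bits": r.bit_length(),
        "s_bits": s.bit_length(),
        "sig_fits_q": 0 < r.bit_length() <= q_bits and 0 < s.bit_length() <= q_bits,
    }


# Constructed sample data: a fake archive and a hand-built DER signature whose
# r and s are 160 bits wide with the top bit set (hence the 0x00 pad bytes).
SAMPLE_ARCHIVE = b"PK\x03\x04" + bytes(range(256)) * 4
SAMPLE_R, SAMPLE_S = (0xA5 << 152) | 0x1234, (0x8C << 152) | 0x5678
SAMPLE_DER = (b"\x30\x2e\x02\x15\x00" + SAMPLE_R.to_bytes(20, "big")
              + b"\x02\x15\x00" + SAMPLE_S.to_bytes(20, "big"))
SAMPLE_SIG = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}"><channel><item>
<enclosure url="http://example.invalid/RSSko082.zip" length="{len(SAMPLE_ARCHIVE)}"
 type="application/octet-stream" sparkle:dsaSignature="{SAMPLE_SIG}"/>
</item></channel></rss>"""

if __name__ == "__main__":
    print(check_enclosure(SAMPLE_APPCAST, SAMPLE_ARCHIVE))
```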