Fail to sign on Snow Leopard

Asked by James Chen

I failed to sign an update on Snow Leopard. After I update the appcast and test updating, the Improperly signed update dialog pops up when the downloading finishes.

The Snow Leopard is 10A432 updated from previous developer seed version.

Tried signing the app on a Leopard macbook and it worked without any problem.

I doubt the problem was on Sparkle's side. I guess Snow Leopard's openssl has some issues.

Question information

Language: English
Status: Answered
For: Sparkle
Assignee: No assignee
Andy Matuschak (andymatuschak) said :
#1

I've been signing updates on Snow Leopard for the last year with no problem. What exactly did you do to sign it? Is there any more information in the Console? Can we have a link to your appcast?

James Chen (ashchan) said :
#2

Andy,
I use ChocTop (http://drnic.github.com/choctop/) to build the dmg and sign, as well as create the appcast feed.

I've also tried the sparkle's ruby sign tool, then called system's openssl command. All failed.

To make it clearer, the signing process went through without any problem, but updating and downloading the app ended up with the improperly signed update error.

Unfortunately I've replaced the appcast feed with the proper one created in Leopard. Here's the content of the error one:

<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
  <channel>
    <title>gmail-notifr</title>
    <description>gmail-notifr updates</description>
    <link>http://ashchan.com/gmailnotifr</link>
    <language>en</language>
    <pubDate>Mon, 31 Aug 2009 10:10:27 +0800</pubDate>
    <atom:link type="application/rss+xml" href="http://ashchan.com/gmailnotifr/update.xml" rel="self"/>
    <item>
      <title>Gmail Notifr 0.4.4</title>
      <sparkle:releaseNotesLink>http://ashchan.com/gmailnotifr/release_notes.html</sparkle:releaseNotesLink>
      <pubDate>Mon, 31 Aug 2009 10:10:27 +0800</pubDate>
      <guid isPermaLink="false">Gmail Notifr-0.4.4</guid>
      <enclosure type="application/dmg" length="1404598" sparkle:version="0.4.4" url="http://ashchan.com/gmailnotifr/Gmail Notifr-0.4.4.dmg" sparkle:dsaSignature="MC4CFQDGPvxmDSjkeRRl6FDK3dIVxWvjngIVAJB5luQT07xULCkRvW86iN/l5pNS"/>
    </item>
  </channel>
</rss>

There's no console error related to this. Is it possible some system utilities such as openssl were broken when upgrading from previous developer version of snow leopard?

Thanks!

Andy Matuschak (andymatuschak) said :
#3

Is dsa_pub.pem in your built product's Resources folder and the appropriate path specified in the SUDSAPublicKey key of Info.plist?

James Chen (ashchan) said :
#4

I could sign it on Leopard without any problem. I'm sure I have all necessary files (including the public and private key) in place. Anyway I'm going to test it on my friend's mac once he upgrades to SL. Perhaps I have messed up some libraries on my own mac. Thanks.

Frank Reiff (reiff) said :
#5

I have the exact same problem as James Chen.

My build process worked without a problem in Leopard and now that I've upgraded to Snow Leopard, I get the "improperly signed" message with nothing noteworthy on the console..

In other words, James is not mad, respectively I'm mad too..

This is part of the rake file that builds everything:

  cd "#{dropbox_path}/git/auto_builds/"
  puts "---running signature script"
  signature = `ruby sign_update.rb "#{staging_path}/bmfm2/signedBMFM2.zip" dsa_priv.pem`.chomp
  puts "finished running signature script"
  puts "---SIGNATURE: #{signature}"

this is the faulty appcast:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
    <channel>
        <title>BMFM 2 App Changelog</title>
        <link>http://www.publicspace.net/app/bmfm2.xml</link>
        <description>Most recent changes with links to updates.</description>
        <language>en</language>

  <item>
            <title>Version 2.01</title>
            <description>http://www.publicspace.net/app/bmfm2.html</description>
            <pubDate>Wed, 9 September 2009 9:00:00 +0000</pubDate>
            <enclosure sparkle:version="2.01" url="http://www.publicspace.net/download/signedBMFM2.zip" sparkle:dsaSignature="MCwCFFomVfUPrDkKTX2SdpjMpLGUG/MtAhRm846rvF3oMknHOGrvdbHQNcMNfg==" length="3200000" type="application/octet-stream"/>
        </item>
 </channel>
</rss>

The release was set for tomorrow.. I do wish you'd reconsider the whole signing thing because it really kills the entire framework.

Frank Reiff (reiff) said :
#6

Ok, I've actually managed to sort out the problem at my end. So it's a false alarm at least for me.

Turns out that the problem is with my test environment. I'm paranoid about problems with the updater so I change the urls of the application manually to point to my staging server and try the update from there.. only I forgot to also change the download url that the appcast there points to, so it downloaded the old version from the main server which of course does not check out with the new signature.. argh..

I'm checking to see what's involved in installing an ssl certificate on my server.. there's just a lot of manual stuff to do for every sparkle release now and it's killing my productivity.
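
Post #6 traces the error to the appcast pointing at the previous release's archive, so a signature made over the new build was checked against old bytes. The Ruby sketch below is an added example, not part of the thread or of Sparkle's code; it assumes the classic Sparkle DSA scheme (SHA-1 of the archive, DSA over the SHA-1 of that digest, base64 DER output), and the key and archive contents are constructed stand-ins.

```ruby
require "openssl"

# Assumption: classic Sparkle DSA scheme, i.e. SHA-1 of the archive,
# then DSA over the SHA-1 of that 20-byte digest, DER signature in base64.
def sparkle_digest(archive_bytes)
  inner = OpenSSL::Digest.digest("SHA1", archive_bytes)
  OpenSSL::Digest.digest("SHA1", inner)
end

# Produces the value that goes into sparkle:dsaSignature.
def sign_archive(archive_bytes, dsa_priv)
  [dsa_priv.syssign(sparkle_digest(archive_bytes))].pack("m0")
end

# True only if signature_b64 was made over exactly these bytes by the
# private half of dsa_pub. Malformed signatures count as invalid.
def signature_valid?(archive_bytes, signature_b64, dsa_pub)
  der = signature_b64.unpack1("m")
  dsa_pub.sysverify(sparkle_digest(archive_bytes), der)
rescue OpenSSL::PKey::PKeyError
  false
end

# Constructed scenario: a throwaway key pair and two stand-in archives.
def staging_mixup_demo
  priv = OpenSSL::PKey::DSA.generate(1024)               # stand-in for dsa_priv.pem
  pub  = OpenSSL::PKey::DSA.new(priv.public_key.to_pem)  # stand-in for dsa_pub.pem
  new_zip = "constructed bytes of the new build"
  old_zip = "constructed bytes of the previous release"
  sig = sign_archive(new_zip, priv)
  {
    new_archive: signature_valid?(new_zip, sig, pub), # what staging should serve
    old_archive: signature_valid?(old_zip, sig, pub), # what the stale URL served
    garbage_sig: signature_valid?(new_zip, "not-a-signature", pub),
  }
end

p staging_mixup_demo if $PROGRAM_NAME == __FILE__
```

Running the same check against the file actually served at the enclosure URL, before publishing the appcast, separates a stale download from a broken signing toolchain.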

Micheal Bclark (michealbclark) said :
#7
