Update fails when app certificates change #1283
Comments
As far as I can tell, Developer ID certificates never expire for app users. The expiration affects the developer's ability to sign apps, but not the user's ability to verify signatures. Renewals of Developer ID certificates are allowed. If you get a new certificate for the same identity (same Apple account), then all is fine. Changes of Developer ID identity (new person/company) are not allowed and will be rejected, unless your app archive is also signed with a DSA key, and the DSA key is the same in both the old and new versions of the app. In other words, Sparkle supports two types of signatures: DSA and CodeSigning. At least one of them must be valid.
Thanks for the answer, @kornelski! I lost the creds for the former Apple Dev account, so I must sign with new certs at some point in time because I can't renew them. The idea is to also use DSA, got it! Thanks for the help!
@kornelski I also have a couple of questions: 1 - I'm distributing the app as a dmg. I've signed the app and the dmg with my Apple dev cert. Do I have to sign both the dmg and the app with the DSA? Can I use sign_update to do so? 2 - I'm trying to create a patch (delta update) to apply a new version. Do I have to sign the new app with the DSA, create the delta file, sign the delta file and generate the appcast? I can't seem to sign the app because it is a directory; do I have to zip it? 3 - How can I use generate_appcast? It's unclear.
@kornelski I'm now building the app with all the info I got from the docs, setting up the SUFeedURL and SUPublicDSAKeyFile in the app's plist. Then I'll zip it (instead of using the dmg for now) and will sign with the DSA private key using sign_update. I will also build a new app with a different build number and follow the same procedure. Then I will put both zip files in a folder and run generate_appcast. I expect that this generates the appcast for the later version with the delta updates. Am I thinking this through correctly :p? (Still waiting on the app to build, will get back tomorrow with real results!) The certificates situation is understood and it won't be an issue, thanks :)
Sounds OK, but I'm unsure about:
No, the current live app has no DSA. We will release a major version, so that's not worrying. The first production version to be released (for the new major version) will have DSA. I don't know if we are going to use new certs from a new dev account or the old ones, but they will certainly have DSA :)
Another question! Can I make a delta from dmgs, or do I have to use the app?
Just keep in mind that all existing copies of the app without the DSA key already in them will reject every attempt at changing the Apple ID identity.
Thanks @kornelski, there is no app copy in the public domain that we want to update; we haven't released it yet and the first one to be released will have DSA. I will post my results regarding the deltas. I'm now creating 2 apps (one version 1.0.0.150 and the other 1.0.0.200) with their dmgs (which is what my build system spits out) and will use DSA signing on them. After that, I want to generate the appcast. Can I generate the deltas by placing the dmgs in the same "update" folder instead of the zipped application? Thank you very much!
The |
Thanks for all the help, @kornelski. I created 2 apps with different versions, but adding the DSA made the update fail. I'm getting the following error: "Sparkle: DSA signature validation failed. The update has a public DSA key and is signed with a DSA key, but the public key desn't match the signature. The update will be rejected." I generated the keys on macOS High Sierra, and it seems to me that the keys are not correct/valid. Is this #1180? Thanks!
It might be. Sorry, I'm unable to verify this right now.
It was indeed the DSA certificates. I generated the DSA certificate using a Sierra machine and it worked just fine. I already configured the app to support delta updates, although I haven't tested it. Thank you very much for your help!
@kornelski, thanks a lot for the commit: 5139179.
Hey guys,
Is the expected behaviour for the update to fail/say that the update is at the risk of the user whenever I sign version 1.0 with certificate X (which will eventually expire) and then I release 2.0, signed with a new certificate?
This is more of a question than an issue, feel free to move this to the appropriate place!
Thanks