The Update is Improperly Signed. (Installer Package PKG via Sparkle) #282

Closed
allenfisher opened this Issue Jun 24, 2013 · 7 comments


We need to be able to update our application with a PKG (Please don't ask me why we don't just update the bundle... we install lots of content to the system that doesn't live in the bundle, and that decision is out of my control). No matter how we prepare the installer package for distribution via sparkle, we always get:

2013-06-24 18:10:28 +0000: ===== My Cool App =====
2013-06-24 18:10:40 +0000: Extracting /Users/me/Library/Application Support/My App/My App 2014.2299/MyAppInstaller.zip using 'ditto -x -k - "$DESTINATION"'
2013-06-24 18:11:02 +0000: Sparkle Error: An error occurred while extracting the archive. Please try again later.
2013-06-24 18:11:02 +0000: Sparkle Error (continued): The update is improperly signed.

I've tried signing the app (which verifies correctly), signing the pkg with the same identifier as the application (which also verifies correctly), signing the zip file with the same identity, and probably a few permutations in between that I can't remember right now.

What do I need to do to prepare the package installer for use via sparkle? I had been experimenting with the DSA/SHA1 stuff, but that's proven unreliable because if something happens where the created date of one of the keypair files gets changed (thanks source control--glad I found this before release) we'd be screwed.

Edit: I did a get latest on the Master branch on Friday, June 21, 2013, if that makes a difference

If you're using an installer package, why is it trying to unzip something? Are you zipping your package? I don't think you should. Just link to the installer package directly. I think Sparkle is complaining because the result of unzipping is not the new application bundle.

Great minds think alike. I just got done trying that. Sparkle tells me that there's no unarchiver for PKG files... or do I need to change the enclosure's type in order to make sparkle just run the thing.

Found this in the instructions:

Create an Installer .pkg with the same name as your app and put that .pkg in one of the archive formats above.

So I renamed the .pkg to My App.pkg, re-signed it for good measure (and it verified properly), placed it in a zip file, and I STILL get:
2013-06-24 19:34:51 +0000: Sparkle Error: An error occurred while extracting the archive. Please try again later.
2013-06-24 19:34:51 +0000: Sparkle Error (continued): The update is improperly signed.

Contributor

andymatuschak commented Jun 25, 2013

If you're using a .pkg, you've got to use the DSA path.

Contributor

andymatuschak commented Jun 25, 2013

I've updated the wiki with a note about that. Sorry for the confusion!

Hi Andy! Thanks for the response. Could you (or someone else) explain if the updates that are signed with the DSA actually embed something in the binary? If I run the sign_update more than once (I was just experimenting...), I get different results for the hash. I was just about to offer to update the wiki if I had the ability to.

Contributor

andymatuschak commented Jun 25, 2013

They don't, but DSA signatures involve a random element, so it's expected that they'd be different every time you generate a signature.
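The DSA path Andy refers to, and the "different output each run" effect he explains, worked through as an added example. This is not Sparkle's own sign_update or generate_keys script; it reproduces the same shape (SHA-1 the archive, DSA-sign that digest, base64 the result) with plain openssl so the behaviour can be seen end to end. The key and archive names are made up, the archives are constructed stand-ins, and the script assumes an `openssl` on PATH from 1.1 or 3.x (the old `-dss1` digest name that sign_update used in 2013 no longer exists, so `-sha1` is used for the DSA step).

```shell
#!/bin/sh
# Added example, not Sparkle's own sign_update/generate_keys. It mirrors the
# shape of Sparkle 1.x's DSA path with plain openssl: SHA-1 the archive,
# DSA-sign that digest, base64 the signature. All file names are made up.
# Assumes `openssl` 1.1 or 3.x on PATH (the old `-dss1` digest name is gone).
set -eu

WORK="$(mktemp -d)"
PRIV="$WORK/dsa_priv.pem"     # stays on the release machine
PUB="$WORK/dsa_pub.pem"       # ships in the app bundle (SUPublicDSAKeyFile)

# Generate a 1024-bit DSA key pair (the size Sparkle's generate_keys used).
gen_dsa_keys() {
    openssl dsaparam -out "$WORK/dsaparam.pem" 1024 2>/dev/null
    openssl gendsa -out "$PRIV" "$WORK/dsaparam.pem" 2>/dev/null
    openssl dsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# sign_update ARCHIVE PRIVKEY -> base64 DSA signature for the appcast's
# sparkle:dsaSignature attribute. Nothing is embedded in the archive and
# nothing inside it is inspected, so a zip wrapping a .pkg signs like any file.
sign_update() {
    openssl dgst -sha1 -binary < "$1" \
      | openssl dgst -sha1 -sign "$2" \
      | openssl enc -base64 -A
}

# verify_update ARCHIVE PUBKEY SIG_B64 -> prints "ok" or "bad", mirroring the
# client side: recompute SHA-1 of the download, check the DSA signature.
verify_update() {
    printf '%s' "$3" | openssl enc -d -base64 -A > "$WORK/sig.bin"
    if openssl dgst -sha1 -binary < "$1" \
         | openssl dgst -sha1 -verify "$2" -signature "$WORK/sig.bin" >/dev/null 2>&1
    then
        echo ok
    else
        echo bad
    fi
}

# Demo over constructed stand-ins for the real archives.
demo() {
    gen_dsa_keys
    printf 'constructed stand-in for My App.zip wrapping My App.pkg' > "$WORK/MyApp.zip"
    printf 'constructed stand-in, one byte changed' > "$WORK/tampered.zip"

    # Two signatures over the same bytes differ: DSA draws a fresh random k
    # for every signature, so changing output is expected, not an error.
    SIG1="$(sign_update "$WORK/MyApp.zip" "$PRIV")"
    SIG2="$(sign_update "$WORK/MyApp.zip" "$PRIV")"
    if [ "$SIG1" != "$SIG2" ]; then
        echo "signatures differ, as expected"
    fi

    # Both verify; the altered archive fails ("The update is improperly signed.").
    GOOD1="$(verify_update "$WORK/MyApp.zip" "$PUB" "$SIG1")"
    GOOD2="$(verify_update "$WORK/MyApp.zip" "$PUB" "$SIG2")"
    BAD="$(verify_update "$WORK/tampered.zip" "$PUB" "$SIG1")"
    echo "sig1=$GOOD1 sig2=$GOOD2 tampered=$BAD"
}

demo
```

Two practical consequences follow from the randomness. The per-signature value k must come from a good RNG and never repeat: two DSA signatures made with the same k leak the private key. And because the signature covers the archive bytes exactly, any re-zipping or re-signing of the .pkg inside the zip after running sign_update produces a file that no longer matches; generate the appcast signature as the very last step.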
