Help signing a .dmg with EdDSA key.

[rokas-ambrazevicius]

Hello all,

thank you for all the help in advance.

So at the moment I am trying to integrate Sparkle, seen all the documentation, seen discussions. I am trying to sign in on CI machine.

I have generated the key and exported it to a file. Every command I run, I append --ed-key-file $DIR/sparkle_private_key_file.

My goal - to have an app in .dmg. I would love the updates to work with .dmg and I read that it should be supported. Put a copy of your .app (with the same name as the version it’s replacing) in a .zip, .tar.xz, or .dmg. https://sparkle-project.org/documentation/publishing/#publishing-an-update

Also, read the proposal for future to use .dmg for increased security due to .zip flaws. Read all the discussions where help regarding unproperly signed update issue is discussed, but can't seem to get the dmg properly signed.

I am working on a macOS app, without sandboxing, with hardened runtime.
The way I see the process:

1. Build and sign the app.
2. Create .dmg with signed app.
3. Notarize the .dmg. // Everything is working here
4. Sign the .dmg with the EdDSA key
5. Deploy

First I tried signing and notarizing the app. Later on figured it's the other way round. Notarize and sign.
generate_appcast, does not seem to be generating EdDSA keys in the appcast when I run it.

The update gets downloaded, but when installing, I get these errors in the console:

Error: The update is improperly signed and could not be validated. Please try again later or contact the app developer. (null) (URL (null))
Error: Update validation was a failure (null) (URL (null))
Error: A public (Ed)DSA key was found in the old bundle but no public (Ed)DSA key was found in the new update. Sparkle only supports rotation, but not removal of (Ed)DSA keys. Please add an EdDSA key to the new app. (null) (URL (null))

I tried using sign_update and manually add the EdDSA key to appcast file, but I get same errors.
I assume something is wrong with signing, just can't figure out what. Any help is appreciated.

Also tried using .zip. Sign export app, notarize the zip, extract app from zip, staple, sign with EdDsa key - but with no luck.
Tried verifying the exported .zip, with sign_update, but nothing gets outputed when I paste the correct signature or when I change one of the letters in the signature.

If I try importing the key manually,

Sparkle/bin/generate_keys -f sparkle_private_key_file

the generate_appcast gets stuck.

[zorgiepoo]

Error: A public (Ed)DSA key was found in the old bundle but no public (Ed)DSA key was found in the new update. Sparkle only supports rotation, but not removal of (Ed)DSA keys. Please add an EdDSA key to the new app.

This error is not related to the appcast, but rather that the new update app bundle that was downloaded is missing a SUPublicEDKey in its Info.plist.

First I tried signing and notarizing the app. Later on figured it's the other way round. Notarize and sign.
generate_appcast, does not seem to be generating EdDSA keys in the appcast when I run it.

generate_appcast should generate the sparkle:edSignature in the enclosure item if the EdDSA private key it uses matches with the SUPublicEDKey in the updates at least. You may need to pass --ed-key-file in your case. Although, this may have been failing due to the error above.

I tried using sign_update and manually add the EdDSA key to appcast file, but I get same errors.

This would ought to work too (again the error is unrelated to the appcast).

Zip and dmg are not different in this regard with using Sparkle's signing keys.

...the generate_appcast gets stuck.

I cannot reproduce this tool hanging after importing keys. If you want to report it you may need to provide a sample from Activity Monitor or a spindump. If there are multiple updates, it may take some time to generate deltas.

Also, read the proposal for future to use .dmg for increased security due to .zip flaws. Read all the discussions where help regarding unproperly signed update issue is discussed, but can't seem to get the dmg properly signed.

This was more in the context of key rotation, I haven't decided what to do there yet. Today, dmg is not more secure.

[rokas-ambrazevicius]

All working now, thanks for such a brief explanation of what the errors mean.
Turns out, SUPublicEDKey, Xcode has not included this in the build. Solved now.
Thanks again..