Tunnelblick Saying Update Improperly Signed

Tunnelblick Saying Update Improperly Signed Daniel Chan 4/9/12 8:53 AM
Hi,

I'm having issues having updates pushed to the client. So what I've
done is had an appcast.rss hosted on my site for the Sparkle framework
to work.

The version on the server side is signed with the same certificate as
the one I'm currently using, however it is at a higher version. It
prompts that there is an update perfectly fine, but approaching the
end of the download, it seems to give an error, saying that it's
improperly signed.

How can I fix this issue?

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"
     xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>BurstVPN</title>
    <link>http://updates.burstvpn.com/appcast.rss</link>
    <description>Most recent changes with links to updates.</description>
<item>
    <title>BurstVPN Client (Added Japan, Tokyo.)</title>
    <sparkle:releaseNotesLink>
        http://www.updates.burstvpn.com/v10200.html
    </sparkle:releaseNotesLink>
    <pubDate>Tue, 27 March 2012 8:00:00 +0800</pubDate>
    <enclosure url="http://updates.burstvpn.com/BurstVPN.dmg"
               sparkle:version="10200"
               sparkle:dsaSignature=""
               length=""
               type="application/octet-stream" />
</item>
</channel>
</rss>
Re: Tunnelblick Saying Update Improperly Signed jkbull...gmail.com 4/9/12 9:29 AM
Some comments, in no particular order:

Make sure you're not confusing the update signature with the digital signature on the app. See Digital Signatures for details.

Your actual .rss must contain a valid length field and signature:

The length should be the output of
stat -f %z path-to-the-.zip-file

The signature should be the output of
sign_update.rb path-to-the-.zip-file path-to-dsa-priv.pem

A standard copy of Tunnelblick contains the Tunnelblick Project's dsa_pub.pem, and it will only accept updates that are signed by the Tunnelblick Project private key. (That's the whole point of the digital signatures.) So you have to distribute a copy of Tunnelblick that not only has a Deploy folder, but has your dsa_pub.pem. That can be updated only with an update signed by your private key.

An alternative is to skip the DSA signatures, and update from an https: site. Then the signature is unnecessary.
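
An added example, not part of the original thread and not Tunnelblick or Sparkle code: a pre-publish check that applies the rules from the reply above to an appcast, flagging enclosures whose length is missing or wrong and enclosures that have neither a dsaSignature nor an https download URL. The function name lint_appcast, its sizes argument and the example.com feed are assumptions made for this illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample feed: the first item mirrors the posted enclosure (empty
# length and signature, http download); the second is https with a length set.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel>
<item><title>empty fields</title>
  <enclosure url="http://updates.example.com/App.dmg" sparkle:version="10200"
             sparkle:dsaSignature="" length="" type="application/octet-stream" /></item>
<item><title>https, no signature</title>
  <enclosure url="https://updates.example.com/App.zip" sparkle:version="10201"
             length="1048576" type="application/octet-stream" /></item>
</channel></rss>"""


# lint_appcast and sizes (URL -> byte count from stat) are hypothetical names.
def lint_appcast(xml_text, sizes=None):
    """Return a list of (item title, problem) for the enclosures in the feed."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        enc = item.find("enclosure")
        if enc is None:
            problems.append((title, "no enclosure element"))
            continue
        url = enc.get("url", "")
        length = enc.get("length", "").strip()
        if not re.fullmatch(r"[1-9][0-9]*", length):
            problems.append((title, "length is missing or not a positive integer"))
        elif sizes and url in sizes and int(length) != sizes[url]:
            problems.append((title, "length does not match the archive size"))
        sig = enc.get("{%s}dsaSignature" % SPARKLE_NS, "").strip()
        if not sig:
            if urlparse(url).scheme.lower() != "https":
                problems.append((title, "no dsaSignature and the download is not https"))
        else:
            try:
                base64.b64decode(sig, validate=True)
            except (binascii.Error, ValueError):
                problems.append((title, "dsaSignature is not valid base64"))
    return problems
```

This only checks that the fields are present and well formed; whether a signature verifies still depends on the dsa_pub.pem shipped inside the installed copy of the app.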
Re: Tunnelblick Saying Update Improperly Signed Daniel Chan 4/12/12 3:16 AM
How can I create a public and private DSA on mac?
Re: Tunnelblick Saying Update Improperly Signed jkbull...gmail.com 4/12/12 4:04 AM
The documentation for Sparkle is at https://github.com/andymatuschak/Sparkle/wiki

Section 3 describes how to create and use signing keys.

You'll have to download Sparkle 1.5b6 from http://sparkle.andymatuschak.org (use "Get Sparkle 1.5 b6" button on the right side.)


On Thursday, April 12, 2012 6:16:00 AM UTC-4, BurstVPN wrote:
How can I create a public and private DSA on mac?