
Sparkle - sign_update via ssh: "Unable to access required key in the Keychain"?


  • Sparkle-1.21.0
  • OS X 10.11

generate_appcast doesn't work with .dmg file:

Error generating appcast from directory /Users/quanta/Downloads/updates Error Domain=SUSparkleErrorDomain Code=1001 "No usable archives found in /Users/quanta/Downloads/updates" UserInfo={NSLocalizedDescription=No usable archives found in /Users/quanta/Downloads/updates}

So, I have to create appcast.xml manually:

<?xml version="1.0" standalone="yes"?>
<rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
    <channel>
        <title>x</title>
        <item>
            <title>1.0.0.2891</title>
            <pubDate>Thu, 06 Dec 2018 17:25:26 +0800</pubDate>
            <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion>
            <enclosure url="https://example.com/x.dmg" sparkle:version="1.0.0.2891" sparkle:shortVersionString="1.0.0.2891" length="86454539" type="application/octet-stream"/>
        </item>
    </channel>
</rss>

Got this error when testing:

DSA signature validation of the package failed. The update contains an installer package, and valid DSA signatures are mandatory for all installer packages. The update will be rejected. Sign the installer with a valid DSA key or use an .app bundle update instead.

The first time I ran sign_update, I chose "Always allow", so it does not ask for the password the next time:

$ ./bin/sign_update /path/to/x.dmg
sparkle:edSignature="x==" length="105562628"

But I still got this error when running via ssh:

$ ~/Downloads/Sparkle-1.21.0/bin/sign_update /path/to/x.dmg
ERROR! Unable to access required key in the Keychain -25308 (you can look it up at osstatus.com)

I know that we can use openssl to do the same thing: https://github.com/sparkle-project/Sparkle/blob/master/bin/old_dsa_scripts/sign_update

but how can I export dsa_priv.pem from my keychain?


Solution

  • The reason is login.keychain is locked when running via ssh.

    We have to unlock it before running sign_update. Put the following command into a script:

    #!/bin/sh
    # Unlock the login keychain so sign_update can read the signing key without a UI prompt.
    security unlock-keychain -p "$pa55w0rd" "$HOME/Library/Keychains/login.keychain"
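The -25308 status in the question is errSecInteractionNotAllowed: the keychain needs a user-interaction prompt that an ssh session cannot supply, which is why unlocking it first works. The snippet above embeds the keychain password in the script itself; the script below is an added example (not from the original post or from the Sparkle project) showing a wrapper that reads the password from an owner-only file instead, refuses to run if that file is readable by others, only accepts archive types Sparkle can deliver, and re-locks the keychain after signing so it is not left open for the rest of the session. The file path `~/.config/sparkle/keychain-pass`, the `KEYCHAIN`, `PASS_FILE` and `SIGN_UPDATE` variables, and the `sign_archive` function are all assumptions of this example. Note that `security unlock-keychain -p` still passes the password as a command-line argument, which is briefly visible to other local users in the process list; this script only removes the copy that would otherwise sit in source control.

```shell
#!/bin/sh
# Added example, not part of the original answer or of Sparkle.
# Assumptions: the keychain password is stored in PASS_FILE with mode 0600 (path is a
# constructed default), and Sparkle's sign_update is reachable as SIGN_UPDATE.

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain}"
PASS_FILE="${PASS_FILE:-$HOME/.config/sparkle/keychain-pass}"
SIGN_UPDATE="${SIGN_UPDATE:-sign_update}"

# Return 0 only when the file exists and its mode is exactly -rw------- (owner read/write).
# ls -ld is used instead of stat because the stat flags differ between macOS and Linux.
secret_file_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Return 0 when the path is a regular file with an archive extension Sparkle can deliver.
archive_is_supported() {
    case "$1" in
        *.dmg|*.zip|*.tgz|*.tar.gz|*.tar.bz2|*.tar.xz) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Unlock the keychain, sign one archive, then lock the keychain again.
# Exit codes: 2 bad archive, 3 password file too permissive, 4 unlock failed,
# otherwise the exit code of sign_update itself.
sign_archive() {
    archive=$1
    archive_is_supported "$archive" || { echo "unsupported or missing archive: $archive" >&2; return 2; }
    secret_file_is_private "$PASS_FILE" || { echo "refusing: $PASS_FILE must be mode 0600" >&2; return 3; }
    pass=$(cat "$PASS_FILE")
    security unlock-keychain -p "$pass" "$KEYCHAIN" || return 4
    "$SIGN_UPDATE" "$archive"
    rc=$?
    # Lock again regardless of the signing result so the key is not left reachable.
    security lock-keychain "$KEYCHAIN"
    return $rc
}

# Run only when an archive path is given; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then
    sign_archive "$1"
fi
```

Usage over ssh: `sh sign_archive.sh /path/to/x.dmg`, with the keychain password written once to `~/.config/sparkle/keychain-pass` and `chmod 600` applied to it. Because the keychain is locked again at the end, each signing run is a short window rather than a permanently unlocked login keychain on a host that accepts remote logins.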