After successfully checking for updates and downloading the latest, the updater shows the error "New version 1.0.12 is not signed by the application owner: publisherNames: Cryptostamped LLC,".
The error is present in production only (when the app is installed via the .exe installer). No error in 'preview mode'.
The app is automatically signed using electron-builder; the pack script packages it and signs:
"pack": "yarn run build && yarn run rebuild && cross-env CSC_IDENTITY_AUTO_DISCOVERY=false electron-builder -c ./electron-builder.json --win"
I provided publisherName in my electron-builder.json config, and (just in case) wrote a "publish" section.
"win": {
  "publisherName": "Cryptostamped LLC",
  "certificatePassword": "5947",
  "certificateFile": "./sign/certificate.pfx",
  "icon": "build/icons/icon.ico",
  "target": [
    {
      "target": "nsis",
      "arch": ["x64"]
    }
  ]
},
"publish": [
  {
    "provider": "generic",
    "url": "https://diana.crp.st/auto_updates/dev/",
    "publishAutoUpdate": true
  }
],
Each version is signed with the same certificate, certificate.pfx. The certificate is self-signed via openssl, where key.pem and cert.pem are generated with this command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "//C=RU\L=Moscow\ST=Moscow\O=Cryptostamped\OU=Cryptostamped Moscow\[email protected]\CN=Cryptostamped LLC"
and the certificate file itself is generated with:
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem
But anyway, the updater shows the error. Besides, the update process works fine when in "preview" mode (npm script named preview):
"preview": "yarn build && cross-env NODE_ENV=production electron ./app/",
In the installer properties, I see correct (I think) digital signing: Here are details:
Full error log here:
Error: New version 1.0.12 is not signed by the application owner: publisherNames: Cryptostamped LLC, raw info: {
  "SignerCertificate": {
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1668700809000)/",
    "NotBefore": "/Date(1637164809000)/",
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "234EE4A08FDCD1DBD8FBD434413D1B7D26FBE1B0",
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "1E7D49946DFF1C1B1430400178BBA5232F9B401B",
    "Version": 3,
    "Issuer": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU",
    "Subject": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU"
  },
  "TimeStamperCertificate": {
    "Archived": false,
    "Extensions": [
      "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
      "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension"
    ],
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1925424000000)/",
    "NotBefore": "/Date(1609459200000)/",
    "HasPrivateKey": false,
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "0D424AE0BE3A88FF604021CE1400F0DD",
    "SubjectName": {
      "Name": "CN=DigiCert Timestamp 2021, O=\"DigiCert, Inc.\", C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3",
    "Version": 3,
    "Handle": 2005593979568,
    "Issuer": "CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "Subject": "CN=DigiCert Timestamp 2021, O=\"DigiCert, Inc.\", C=US"
  },
  "Status": 1,
  "StatusMessage": "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
}
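The raw info in the error above is enough to tell which check rejected the update. The following is an added example, not code from the post or from electron-updater: it assumes that only Status 0 (Valid) counts as an accepted signature before the signer's CN is compared with publisherName, and `parseDn`, `triageSignature` and `SAMPLE_RAW_INFO` are hypothetical names, with the sample trimmed from the log above.

```javascript
// PowerShell SignatureStatus enum names, indexed by their numeric value.
const SIGNATURE_STATUS = ["Valid", "UnknownError", "NotSigned", "HashMismatch",
  "NotTrusted", "NotSupportedFileFormat", "Incompatible"];

// Constructed sample: the fields of the "raw info" log above that matter here.
const DN = "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, " +
  "O=Cryptostamped, S=Moscow, L=Moscow, C=RU";
const SAMPLE_RAW_INFO = {
  SignerCertificate: { Issuer: DN, Subject: DN },
  Status: 1,
  StatusMessage: "A certificate chain processed, but terminated in a root " +
    "certificate which is not trusted by the trust provider",
};

// Split a distinguished name into a Map. Quoted values such as
// O="DigiCert, Inc." stay whole; fragments without key=value are skipped.
function parseDn(dn) {
  const fields = new Map();
  for (const part of dn.match(/(?:[^,"]|"[^"]*")+/g) || []) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const value = part.slice(eq + 1).trim().replace(/^"|"$/g, "");
    fields.set(part.slice(0, eq).trim(), value);
  }
  return fields;
}

// Hypothetical helper: report each check separately so the failing one is
// obvious. Assumption: only Status 0 (Valid) counts as an accepted signature.
function triageSignature(rawInfo, publisherNames) {
  const cert = rawInfo.SignerCertificate;
  const status = SIGNATURE_STATUS[rawInfo.Status] || `Unknown(${rawInfo.Status})`;
  if (!cert) return { status, cause: "file carries no signer certificate" };
  const result = {
    status,
    statusValid: rawInfo.Status === 0,
    selfSigned: cert.Issuer === cert.Subject,
    publisherMatches: publisherNames.includes(parseDn(cert.Subject).get("CN")),
  };
  if (!result.statusValid) {
    const prefix = result.selfSigned ? "self-signed certificate, " : "";
    result.cause = `${prefix}status ${status}: ${rawInfo.StatusMessage}`;
  } else {
    result.cause = result.publisherMatches
      ? "signature accepted" : "signer CN does not match publisherName";
  }
  return result;
}
console.log(triageSignature(SAMPLE_RAW_INFO, ["Cryptostamped LLC"]));
```

For the log above it reports a matching publisher name and a self-signed certificate with status UnknownError, so the rejection comes from Windows not trusting the certificate chain rather than from the publisherName setting.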
Adding "verifyUpdateCodeSignature": false to my electron-builder config file solves the problem and everything works fine, as it skips the verification:
"win": {
  "target": "nsis",
  "publisherName": "OneScreen LearningHub",
  "verifyUpdateCodeSignature": false
},