
electron-updater error in production New version is not signed by the application owner


After successfully checking for updates and downloading the latest, the updater shows the error New version 1.0.12 is not signed by the application owner: publisherNames: Cryptostamped LLC,.

The error is present in production only (when the app is installed via .exe installer). No error in 'preview mode'.

The app is automatically signed using electron-builder, the pack script packages it and signs:

"pack": "yarn run build && yarn run rebuild && cross-env CSC_IDENTITY_AUTO_DISCOVERY=false electron-builder -c ./electron-builder.json --win"

I provided publisherName in my electron-builder.json config and (just in case) wrote a "publish" section.

"win": {
    "publisherName": "Cryptostamped LLC",
    "certificatePassword": "5947",
    "certificateFile": "./sign/certificate.pfx",
    "icon": "build/icons/icon.ico",
    "target": [
      {
        "target": "nsis",
        "arch": ["x64"]
      }
    ]
  },

  "publish": [
    {
      "provider": "generic",
      "url": "https://diana.crp.st/auto_updates/dev/",
      "publishAutoUpdate" : true
    }
  ],

Each version is signed with the same certificate, certificate.pfx. The certificate is self-signed via openssl, where key.pem and cert.pem are generated with this command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj "//C=RU\L=Moscow\ST=Moscow\O=Cryptostamped\OU=Cryptostamped Moscow\[email protected]\CN=Cryptostamped LLC"

and the certificate file itself is generated with:

 openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem

But anyway, the updater shows the error. Besides, the update process works fine when in "preview" mode (npm script named preview):

"preview": "yarn build && cross-env NODE_ENV=production electron ./app/",

In the installer properties, I see correct (I think) digital signing: [image: signing table]

Here are details: [image: details of 1st certificate]

Full error log here:

    Error: New version 1.0.12 is not signed by the application owner: publisherNames: Cryptostamped LLC, raw info: {
  "SignerCertificate": {
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1668700809000)/",
    "NotBefore": "/Date(1637164809000)/",
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "234EE4A08FDCD1DBD8FBD434413D1B7D26FBE1B0",
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "1E7D49946DFF1C1B1430400178BBA5232F9B401B",
    "Version": 3,
    "Issuer": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU",
    "Subject": "CN=Cryptostamped LLC, [email protected], OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU"
  },
  "TimeStamperCertificate": {
    "Archived": false,
    "Extensions": [
      "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
      "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension"
    ],
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1925424000000)/",
    "NotBefore": "/Date(1609459200000)/",
    "HasPrivateKey": false,
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "0D424AE0BE3A88FF604021CE1400F0DD",
    "SubjectName": {
      "Name": "CN=DigiCert Timestamp 2021, O=\"DigiCert, Inc.\", C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3",
    "Version": 3,
    "Handle": 2005593979568,
    "Issuer": "CN=DigiCert SHA2 Assured ID Timestamping CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "Subject": "CN=DigiCert Timestamp 2021, O=\"DigiCert, Inc.\", C=US"
  },
  "Status": 1,
  "StatusMessage": "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
}

Solution

  • Adding "verifyUpdateCodeSignature": false to my electron-builder config file will solve the problem, and everything works fine, as it skips the verification.

    "win": {
       "target": "nsis",
       "publisherName": "OneScreen LearningHub",
       "verifyUpdateCodeSignature": false 
     },
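
Why the updater rejects this installer even though the publisher name matches, as an added example (not code from the post or from electron-updater): it reads the "raw info" object from the error and lists the checks that fail. It assumes the updater accepts a file only when Status is 0 (Valid in PowerShell's SignatureStatus enum) and the signer's subject CN equals a configured publisherName; parseDn, diagnoseSignature and the trimmed sample object are constructed for illustration.

```javascript
// Added example: list the reasons a "raw info" signature report is rejected.
// Assumption: acceptance requires Status === 0 (Valid) and subject CN === publisherName.

// Parse 'CN=a, O="b, c", C=US' into a Map, keeping commas inside quoted values.
function parseDn(dn) {
  const fields = new Map();
  const re = /\s*([A-Za-z0-9.]+)=("(?:[^"\\]|\\.)*"|[^,]*)(?:,|$)/g;
  let m;
  while ((m = re.exec(dn)) !== null) {
    fields.set(m[1].toUpperCase(), m[2].replace(/^"|"$/g, "").trim());
  }
  return fields;
}

// Returns an array of human-readable failures; an empty array means "accepted".
function diagnoseSignature(rawInfo, publisherNames) {
  const cert = rawInfo.SignerCertificate;
  if (!cert) return ["file carries no signer certificate"];
  const reasons = [];
  if (rawInfo.Status !== 0) {
    reasons.push(`Status ${rawInfo.Status} is not Valid (0): ${rawInfo.StatusMessage}`);
    // A self-signed certificate chains only to itself, so it validates
    // only on machines where it is installed as a trusted root.
    if (cert.Issuer === cert.Subject) {
      reasons.push("certificate is self-signed and not trusted on this machine");
    }
  }
  const cn = parseDn(cert.Subject).get("CN");
  if (!publisherNames.includes(cn)) {
    reasons.push(`subject CN "${cn}" matches none of: ${publisherNames.join(" | ")}`);
  }
  return reasons;
}

// Constructed sample: the log above, trimmed to the fields the check reads.
const dn = "CN=Cryptostamped LLC, OU=Cryptostamped Moscow, O=Cryptostamped, S=Moscow, L=Moscow, C=RU";
const sample = {
  SignerCertificate: { Issuer: dn, Subject: dn },
  Status: 1,
  StatusMessage: "A certificate chain processed, but terminated in a root " +
    "certificate which is not trusted by the trust provider",
};

console.log(diagnoseSignature(sample, ["Cryptostamped LLC"]));
```

For the log on this page it reports the untrusted self-signed chain and no name mismatch, so the publisher name in the config is not the cause. Setting "verifyUpdateCodeSignature": false removes this check rather than making the signature valid.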