
Unable to update with updater due to `UnexpectedKeyId`

Open don41382 opened this issue 1 year ago • 5 comments

I spent a whole day trying to figure out what is going on. And finally, I hope, I found the issue.

I was trying to update my app on Mac, which always returned an "UnexpectedKeyId". This sounded to me like a wrong signature. I thought I had used the wrong TAURI_SIGNING_PRIVATE_KEY or TAURI_SIGNING_PRIVATE_KEY_PASSWORD. But everything seems to be correct. The tauri.conf.json is configured to my GitHub project https://github.com/<user>/<app>/releases/latest/download/latest.json.

After checking my Windows updates, there seemed to be no issue at all. So it can't be the keys. I started my own local server, created a latest.json and used the my_app_universal.app.tar.gz.sig as my signature and it worked on mac too.

So it looks like the signature of the darwin-aarch64 inside of the latest.json is not matching with the my_app_universal.app.tar.gz.sig. They are different.

Am I configuring something wrong or is this a bug?

I am using

  • tauri-apps/tauri-action@v0
  • tauri-plugin-updater = "2.0.2"
  • tauri 2.0.6

don41382 avatar Nov 07 '24 16:11 don41382

can you share your tauri-action config? And maybe also the list of uploaded assets 🤔

Were you able to find the matching .sig file (that was used in latest.json)?

FabianLars avatar Nov 08 '24 17:11 FabianLars

Hi Fabian, of course. Here it is:

      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.MINUTE_MOTION_RELEASE_REPO_GITHUB_SECRET }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_DEVELOPMENT }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: "Apple Development: XXXX"
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        with:
          tagName: app-v__VERSION__ # the action automatically replaces __VERSION__ with the app version.
          releaseName: "__VERSION__"
          releaseBody: "See the assets to download this version and install."
          releaseDraft: true
          prerelease: false
          updaterJsonKeepUniversal: true
          releaseCommitish: "main"
          owner: "user"
          repo: "repo-releases"
          args: ${{ matrix.args }} 

> Were you able to find the matching .sig file (that was used in latest.json)?

Yes, I built my own backend, which delivers the latest.json and does the correct wiring for the signatures. I needed this anyway to be able to identify beta users.

don41382 avatar Nov 18 '24 08:11 don41382

updaterJsonKeepUniversal is a bit suspicious here, if this is set then darwin-aarch64 and darwin-x86_64 will not be updated with the universal build anymore. If latest.json still contains those 2 fields they should be from a prior run when that config was not yet set.

FabianLars avatar Nov 18 '24 11:11 FabianLars

Okay no, something is broken. If I first run the CI without the config, then re-run it with the config (targeting the same release), something breaks. If I run it with the config without an existing release to overwrite, the JSON is correct (though still writing all 3 fields, not sure if that's how I intended it back then)

FabianLars avatar Nov 18 '24 12:11 FabianLars

Thanks Fabian for checking in!

don41382 avatar Nov 18 '24 13:11 don41382
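A release check for the mismatch discussed in this thread, added here as an example (not code from the thread or from tauri-action): it compares each platform signature in latest.json with the .sig asset that should back it, and uses the embedded key ID to separate a signature made with another key from a stale one made with the same key. It assumes the signature string is base64 of a minisign signature file (second line: 2-byte algorithm, 8-byte key ID, 64-byte signature); `check_manifest`, `minisign_key_id` and all sample values are constructed for illustration.

```python
import base64
import json

def minisign_key_id(sig_b64: str) -> str:
    """Hex key ID (raw byte order) embedded in an updater signature string.
    Assumed layout: base64(minisign file); line 2 = base64(alg[2] || key_id[8] || sig[64])."""
    text = base64.b64decode(sig_b64).decode("utf-8")
    blob = base64.b64decode(text.splitlines()[1])
    if len(blob) != 74:
        raise ValueError(f"unexpected signature blob length: {len(blob)}")
    return blob[2:10].hex()

def check_manifest(latest_json: str, sig_assets: dict) -> list:
    """Return (platform, finding) for every entry whose signature differs
    from the .sig asset mapped to that platform."""
    findings = []
    for name, entry in json.loads(latest_json)["platforms"].items():
        expected = sig_assets.get(name)
        if expected is None:
            findings.append((name, "no .sig asset mapped"))
        elif entry["signature"].strip() != expected.strip():
            same_key = minisign_key_id(entry["signature"]) == minisign_key_id(expected)
            findings.append((name, "stale signature, same key" if same_key
                             else "signed with a different key"))
    return findings

def make_sample_sig(key_id: bytes, fill: int) -> str:
    """Constructed input with the assumed layout; not a valid signature."""
    blob = b"Ed" + key_id + bytes([fill]) * 64
    text = "untrusted comment: constructed sample\n" + base64.b64encode(blob).decode() + "\n"
    return base64.b64encode(text.encode()).decode()

KEY_A, KEY_B = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
UNIVERSAL_SIG = make_sample_sig(KEY_A, 0x11)   # stands in for my_app_universal.app.tar.gz.sig
WINDOWS_SIG = make_sample_sig(KEY_A, 0x44)
SAMPLE_LATEST = json.dumps({"version": "1.0.0", "platforms": {
    "darwin-aarch64": {"signature": make_sample_sig(KEY_A, 0x22), "url": "https://example.invalid/a"},
    "darwin-x86_64": {"signature": make_sample_sig(KEY_B, 0x33), "url": "https://example.invalid/b"},
    "windows-x86_64": {"signature": WINDOWS_SIG, "url": "https://example.invalid/c"},
}})
SAMPLE_ASSETS = {"darwin-aarch64": UNIVERSAL_SIG, "darwin-x86_64": UNIVERSAL_SIG,
                 "windows-x86_64": WINDOWS_SIG}

if __name__ == "__main__":
    for platform, finding in check_manifest(SAMPLE_LATEST, SAMPLE_ASSETS):
        print(f"{platform}: {finding}")
```

Run against a draft release before publishing, with `sig_assets` filled from the uploaded .sig files, it flags entries left over from an earlier run.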