[bug] Verify signature error: UnexpectedKeyId

[ankitvermaAT]

Describe the bug

I am following below steps

1. run : npm run tauri signer generate

2. Got public and private keys

3. Put public key in tauri.config.json (pubkey) node

4. Put private key in system environment variable using cmd: set TAURI_PRIVATE_KEY=<private_key>

5. cmd : npm run tauri build

Got updated build (myapp_1.0.2_x64_en-US.msi.zip) and .mis.zip.sig files

6. Upload .mis.zip on server and update signature value in server json which is inside (.mis.zip.sig)

Because I have my old version build i.e. 1.0.1 run this app and got that error (Verify signature error: UnexpectedKeyId)

Now please suggest where I had done mistake in the process..

Reproduction

I had used below packages:

"dependencies": { "@tauri-apps/api": "^1.5.2", "axios": "^1.6.7", "react": "^18.2.0", "react-dom": "^18.2.0", "react-router-dom": "^6.22.1" }, "devDependencies": { "@tauri-apps/cli": "^1.5.8", "@types/react": "^18.2.15", "@types/react-dom": "^18.2.7", "@vitejs/plugin-react": "^4.2.1", "typescript": "^5.0.2", "vite": "^5.0.0" }

Expected behavior

update should be work

Full tauri info output

[-] Environment
    - OS: Windows 10.0.22621 X64
    ✔ WebView2: 126.0.2592.102   
    ✔ rustc: 1.75.0 (82e1608df 2023-12-21)
    ✔ cargo: 1.75.0 (1d8b05cdd 2023-11-20)
    ✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
    ✔ Rust toolchain: stable-x86_64-pc-windows-msvc (default)
    - node: 18.19.0
    - npm: 9.7.2

[-] Packages
    - tauri [RUST]: 1.6.8
    - tauri-build [RUST]: 1.5.2
    - wry [RUST]: 0.24.10
    - tao [RUST]: 0.16.9
    - tauri-cli [RUST]: 1.6.0
    - @tauri-apps/api [NPM]: 1.5.3 (outdated, latest: 1.6.0)
    - @tauri-apps/cli [NPM]: 1.5.10 (outdated, latest: 1.6.0)

[-] App
    - build-type: bundle
    - CSP: unset
    - distDir: ../dist
    - devPath: http://localhost:1420/
    - framework: React
    - bundler: Vite

Stack trace

No response

Additional context

No response

[tance77]

Any updates on this I have this same issue.

[anderoavv]

You probably have one of these wrong: Private key, Public key, Updater signature or password (old version vs current version of application), make sure you set the env variables at one place, I've came across this error multiple times, but I can not get InvalidSignature error out of my way.

[ankitvermaAT]

Thank you all for your responses....

I found the solution—it turns out I made a mistake. I forgot to save the original public and private keys that were generated during the initial build. As a result, when I created new keys, the old application and updated code didn’t match. My advice is to always keep the first set of keys generated, as emphasized in the Tauri documentation.

[techerqz]

I also had an unexpected key issue on Windows. Here is the description and how I could solve this :

I made a first application on my desktop. Then I made a new one. My computer has multiple users, and the user I use for programming has no admin rights. So I have to add / modify the TAURI_SIGNING_PRIVATE_KEY in admin AND in lower-privileges user mode to make it work. The unexpected key was linked to the fact that I changed the TAURI_SIGNING_PRIVATE_KEY in the path (via admin) but not in the user variable (powershell). The difference between the two generated the error. So I updated the TAURI_SIGNING_PRIVATE_KEY variable via the PATH with admin and via powershell with my user; and it was solved.

I guess the easiest way would be to have a single TAURI_SIGNING_PRIVATE_KEY for every application, but I didn't try and I have no idea of whether this would work or not. And I do not find the answer in the documentation