You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It seems that 2.27.0 has an invalid sha512 checksum for Caprine-2.27.0-mac.zip (but the one for Caprine-2.27.0.dmg is ok)
In latest-mac.yml the sha is: EGplD4inq6mJuJdDYEgSr9W69L2Pio8pGIVEg6ms2dQrw3AH9gMJ/xEGwQnJ0uSqrcautmHZvM/1BBTy+Yad7A==
while the actual checksum is: q24VNJ8XlfAY7yU7YXT/aZ7SX9OTRcq4y4MUE9bQFNWvZs14tIAwK0B6egvKdOgkXL+diHt7D/miAPUzJpOXUg==
The reason will be displayed to describe this comment to others. Learn more.
@sindresorhus I'm still investigating this issue. When I get enough info I'll either submit a PR or open a new issue in electron-builder. 🙂
Btw. the checksum on the latest Caprine build (2.27.1) is correct. When I did npm run dist (with both 2.27.0 and 2.27.1) the checksums were correct too. 🤔
Anyway, here's another issue. This time on Windows (2.26.0 to 2.27.1):
Sign verification failed, installer signed with incorrect certificate: publisherNames: Developer ID Application: Sindre Sorhus (YG56YK5RN5)
[error] Error: Error: New version 2.27.1 is not signed by the application owner: publisherNames: Developer ID Application: Sindre Sorhus (YG56YK5RN5)
The reason will be displayed to describe this comment to others. Learn more.
Turns out they are signed. 😅
Both Mac and Windows builds are signed using your Apple dev cert (“Developer ID Application: Sindre Sorhus (YG56YK5RN5)”) which is signed by Apple’s “Developer ID Certification Authority”.
$ codesign -dvvvv Caprine-2.27.0.dmg 2>&1| grep Authority=
Authority=Developer ID Application: Sindre Sorhus (YG56YK5RN5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
On Windows, there’s most likely no “Developer ID Certification Authority” certificate installed by default, hence the failure.
Windows build is signed if either WIN_CSC_LINK or CSC_LINK env var is set. CSC_LINK is set on CI. Travis CI logs show that electron-build is signing: dist/mac/Caprine.app, dist/win-unpacked/Caprine.exe, dist/win-unpacked/resources/elevate.exe, dist/.__uninstaller-nsis-caprine.exe, dist/Caprine Setup 2.27.1.exe
Alright, onto possible fixes (speculative fixes 😉):
Export the “Developer ID Certification Authority” cert together with the “Developer ID Application” cert to make sure the chain of trust is complete on Windows. I have no idea whether it would work, but if it did it would be the best scenario, being able to have Windows binaries signed.
Or: Disable code signing on Windows. It may be possible by adding a sign key to nsis build targetwin build option in package.json with a value that’s a path to a module which would export a no-op function. At least that’s what I gather from reading the electron-builder code…
The reason will be displayed to describe this comment to others. Learn more.
@CvX do you get any benefits (other than showing a publisher in SmartScreen) from signing the NSIS installer with the Apple certificate or is this more a bug that electron-builder picks up the Apple certificate when building the Windows installer using macOS?
The reason will be displayed to describe this comment to others. Learn more.
@lutzroeder I don't know any additional pros of signing on Windows. 😃 So yes, I'd say it's at the very least an unexpected feature (if not a bug 😉) of electron-builder.
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the Homebrew cask was not updated
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not maintaining that cask. Doesn't matter though, as even if you install an old version through Homebrew, Caprine will auto-update.
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Huh, really? I'm stuck on 2.26.0
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I often had issues with the updater. I'm currently investigating what's up with that. 🙂
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does the updater work?
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Caprine's using https://www.electron.build/auto-update to download new releases from Github.
It seems that 2.27.0 has an invalid sha512 checksum for
Caprine-2.27.0-mac.zip(but the one forCaprine-2.27.0.dmgis ok)In
latest-mac.ymlthe sha is:EGplD4inq6mJuJdDYEgSr9W69L2Pio8pGIVEg6ms2dQrw3AH9gMJ/xEGwQnJ0uSqrcautmHZvM/1BBTy+Yad7A==while the actual checksum is:
q24VNJ8XlfAY7yU7YXT/aZ7SX9OTRcq4y4MUE9bQFNWvZs14tIAwK0B6egvKdOgkXL+diHt7D/miAPUzJpOXUg==cc: @sindresorhus
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CvX Can you open an issue on https://github.com/electron-userland/electron-builder ?
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sindresorhus I'm still investigating this issue. When I get enough info I'll either submit a PR or open a new issue in electron-builder. 🙂
Btw. the checksum on the latest Caprine build (2.27.1) is correct. When I did
npm run dist(with both 2.27.0 and 2.27.1) the checksums were correct too. 🤔Anyway, here's another issue. This time on Windows (2.26.0 to 2.27.1):
The full log is here: https://gist.github.com/CvX/9af41b1cbbb5f8bb9215f4d288680d1d
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think Windows builds were ever signed. (?)
00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Turns out they are signed. 😅
Both Mac and Windows builds are signed using your Apple dev cert (“Developer ID Application: Sindre Sorhus (YG56YK5RN5)”) which is signed by Apple’s “Developer ID Certification Authority”.
Certificate validation on Windows fails because of “A certificate chain could not be built to a trusted root authority”.
On macOS the chain of trust is unbroken:
On Windows, there’s most likely no “Developer ID Certification Authority” certificate installed by default, hence the failure.
Windows build is signed if either
WIN_CSC_LINKorCSC_LINKenv var is set.CSC_LINKis set on CI.Travis CI logs show that electron-build is signing: dist/mac/Caprine.app, dist/win-unpacked/Caprine.exe, dist/win-unpacked/resources/elevate.exe, dist/.__uninstaller-nsis-caprine.exe, dist/Caprine Setup 2.27.1.exe
Alright, onto possible fixes (speculative fixes 😉):
WIN_CSC_LINKandWIN_CSC_KEY_PASSWORDon CIsignkey tonsisbuild targetwinbuild option in package.json with a value that’s a path to a module which would export a no-op function. At least that’s what I gather from reading the electron-builder code…00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@CvX do you get any benefits (other than showing a publisher in SmartScreen) from signing the NSIS installer with the Apple certificate or is this more a bug that
electron-builderpicks up the Apple certificate when building the Windows installer using macOS?00746cfThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lutzroeder I don't know any additional pros of signing on Windows. 😃 So yes, I'd say it's at the very least an unexpected feature (if not a bug 😉) of electron-builder.