[bug] tauri V2 updater InvalidSignature

[heiyehk]

Describe the bug

When I use the updater function, it has triggered the check. Then I use update.downloadAndInstall and the download completes, but the error Uncaught (in promise) InvalidSignature is returned. I first used the release address of github, and then I used a separate https domain name to test, but the same error was reported.

Reproduction

No response

Expected behavior

No response

Full tauri info output

[✔] Environment
    - OS: Windows 10.0.22631 X64
    ✔ WebView2: 123.0.2420.97
    ✔ MSVC: Visual Studio Enterprise 2022
    ✔ rustc: 1.76.0 (07dca489a 2024-02-04)
    ✔ cargo: 1.76.0 (c84b36747 2024-01-18)
    ✔ rustup: 1.27.0 (bbb9276d2 2024-03-08)
    ✔ Rust toolchain: stable-x86_64-pc-windows-msvc (default)
    - node: 20.9.0
    - pnpm: 8.15.4
    - yarn: 1.22.22
    - npm: 10.1.0

[-] Packages
    - tauri [RUST]: 2.0.0-beta.16
    - tauri-build [RUST]: 2.0.0-beta.13
    - wry [RUST]: 0.39.2
    - tao [RUST]: 0.27.1
    - @tauri-apps/api [NPM]: 2.0.0-beta.6
    - @tauri-apps/cli [NPM]: 2.0.0-beta.10

[-] App
    - build-type: bundle
    - CSP: default-src 'self' customprotocol: asset:; style-src 'unsafe-inline' 'self' 'nonce-10500982406343687894' 'nonce-9786197052427597798'; connect-src ipc: http://ipc.localhost ws:; script-src 'self' 'unsafe-eval' 'sha256-f2aYrerT20WDJlPe3kdN3JfQlyKoRxP33xkWfDbeO9I=' 'sha256-GFebPxKzs1UkFRCbyMaykyYD7rGVWnt1zk1m6r+ZTWQ=' 'sha256-iUqSk0LHeoYfdwsQNbveDMYkU7Tq/OmyauSlE3snBuc='; font-src https://fonts.gstatic.com http://tauri.localhost; img-src 'self' blob: data: http: https: asset: http://asset.localhost
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: Vue.js
    - bundler: Vite

Stack trace

No response

Additional context

No response

[FabianLars]

Can you double check whether the private key you used to sign the updater bundle (that generated the .sig file) belongs to the pubkey defined in tauri.conf.json? And also check whether the "signature" field in the server json is the full content of the .sig file that belongs to the updater bundle your server hosts (the .sig file changes every time you re-build your app!)

[heiyehk]

Can you double check whether the private key you used to sign the updater bundle (that generated the .sig file) belongs to the pubkey defined in tauri.conf.json? And also check whether the "signature" field in the server json is the full content of the .sig file that belongs to the updater bundle your server hosts (the .sig file changes every time you re-build your app!)

I found this problem, I configured it in tauri.config.json

        "wix": {
          "language": [
            "zh-CN",
            "en-US"
          ]
        }

Then the signature of the generated latest.json is zh-CN, but the updated package is en-US. And there is only one language update package in latest.json, and signature does not correspond to it. How should I deal with this?

[ankitvermaAT]

I am following below steps

1. run : npm run tauri signer generate

2. Got public and private keys

3. Put public key in tauri.config.json (pubkey) node

4. Put private key in system environment variable using cmd: set TAURI_PRIVATE_KEY=

5. cmd : npm run tauri build

Got updated build (myapp_1.0.2_x64_en-US.msi.zip) and .mis.zip.sig files

6. Upload .mis.zip on server and update signature value in server json which is inside (.mis.zip.sig)

Because I have my old version build i.e. 1.0.1 run this app and got that error (Verify signature error: UnexpectedKeyId)

Now please suggest where I had done mistake in the process..

I had used below packages:

"dependencies": { "@tauri-apps/api": "^1.5.2", "axios": "^1.6.7", "react": "^18.2.0", "react-dom": "^18.2.0", "react-router-dom": "^6.22.1" }, "devDependencies": { "@tauri-apps/cli": "^1.5.8", "@types/react": "^18.2.15", "@types/react-dom": "^18.2.7", "@vitejs/plugin-react": "^4.2.1", "typescript": "^5.0.2", "vite": "^5.0.0" }

=================

tauri.config.json { "$schema": "../node_modules/@tauri-apps/cli/schema.json", "build": { "beforeDevCommand": "npm run dev", "beforeBuildCommand": "npm run build", "devPath": "http://localhost:1420", "distDir": "../dist" }, "package": { "productName": "myapp", "version": "1.0.2" }, "tauri": { "allowlist": { "all": false, "shell": { "all": false, "open": true } }, "windows": [ { "decorations": true, "maximized": true, "closable": true, "minimizable": true, "maximizable": true, "resizable": true, "fullscreen": false, "minWidth": 800, "minHeight": 600, "visible": false, "title": "myapp" }, { "maximized": true, "closable": true, "minimizable": true, "maximizable": true, "resizable": true, "fullscreen": false, "minWidth": 800, "minHeight": 600, "decorations": true, "title": "myapp", "url": "splashscreen.html", "label": "splashscreen" } ], "security": { "csp": null }, "bundle": { "active": true, "targets": "all", "identifier": "my-app", "publisher": "my app", "shortDescription": "my app", "category": "cricket", "copyright": "Copyright © 2024 myapp", "icon": [ "icons/32x32.png", "icons/128x128.png", "icons/128x128@2x.png", "icons/icon.ico" ], "windows": { "webviewInstallMode": { "type": "offlineInstaller" }, "certificateThumbprint": "bc2404889120b9f130ff5iouubbaad69b8c5aa46", "digestAlgorithm": "sha256", "timestampUrl": "http://timestamp.digicert.com", "tsp": false } }, "updater": { "active": true, "endpoints": [ "https://domain/windows/x86_64/1.0.1" ], "dialog": true, "pubkey": "dW50cnVzdGVkomlkio1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDY4OTQ4NzY5MzNBQjNCMjYKUldRbU82c3phWWVVYUY5SmFFZ21CaTk4T1lGMHA1dlVZUXlWZmFSUkpQclJQUVRNSzY3dTROUDcK", "windows": { "installMode": "passive" } } } }