Updater: New version is not signed by the application owner

  • Version: 20.38.5
  • Target: Windows (nsis)

I updated electron-builder from 20.28.4 to 20.38.5. The first update went fine for all users, but if I release a new version now, I get these errors:

Sign verification failed, installer signed with incorrect certificate
[2019-02-05 19:07:57.073] [warn] Sign verification failed, installer signed with incorrect certificate: publisherNames: COMODO RSA Code Signing CA, raw info: {
 "SignerCertificate": {
   "FriendlyName": "",
   "IssuerName": {
     "Name": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "NotAfter": "/Date(1589587199000)/",
   "NotBefore": "/Date(1494892800000)/",
   "PrivateKey": null,
   "PublicKey": {
     "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
     "Oid": "System.Security.Cryptography.Oid",
     "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
     "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
   },
   "SerialNumber": "71548E6A1CA4A5D7D7412CD62DBF651B",
   "SignatureAlgorithm": {
     "Value": "1.2.840.113549.1.1.11",
     "FriendlyName": "sha256RSA"
   },
   "Thumbprint": "A24FD3FC559208E8D0CC40CB5E6F9461071D045A",
   "Version": 3,
   "Issuer": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
   "Subject": "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, POBox=13125, STREET=Pfannschmidtstr. 31, L=Berlin, S=Berlin, PostalCode=13125, C=DE"
 },
 "TimeStamperCertificate": {
   "Archived": false,
   "Extensions": [
     "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
     "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
     "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
     "System.Security.Cryptography.X509Certificates.X509Extension"
   ],
   "FriendlyName": "",
   "IssuerName": {
     "Name": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "NotAfter": "/Date(1609286399000)/",
   "NotBefore": "/Date(1350518400000)/",
   "HasPrivateKey": false,
   "PrivateKey": null,
   "PublicKey": {
     "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
     "Oid": "System.Security.Cryptography.Oid",
     "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
     "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
   },
   "SerialNumber": "0ECFF438C8FEBF356E04D86A981B1A50",
   "SubjectName": {
     "Name": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "SignatureAlgorithm": {
     "Value": "1.2.840.113549.1.1.5",
     "FriendlyName": "sha1RSA"
   },
   "Thumbprint": "65439929B67973EB192D6FF243E6767ADF0834E4",
   "Version": 3,
   "Handle": 1759233762864,
   "Issuer": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
   "Subject": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US"
 },
 "Status": 0,
 "StatusMessage": "Signature verified."
}
Error: Error: New version 2.0.0-beta7 is not signed by the application owner
[2019-02-05 19:07:57.088] [error] Error: Error: New version 2.0.0-beta7 is not signed by the application owner: publisherNames: COMODO RSA Code Signing CA, raw info: {
  "SignerCertificate": {
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1589587199000)/",
    "NotBefore": "/Date(1494892800000)/",
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "71548E6A1CA4A5D7D7412CD62DBF651B",
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "A24FD3FC559208E8D0CC40CB5E6F9461071D045A",
    "Version": 3,
    "Issuer": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
    "Subject": "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, POBox=13125, STREET=Pfannschmidtstr. 31, L=Berlin, S=Berlin, PostalCode=13125, C=DE"
  },
  "TimeStamperCertificate": {
    "Archived": false,
    "Extensions": [
      "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
      "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension"
    ],
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1609286399000)/",
    "NotBefore": "/Date(1350518400000)/",
    "HasPrivateKey": false,
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "0ECFF438C8FEBF356E04D86A981B1A50",
    "SubjectName": {
      "Name": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.5",
      "FriendlyName": "sha1RSA"
    },
    "Thumbprint": "65439929B67973EB192D6FF243E6767ADF0834E4",
    "Version": 3,
    "Handle": 1759233762864,
    "Issuer": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
    "Subject": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US"
  },
  "Status": 0,
  "StatusMessage": "Signature verified."
}

You can find the previous version here: 2.0.0-beta6. It will try to update to 2.0.0-beta7 and will fail.

Thanks for your great work!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

11 reactions
hpop commented, Feb 13, 2019

After some investigation, I think I may have found the problem.

As far as I see it, the signature verification works by checking the publisher name against the subject name in the certificate. The publisher name is either given in the configuration (win.publisherName) or is set while building from the given certificate.

Because I did not set the publisherName in the config, it was set during packaging. The problem is: It is set to the issuer name and not the subject name of the certificate. This leads to a failed verification while updating.

My fix was setting the publisherName in config:

"win": {
  "publisherName": ["Helmut Poppen"],
  "target": ["nsis"]
},

My problem is now: How do I get old versions to update? Is there any way to disable certificate validation remotely? Any ideas?
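
The check described in the comment above, as an added example (not part of the original thread and not electron-updater's own code): it takes the Subject and Issuer strings from the log in the issue and shows why a publisherName equal to the issuer CN is rejected. The function names `parseDn` and `checkPublisher` are hypothetical.

```javascript
// Added illustration; not electron-updater's code. The field names (Status,
// SignerCertificate.Subject / Issuer) are the ones that appear in the log.

// Split a Windows-style distinguished name into attributes, honouring
// double-quoted values that may themselves contain commas.
function parseDn(dn) {
  const attrs = new Map();
  const re = /\s*([A-Za-z0-9.]+)\s*=\s*(?:"((?:[^"]|"")*)"|([^,]*))\s*(?:,|$)/y;
  let m;
  while (re.lastIndex < dn.length && (m = re.exec(dn)) !== null) {
    const value = m[2] !== undefined ? m[2].replace(/""/g, '"') : m[3].trim();
    if (!attrs.has(m[1])) attrs.set(m[1], value); // keep the first occurrence
  }
  return attrs;
}

// Decide whether a signed update would be accepted for the configured
// publisherNames, and explain a rejection.
function checkPublisher(sig, publisherNames) {
  if (sig.Status !== 0) return { ok: false, reason: "signature invalid" };
  const subjectCn = parseDn(sig.SignerCertificate.Subject).get("CN");
  if (publisherNames.includes(subjectCn)) {
    return { ok: true, reason: "subject CN matches" };
  }
  const issuerCn = parseDn(sig.SignerCertificate.Issuer).get("CN");
  const reason = publisherNames.includes(issuerCn)
    ? "publisherName holds the issuer CN; expected subject CN " + subjectCn
    : "publisherName matches neither subject nor issuer CN";
  return { ok: false, reason };
}

// Values copied from the log in the issue.
const sig = {
  Status: 0,
  SignerCertificate: {
    Issuer: "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
    Subject: "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, POBox=13125, STREET=Pfannschmidtstr. 31, L=Berlin, S=Berlin, PostalCode=13125, C=DE",
  },
};

console.log(checkPublisher(sig, ["COMODO RSA Code Signing CA"])); // ok: false
console.log(checkPublisher(sig, ["Helmut Poppen"]));              // ok: true
```
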

5 reactions
JohannBlake commented, Apr 14, 2019

Regarding hpop’s fix about putting the publisherName in the package.json file: I found that this is a MUST. Even though the initial publication uses the certificate, any further updates will fail under Windows if this publisherName is not in the package.json file. I have seen other posts that have indicated that when they removed the publisherName that it fixed the problem. But this really doesn’t seem to be the case for the latest version of Electron and Electron Builder.

Either document this or fix the autoUpdater to properly handle it if the publisherName is missing.

On a somewhat related note: I also noticed that my updates would also fail if I deleted the release version that I posted in GitHub that was the same version installed. I was under the impression that all you needed was the newer release on GitHub. This is not so. You need to maintain ALL release versions on GitHub. Of course this is bad since you don’t want users to manually download outdated versions that could even have security issues. What I discovered is that although you cannot delete the older releases, you can delete the setup.exe or zip files that are in those releases. You must however keep the blockmap file. Personally I find the way this updater works rather bad. You shouldn’t have to maintain any information about older versions. A properly designed updater simply looks at the version installed and the latest version available and decides to update the installed version if the published version is newer. No need to maintain information on the older versions.
