After debugging why our app was not auto updating after getting a new code signing certificate I discovered the Subject's name that is then used as the Publisher-Name was not correct.
My certificate path is the following:
1. Sectigo (AAA)
2. USERTrust RSA Cert Authority - Comodo CA Limited
3. Sectigo RSA Code Signing CA - the USERTRUST Network
4. Nexus Dev LLC (That's us)
Digging through the app-builder code I discovered what was the issue.
When the certificate is read, it goes down the tree and gets the first cert that has ExtKeyUsageCodeSigning then returns that one. However, the 3rd cert, Sectigo RSA Code Signing, is marked with that usage and then gets returned. This caused a huge issue as now the auto update is using the 4th but since app-update.yml is using the 3rd, the update verification fails. The code that checks the update's certificate and the code that generates the app-update do not use the same method and a mismatch occurs.
I am not sure this is a solution that will work for everyone but does for me. Since the 3rd is a CA, I do a logic check for isCA.
```go
// Walk the chain and keep the first certificate that carries the Code Signing EKU,
// but skip CA certificates so an intermediate CA is never mistaken for the leaf.
var firstCert *x509.Certificate
certLoop:
	for _, cert := range certificates {
		for _, usage := range cert.ExtKeyUsage {
			if usage == x509.ExtKeyUsageCodeSigning {
				if !cert.IsCA {
					firstCert = cert
					break certLoop
				}
			}
		}
	}
```
I understand that manually setting publisher-name is better, and that has already been done, but I think some additional logic could be used to better verify the correct certificate is used considering how important code signing is.
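The mismatch described in this report can be reproduced with a constructed chain. The following is an added example, not app-builder's own code: it builds a root CA, an intermediate CA that advertises the Code Signing EKU, and a leaf, then compares a stand-in for the first-match selection loop (hypothetical `NaivePick`) with the `IsCA` check proposed above (`LeafPick`). All certificate names are constructed and do not correspond to the real Sectigo or USERTrust certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NaivePick is a hypothetical stand-in for the selection loop described in the
// issue: return the first certificate whose EKU list contains Code Signing.
func NaivePick(chain []*x509.Certificate) *x509.Certificate {
	for _, cert := range chain {
		for _, usage := range cert.ExtKeyUsage {
			if usage == x509.ExtKeyUsageCodeSigning {
				return cert
			}
		}
	}
	return nil
}

// LeafPick applies the proposed fix: skip CA certificates, so an intermediate
// CA that also advertises the Code Signing EKU cannot be taken for the leaf.
func LeafPick(chain []*x509.Certificate) *x509.Certificate {
	for _, cert := range chain {
		if cert.IsCA {
			continue
		}
		for _, usage := range cert.ExtKeyUsage {
			if usage == x509.ExtKeyUsageCodeSigning {
				return cert
			}
		}
	}
	return nil
}

// PublisherName mirrors how the Subject's CN ends up as the publisher-name.
func PublisherName(cert *x509.Certificate) string {
	if cert == nil {
		return ""
	}
	return cert.Subject.CommonName
}

var serial int64 // distinct serial per constructed certificate

// mkCert builds a constructed test certificate (self-signed when parent is nil).
func mkCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		ExtKeyUsage:           eku,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain returns root -> intermediate -> leaf in the order the issue describes:
// the intermediate CA also carries the Code Signing EKU (constructed names).
func BuildChain() []*x509.Certificate {
	root, rootKey := mkCert("Example Root CA (constructed)", true, nil, nil, nil)
	inter, interKey := mkCert("Example Code Signing CA (constructed)", true,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, root, rootKey)
	leaf, _ := mkCert("Example Dev LLC (constructed)", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, inter, interKey)
	return []*x509.Certificate{root, inter, leaf}
}

func main() {
	chain := BuildChain()
	fmt.Println("first-match pick:", PublisherName(NaivePick(chain)))
	fmt.Println("non-CA pick:     ", PublisherName(LeafPick(chain)))
}
```

Running it shows the first-match loop returning the intermediate CA's subject while the non-CA loop returns the leaf's; if publisher-name is generated by one method and verified by the other, the update check fails exactly as reported.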