Unable to to update with updater due to UnexpectedKeyId

[don41382]

I spend a whole day, trying to figure out, what is going on. And finally - I hope - I found the issue.

I was trying to update my app on Mac, which always returned a "UnexpectedKeyId". This sounded for me like a wrong signature. I thought, I used the wrong TAURI_SIGNING_PRIVATE_KEY or TAURI_SIGNING_PRIVATE_KEY_PASSWORD. But everything seem to be correct. The tauri.conf.json is configured to my github project https://github.com/<user>/<app>/releases/latest/download/latest.json.

After checking my Windows updates, there seemed to be no issue at all. So it can't be the keys. I started my own local server, created a latest.json and used the my_app_universal.app.tar.gz.sig as my signature and it worked on mac too.

So it looks like the signature of the darwin-aarch64 inside of the latest.json is not matching with the my_app_universal.app.tar.gz.sig. They are different.

Am I configuring something wrong or is this a bug?

I am using

• tauri-apps/tauri-action@v0
• tauri-plugin-updater = "2.0.2"
• tauri 2.0.6

[FabianLars]

can you share your tauri-action config? And maybe also the list of uploaded assets 🤔

Were you able to find the matching .sig file (that was used in latest.json)?

[don41382]

Hi Fabian, of course. Here it is:

      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.MINUTE_MOTION_RELEASE_REPO_GITHUB_SECRET }}
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_DEVELOPMENT }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: "Apple Development: XXXX"
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        with:
          tagName: app-v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version.
          releaseName: "__VERSION__"
          releaseBody: "See the assets to download this version and install."
          releaseDraft: true
          prerelease: false
          updaterJsonKeepUniversal: true
          releaseCommitish: "main"
          owner: "user"
          repo: "repo-releases"
          args: ${{ matrix.args }} 

Were you able to find the matching .sig file (that was used in latest.json)?

Yes, I build my own backend, which delivers the latest.json and does the correct wiring for the signatures. In needed this anyway to be able to identify beta users.

[FabianLars]

updaterJsonKeepUniversal is a bit suspicious here, if this is set then darwin-aarch64 and darwin-x86_64 will not be updated with the universal build anymore. If latest.json still contains those 2 fields they should be from a prior run when that config was not yet set.

[FabianLars]

okay no, something is broken. If i first run the ci without the config, then re-run it with the config (targeting the same release), something breaks. If i run it with the config without an existing release to overwrite the json is correct (though still writing all 3 fields, not sure if that's how i intended it back then)

[don41382]

Thanks Fabian for checking in!