
Updater: New version is not signed by the application owner #3667

Closed
hpop opened this issue Feb 5, 2019 · 7 comments
Comments


hpop commented Feb 5, 2019

  • Version: 20.38.5
  • Target: Windows (nsis)

I updated electron-builder from 20.28.4 to 20.38.5. The first update went fine for all users, but if I release a new version now, I get these errors:

Sign verification failed, installer signed with incorrect certificate
[2019-02-05 19:07:57.073] [warn] Sign verification failed, installer signed with incorrect certificate: publisherNames: COMODO RSA Code Signing CA, raw info: {
 "SignerCertificate": {
   "FriendlyName": "",
   "IssuerName": {
     "Name": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "NotAfter": "/Date(1589587199000)/",
   "NotBefore": "/Date(1494892800000)/",
   "PrivateKey": null,
   "PublicKey": {
     "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
     "Oid": "System.Security.Cryptography.Oid",
     "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
     "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
   },
   "SerialNumber": "71548E6A1CA4A5D7D7412CD62DBF651B",
   "SignatureAlgorithm": {
     "Value": "1.2.840.113549.1.1.11",
     "FriendlyName": "sha256RSA"
   },
   "Thumbprint": "A24FD3FC559208E8D0CC40CB5E6F9461071D045A",
   "Version": 3,
   "Issuer": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
   "Subject": "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, POBox=13125, STREET=Pfannschmidtstr. 31, L=Berlin, S=Berlin, PostalCode=13125, C=DE"
 },
 "TimeStamperCertificate": {
   "Archived": false,
   "Extensions": [
     "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
     "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
     "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509Extension",
     "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
     "System.Security.Cryptography.X509Certificates.X509Extension"
   ],
   "FriendlyName": "",
   "IssuerName": {
     "Name": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "NotAfter": "/Date(1609286399000)/",
   "NotBefore": "/Date(1350518400000)/",
   "HasPrivateKey": false,
   "PrivateKey": null,
   "PublicKey": {
     "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
     "Oid": "System.Security.Cryptography.Oid",
     "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
     "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
   },
   "SerialNumber": "0ECFF438C8FEBF356E04D86A981B1A50",
   "SubjectName": {
     "Name": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "SignatureAlgorithm": {
     "Value": "1.2.840.113549.1.1.5",
     "FriendlyName": "sha1RSA"
   },
   "Thumbprint": "65439929B67973EB192D6FF243E6767ADF0834E4",
   "Version": 3,
   "Handle": 1759233762864,
   "Issuer": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
   "Subject": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US"
 },
 "Status": 0,
 "StatusMessage": "Signature verified."
}
Error: Error: New version 2.0.0-beta7 is not signed by the application owner
[2019-02-05 19:07:57.088] [error] Error: Error: New version 2.0.0-beta7 is not signed by the application owner: publisherNames: COMODO RSA Code Signing CA, raw info: {
  "SignerCertificate": {
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1589587199000)/",
    "NotBefore": "/Date(1494892800000)/",
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "71548E6A1CA4A5D7D7412CD62DBF651B",
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.11",
      "FriendlyName": "sha256RSA"
    },
    "Thumbprint": "A24FD3FC559208E8D0CC40CB5E6F9461071D045A",
    "Version": 3,
    "Issuer": "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
    "Subject": "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, POBox=13125, STREET=Pfannschmidtstr. 31, L=Berlin, S=Berlin, PostalCode=13125, C=DE"
  },
  "TimeStamperCertificate": {
    "Archived": false,
    "Extensions": [
      "System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
      "System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509Extension",
      "System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
      "System.Security.Cryptography.X509Certificates.X509Extension"
    ],
    "FriendlyName": "",
    "IssuerName": {
      "Name": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "NotAfter": "/Date(1609286399000)/",
    "NotBefore": "/Date(1350518400000)/",
    "HasPrivateKey": false,
    "PrivateKey": null,
    "PublicKey": {
      "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
      "Oid": "System.Security.Cryptography.Oid",
      "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
      "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
    },
    "SerialNumber": "0ECFF438C8FEBF356E04D86A981B1A50",
    "SubjectName": {
      "Name": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US",
      "Oid": "System.Security.Cryptography.Oid"
    },
    "SignatureAlgorithm": {
      "Value": "1.2.840.113549.1.1.5",
      "FriendlyName": "sha1RSA"
    },
    "Thumbprint": "65439929B67973EB192D6FF243E6767ADF0834E4",
    "Version": 3,
    "Handle": 1759233762864,
    "Issuer": "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US",
    "Subject": "CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US"
  },
  "Status": 0,
  "StatusMessage": "Signature verified."
}

You can find the previous version here: 2.0.0-beta6
It will try to update to 2.0.0-beta7 and will fail.

Thanks for your great work!


hpop commented Feb 13, 2019

After some investigation, I think I may have found the problem.

As far as I see it, the signature verification works by checking the publisher name against the subject name in the certificate. The publisher name is either given in the configuration (win.publisherName) or is set while building from the given certificate.

Because I did not set the publisherName in the config, it was set during packaging. The problem is: it is set to the issuer name and not the subject name of the certificate. This leads to a failed verification while updating.

My fix was setting the publisherName in config:

"win": {
  "publisherName": ["Helmut Poppen"],
  "target": ["nsis"]
},

My problem is now: How do I get old versions to update? Is there any way to disable certificate validation remotely? Any ideas?


DrifterAtSea commented Apr 14, 2019

Regarding hpop's fix about putting the publisherName in the package.json file. I found that this is a MUST. Even though the initial publication uses the certificate, any further updates will fail under Windows if this publisherName is not in the package.json file. I have seen other posts that have indicated that when they removed the publisherName that it fixed the problem. But this really doesn't seem to be the case for the latest version of Electron and Electron Builder.

Either document this or fix the autoUpdater to properly handle it if the publisherName is missing.

On a somewhat related note: I also noticed that my updates would also fail if I deleted the release version that I posted in GitHub that was the same version installed. I was under the impression that all you needed was the newer release on GitHub. This is not so. You need to maintain ALL release versions on GitHub. Of course this is bad since you don't want users to manually download outdated versions that could even have security issues. What I discovered is that although you cannot delete the older releases, you can delete the setup.exe or zip files that are in those releases. You must however keep the blockmap file. Personally I find the way this updater works rather bad. You shouldn't have to maintain any information about older versions. A properly designed updater simply looks at the version installed and the latest version available and decides to update the installed version if the published version is newer. No need to maintain information on the older versions.


stale bot commented Jul 1, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the backlog label Jul 1, 2019
@stale stale bot closed this as completed Jul 8, 2019

Kilian commented Aug 15, 2019

Just got this too. The publisherName remains empty and then it checks against the issuer name, not the subject. That's very unfortunate!

Edit: This happens when creating the app-update.yml file. This is where it gets set incorrectly:

return certInfo == null ? null : [certInfo.commonName]
though it does look like it's trying to get the subject's CN:
commonName: parseDn(bloodyMicrosoftSubjectDn).get("CN")!!,
but that ends up being the wrong value.

@develar what would be the right change to make for this?
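The check hpop describes in the Feb 13 comment (publisherName compared against the certificate subject, but defaulted from the issuer when left unset) and the app-update.yml generation Kilian points at above can be modelled in a few lines. The following is an added example, not electron-builder's own code: parseDn, derivePublisherName and verifyPublisher are hypothetical helpers, not electron-builder APIs, and the two DN strings are taken (subject abbreviated) from the signer certificate in the issue's log output.

```javascript
// Added example, not electron-builder's own code: a small model of the
// updater's publisher-name check that this thread describes. parseDn,
// derivePublisherName and verifyPublisher are hypothetical helpers, not
// electron-builder APIs; the DN strings are taken (abbreviated) from the
// signer certificate in the issue's log output.

// Parse an RFC 2253-style DN such as "CN=..., O=..., C=..." into a Map of
// upper-cased attribute type -> value. Quoted values may contain commas.
function parseDn(dn) {
  const result = new Map();
  const attr = /([A-Za-z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)(?:\s*,\s*|$)/g;
  let m;
  while ((m = attr.exec(dn)) !== null) {
    let value = m[2].trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, "$1");
    }
    result.set(m[1].toUpperCase(), value);
  }
  return result;
}

// Build-time default for app-update.yml when win.publisherName is not set:
// take the certificate's common name. Selecting the issuer's CN instead of
// the subject's CN is the defect the thread identifies.
function derivePublisherName(cert, { fromIssuer = false } = {}) {
  const cn = parseDn(fromIssuer ? cert.issuer : cert.subject).get("CN");
  return cn == null ? null : [cn];
}

// Update-time check: the installer's signer certificate must carry one of
// the configured publisher names as its subject CN (case-insensitive).
function verifyPublisher(publisherNames, signerSubjectDn) {
  if (!publisherNames || publisherNames.length === 0) {
    return { ok: false, reason: "no publisherNames configured" };
  }
  const subjectCn = parseDn(signerSubjectDn).get("CN");
  if (!subjectCn) {
    return { ok: false, reason: "signer certificate has no subject CN" };
  }
  const ok = publisherNames.some(
    (name) => name.toLowerCase() === subjectCn.toLowerCase()
  );
  return ok
    ? { ok: true, reason: "" }
    : {
        ok: false,
        reason: `installer signed with incorrect certificate: publisherNames: ${publisherNames.join(", ")}`,
      };
}

// Constructed from the issue's log output (subject abbreviated).
const SIGNER_CERT = {
  subject: "CN=Helmut Poppen, OU=Kickertool, O=Helmut Poppen, L=Berlin, S=Berlin, C=DE",
  issuer: "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
};

// Scenario 1: publisherName left unset and derived from the issuer -> the
// updater rejects the new version, matching the "publisherNames: COMODO RSA
// Code Signing CA" text in the log.
function scenarioIssuerDefault() {
  return verifyPublisher(
    derivePublisherName(SIGNER_CERT, { fromIssuer: true }),
    SIGNER_CERT.subject
  );
}

// Scenario 2: explicit win.publisherName ["Helmut Poppen"] (hpop's fix) passes.
function scenarioExplicitConfig() {
  return verifyPublisher(["Helmut Poppen"], SIGNER_CERT.subject);
}

// Scenario 3: the default computed from the subject CN also passes, which is
// the correction Kilian is asking about.
function scenarioSubjectDefault() {
  return verifyPublisher(derivePublisherName(SIGNER_CERT), SIGNER_CERT.subject);
}

console.log(scenarioIssuerDefault());  // { ok: false, reason: 'installer signed with incorrect certificate: publisherNames: COMODO RSA Code Signing CA' }
console.log(scenarioExplicitConfig()); // { ok: true, reason: '' }
console.log(scenarioSubjectDefault()); // { ok: true, reason: '' }
```

The practical takeaway for anyone shipping with electron-builder's NSIS target is the same as hpop's: pin win.publisherName explicitly to the certificate's subject CN rather than relying on the build-time default, and re-check the generated app-update.yml after a certificate renewal, since a renewed certificate with a changed subject (jeetparikh's situation below) will fail this comparison for every installed client.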

@jeetparikh

@hpop were you able to sort this out for your old builds? I have a similar albeit a bit different issue. We had not set the publisher name as well, so it picked up from the certificate, which is now expired. The new certificate is now issued under a different name as our org name has changed. Now when we try to push an update signed with the new certificate the auto-update does not work and debugging that shows this error Sign Verification failed: installer signed with incorrect certificate: publishernames' 'New version is not signed by the application owner. I am not sure how to get around this as our update is being delayed due to this and badly need to sort it out. Your help is much appreciated! thanks

@hpop

hpop commented May 11, 2022

Honestly, I don't remember how or if I managed to fix it. Maybe this helps you: #6499

@jeetparikh

awesome thanks @hpop .. I had come across similar solutions.. the only problem we have is our old cert with old publisher name is expired. So can't sign apps with that.. But I suspect I will have to get/renew the cert with old publisher.
