Electron-builder: Sign Verification Failed and Not Signed By the Application Owner

Created on 11 Aug 2017 · 13 Comments · Source: electron-userland/electron-builder



"electron-builder": "^19.19.1",


"electron-updater": "^2.8.6",


Windows



Updates are succeeding on my development machine, but failing on other machines after downloading the update. I've included the errors from my log file at the end of this post. I've read a number of other issues where similar problems are raised but none of them seem to apply to my situation. I tried adding the following to my package.json but that did not help.

"win": {
"verifyUpdateCodeSignature": false,
"publisherName": "Harbour Software Pty Ltd"
}

Obviously the app installs initially without any problems with the code signing. Why is the update failing?

[2017-08-11 10:35:26:0647] [info] Sign verification failed, installer signed with incorrect certificate: {
"SignerCertificate": {
"FriendlyName": "",
"IssuerName": {
"Name": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803",
"Oid": "System.Security.Cryptography.Oid"
},
"NotAfter": "/Date(1506010435000)/",
"NotBefore": "/Date(1474452835000)/",
"PrivateKey": null,
"PublicKey": {
"Key": "System.Security.Cryptography.RSACryptoServiceProvider",
"Oid": "System.Security.Cryptography.Oid",
"EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
"EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
},
"SerialNumber": "1C7F53D55536FD874F8582924E6F7988",
"SignatureAlgorithm": {
"Value": "1.2.840.113549.1.1.11",
"FriendlyName": "sha256RSA"
},
"Thumbprint": "6D85F86F3C2E1DB768A65FF2E526D4E64F495AF2",
"Version": 3,
"Issuer": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803",
"Subject": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803"
},
"TimeStamperCertificate": {
"Archived": false,
"Extensions": [
"System.Security.Cryptography.X509Certificates.X509Extension",
"System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
"System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
"System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
"System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
"System.Security.Cryptography.X509Certificates.X509Extension",
"System.Security.Cryptography.X509Certificates.X509Extension"
],
"FriendlyName": "",
"IssuerName": {
"Name": "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US",
"Oid": "System.Security.Cryptography.Oid"
},
"NotAfter": "/Date(1562697636000)/",
"NotBefore": "/Date(1451520000000)/",
"HasPrivateKey": false,
"PrivateKey": null,
"PublicKey": {
"Key": "System.Security.Cryptography.RSACryptoServiceProvider",
"Oid": "System.Security.Cryptography.Oid",
"EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
"EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
},
"SerialNumber": "4EB0878FCC243536B2D8C9F7BF395577",
"SubjectName": {
"Name": "CN=COMODO SHA-256 Time Stamping Signer, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
"Oid": "System.Security.Cryptography.Oid"
},
"SignatureAlgorithm": {
"Value": "1.2.840.113549.1.1.11",
"FriendlyName": "sha256RSA"
},
"Thumbprint": "36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA",
"Version": 3,
"Handle": 1714514108944,
"Issuer": "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US",
"Subject": "CN=COMODO SHA-256 Time Stamping Signer, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB"
},
"Status": 1,
"StatusMessage": "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
}
[2017-08-11 10:35:26:0768] [error] Error: Error: New version 0.51.0 is not signed by the application owner: {
"SignerCertificate": {
"FriendlyName": "",
"IssuerName": {
"Name": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803",
"Oid": "System.Security.Cryptography.Oid"
},
"NotAfter": "/Date(1506010435000)/",
"NotBefore": "/Date(1474452835000)/",
"PrivateKey": null,
"PublicKey": {
"Key": "System.Security.Cryptography.RSACryptoServiceProvider",
"Oid": "System.Security.Cryptography.Oid",
"EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
"EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
},
"SerialNumber": "1C7F53D55536FD874F8582924E6F7988",
"SignatureAlgorithm": {
"Value": "1.2.840.113549.1.1.11",
"FriendlyName": "sha256RSA"
},
"Thumbprint": "6D85F86F3C2E1DB768A65FF2E526D4E64F495AF2",
"Version": 3,
"Issuer": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803",
"Subject": "CN=56E7E84D-7F15-45F6-BA32-A644DE395803"
},
"TimeStamperCertificate": {
"Archived": false,
"Extensions": [
"System.Security.Cryptography.X509Certificates.X509Extension",
"System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension",
"System.Security.Cryptography.X509Certificates.X509KeyUsageExtension",
"System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension",
"System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension",
"System.Security.Cryptography.X509Certificates.X509Extension",
"System.Security.Cryptography.X509Certificates.X509Extension"
],
"FriendlyName": "",
"IssuerName": {
"Name": "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US",
"Oid": "System.Security.Cryptography.Oid"
},
"NotAfter": "/Date(1562697636000)/",
"NotBefore": "/Date(1451520000000)/",
"HasPrivateKey": false,
"PrivateKey": null,
"PublicKey": {
"Key": "System.Security.Cryptography.RSACryptoServiceProvider",
"Oid": "System.Security.Cryptography.Oid",
"EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
"EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
},
"SerialNumber": "4EB0878FCC243536B2D8C9F7BF395577",
"SubjectName": {
"Name": "CN=COMODO SHA-256 Time Stamping Signer, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB",
"Oid": "System.Security.Cryptography.Oid"
},
"SignatureAlgorithm": {
"Value": "1.2.840.113549.1.1.11",
"FriendlyName": "sha256RSA"
},
"Thumbprint": "36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA",
"Version": 3,
"Handle": 1714514108944,
"Issuer": "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US",
"Subject": "CN=COMODO SHA-256 Time Stamping Signer, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB"
},
"Status": 1,
"StatusMessage": "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"
}
at C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\node_modules\electron-updater\src\NsisUpdater.ts:73:13
at Generator.next ()
at FSReqWrap.CB [as oncomplete] (C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\node_modules\fs-extra\lib\remove\rimraf.js:57:5)
From previous event:
at NsisUpdater.doDownloadUpdate (C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\node_modules\electron-updater\out\NsisUpdater.js:134:11)
at C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\node_modules\electron-updater\src\AppUpdater.ts:274:25
at Generator.next ()
From previous event:
at NsisUpdater.downloadUpdate (C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\node_modules\electron-updater\out\AppUpdater.js:325:11)
at Function. (C:\Users\david\AppData\Local\Programs\au.com.harboursoftware.docsontapv2\resources\app.asar\electron.js:96:29)

invalid windows

All 13 comments

"Status": 1,
"StatusMessage": "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"

Seems like the people that are trying to install the update don't have all needed certificates in their TrustStore. They need to install the complete certificate chain.

Check the signing certificate that is installed on the client PC.
An image like the following would result in a problematic certificate validation.
[image]

don't have all needed certificates in their TrustStore.

... and it means that your cert was issued by a vendor that is not trusted, i.e. MS doesn't add your certificate authority to the default bundled trusted authorities.

Thanks for the replies. However I don't see how the problem can be with the certificate for the following reasons:

  • I purchased the code signing certificate from Comodo - so it is a genuine paid for code signing certificate.

  • When I do the initial application installation there are no complaints from Windows about the code signing certificate.

  • Surely you cannot be telling me that I have to manually install the certificate chain on each user's PC.

Could the problem be something similar to that detailed here: https://support.comodo.com/index.php?/Knowledgebase/Article/View/805
and here https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO21771&actp=RSS&viewlocale=en_US

@develar I am happy to give you access to my code base on GitHub if you want to test this for yourself.

Kind regards,

David

Yeah, that's strange to me too. Your app executable installer will be enough for me to investigate.

@develar you can download the installer from ~downloaded~

The link above does not seem to work when clicked from within this GitHub issue. However it does work if you copy and paste it into your browser address bar.

Thanks for looking into this.

Same issue here for the first time with same certificate and production release procedure.

Unhandled rejection Error: New version 0.16.0 is not signed by the application owner: {
 "SignerCertificate": {
   "FriendlyName": "",
   "IssuerName": {
     "Name": "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE",
     "Oid": "System.Security.Cryptography.Oid"
   },
   "NotAfter": "/Date(1532601087000)/",
   "NotBefore": "/Date(1500978687000)/",
   "PrivateKey": null,
   "PublicKey": {
     "Key": "System.Security.Cryptography.RSACryptoServiceProvider",
     "Oid": "System.Security.Cryptography.Oid",
     "EncodedKeyValue": "System.Security.Cryptography.AsnEncodedData",
     "EncodedParameters": "System.Security.Cryptography.AsnEncodedData"
   },
   "SerialNumber": "22434E323755D4291B7713C8",
   "SignatureAlgorithm": {
     "Value": "1.2.840.113549.1.1.11",
     "FriendlyName": "sha256RSA"
   },
   "Thumbprint": "AE4C9C46E8B33789C984BB9DE1EFB4723BEF9ABE",
   "Version": 3,
   "Issuer": "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE",
   "Subject": "CN=Blacknut SAS, O=Blacknut SAS, L=Rennes, S=Ille-et-Vilaine, C=FR, OID.1.3.6.1.4.1.311.60.2.1.3=FR, SERIALNUMBER=817 885 049, OID.2.5.4.15=Private Organization"
 },
 "TimeStamperCertificate": null,
 "Status": 0,
 "StatusMessage": "Signature vérifiée."
}
   at C:\Program Files (x86)\Blacknut\resources\app.asar\node_modules\electron-updater\src\NsisUpdater.ts:66:13

@develar Just wondering if you've had a chance to investigate this issue.

@develar Just wondering if you've had a chance to investigate this issue.

@daveywc

C:\Users\develar>C:\Users\develar\Desktop\signtool.exe verify "C:\Users\develar\Desktop\Docs On Tap V2 Setup 0.51.0.exe"
File: C:\Users\develar\Desktop\Docs On Tap V2 Setup 0.51.0.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1
PS C:\Users\develar> Get-AuthenticodeSignature "C:\Users\develar\Desktop\Docs On Tap V2 Setup 0.51.0.exe"


    Directory: C:\Users\develar\Desktop


SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
6D85F86F3C2E1DB768A65FF2E526D4E64F495AF2  UnknownError                           Docs On Tap V2 Setup 0.51.0.exe

screen shot 2017-08-22 at 15 20 51

Your app is not signed correctly. Feel free to contact me directly using Slack to provide build logs privately.

I am experiencing the same on 19.28.4: signtool verified the certificate and Get-AuthenticodeSignature verified it as well, yet the autoupdater throws the same error. Also, @develar, the signtool you used will throw that error on cheap code signing certs; run it with the /pa option.

@Jerczu please file new issue and attach full error text.

So - one thing I ran into regarding the signing error was that I was manually defining the publisherName in the package.json - and the documentation states it will pull this from the certificate. When I removed the publisherName from the package it correctly updated. Best of luck!

I was also using a purchased Comodo certificate.

@paulprins Thank you so much!
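
The certificate dumps in this thread are long, but only a few fields decide the outcome: `Status`, whether `Issuer` equals `Subject`, the subject CN compared with the configured `publisherName`, and whether a timestamp is present. The Node.js triage below is an added example, not code from electron-updater or from anyone in the thread; the function names and finding labels are made up here, and the two sample objects are constructed by cutting the logs above down to the fields used.

```javascript
// Added example. SignatureStatus names as PowerShell defines them (index = "Status").
const STATUS = ["Valid", "UnknownError", "NotSigned", "HashMismatch",
  "NotTrusted", "NotSupportedFileFormat", "Incompatible"];
// Split an X.500 name into a Map, honouring quoted values that contain commas.
function parseDn(dn) {
  const parts = new Map();
  const re = /\s*([^=,]+)=(?:"((?:[^"]|"")*)"|([^,]*))\s*(?:,|$)/g;
  for (let m = re.exec(dn); m !== null; m = re.exec(dn)) {
    const value = m[2] !== undefined ? m[2].replace(/""/g, '"') : m[3].trim();
    if (!parts.has(m[1].trim())) parts.set(m[1].trim(), value);
  }
  return parts;
}

// ConvertTo-Json renders a DateTime as "/Date(<ms since epoch>)/".
function parseDotNetDate(s) {
  const m = /^\/Date\((-?\d+)\)\/$/.exec(s || "");
  return m ? new Date(Number(m[1])) : null;
}

// Return the reasons a logged signature report deserves a closer look.
function triage(report, publisherName, now = new Date()) {
  const signer = report.SignerCertificate;
  if (!signer) return ["not-signed"];
  const findings = [];
  if (report.Status !== 0) findings.push("status:" + (STATUS[report.Status] || report.Status));
  if (signer.Issuer === signer.Subject) findings.push("self-signed");
  if (publisherName && parseDn(signer.Subject).get("CN") !== publisherName)
    findings.push("publisher-mismatch");
  // No countersignature: validity then ends with the certificate's NotAfter.
  const notAfter = parseDotNetDate(signer.NotAfter);
  if (!report.TimeStamperCertificate && notAfter)
    findings.push(now > notAfter ? "expired-untimestamped" : "untimestamped");
  return findings;
}

// Constructed samples: the two logs above, cut down to the fields used here.
const firstLog = {
  SignerCertificate: { Issuer: "CN=56E7E84D-7F15-45F6-BA32-A644DE395803",
    Subject: "CN=56E7E84D-7F15-45F6-BA32-A644DE395803", NotAfter: "/Date(1506010435000)/" },
  TimeStamperCertificate: { Subject: "CN=COMODO SHA-256 Time Stamping Signer, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB" },
  Status: 1,
};
const secondLog = {
  SignerCertificate: { Issuer: "CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE",
    Subject: "CN=Blacknut SAS, O=Blacknut SAS, L=Rennes, S=Ille-et-Vilaine, C=FR, OID.1.3.6.1.4.1.311.60.2.1.3=FR, SERIALNUMBER=817 885 049, OID.2.5.4.15=Private Organization", NotAfter: "/Date(1532601087000)/" },
  TimeStamperCertificate: null,
  Status: 0,
};
console.log(triage(firstLog, "Harbour Software Pty Ltd"), triage(secondLog));
```

On the first log it reports the non-valid status, that the signer certificate names itself as issuer, and that its CN is not the `publisherName` from the posted `package.json`.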
