
Error incorrect updater private key password: Missing comment in secret key #658

Open
MasterKrab opened this issue Jan 1, 2024 · 23 comments

Comments

@MasterKrab

MasterKrab commented Jan 1, 2024

I'm building my app with the updater. I already tried putting a password or not, and it keeps giving me that error in the action, but locally, it works.

  Bundling PenguinWriter.app (/Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/macos/PenguinWriter.app)
    Bundling PenguinWriter_1.0.0_x64.dmg (/Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/dmg/PenguinWriter_1.0.0_x64.dmg)
     Running bundle_dmg.sh
    Bundling /Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/macos/PenguinWriter.app.tar.gz (/Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/macos/PenguinWriter.app.tar.gz)
    Finished 2 bundles at:
        /Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/macos/PenguinWriter.app
        /Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/dmg/PenguinWriter_1.0.0_x64.dmg
        /Users/runner/work/Penguin-Writer/Penguin-Writer/src-tauri/target/release/bundle/macos/PenguinWriter.app.tar.gz (updater)

       Error incorrect updater private key password: Missing comment in secret key
 ELIFECYCLE  Command failed with exit code 1.
Error: Command failed with exit code 1: pnpm tauri build

https://github.com/MasterKrab/Penguin-Writer/actions/runs/7379835021/job/20076548977

@FabianLars
Member

Hmm, I'm pretty sure this can only happen if the key and/or password you saved in the GitHub settings is different from the one(s) you use locally.
Or really rarely, if one environment uses a vastly different tauri-cli version (in case your node_modules folder is still from the npm install you got the package-lock.json file from, for example).

@MasterKrab
Author

> Hmm, I'm pretty sure this can only happen if the key and/or password you saved in the GitHub settings is different from the one(s) you use locally. Or really rarely, if one environment uses a vastly different tauri-cli version (in case your node_modules folder is still from the npm install you got the package-lock.json file from, for example).

I deleted node_modules, ran pnpm install, set the password to empty, and checked the keys, but the issue persists.

@FabianLars
Member

Hmm, I looked through our Discord where others reported a similar issue, but all of them fixed it by either setting the secrets again (cause of a simple typo or something) or by regenerating them completely.

I really can't think of anything else either. It still works for me and my keys are also super old (generated with 1.0 or 1.1 iirc) so I'm completely lost tbh.

@linpan

linpan commented Jan 10, 2024

me too

tauri/target/release/bundle/macos/PagePatrol.app.tar.gz)
Finished 2 bundles at:
/Users/runner/work/pagepatrol/pagepatrol/src-tauri/target/release/bundle/macos/PagePatrol.app
/Users/runner/work/pagepatrol/pagepatrol/src-tauri/target/release/bundle/dmg/PagePatrol_0.1.0_x64.dmg
/Users/runner/work/pagepatrol/pagepatrol/src-tauri/target/release/bundle/macos/PagePatrol.app.tar.gz (updater)

   Error incorrect updater private key password: Missing comment in secret key

info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
error Command failed with exit code 1.
Error: Command failed with exit code 1: yarn tauri build

@linpan

linpan commented Jan 10, 2024

> Hmm, I'm pretty sure this can only happen if the key and/or password you saved in the GitHub settings is different from the one(s) you use locally. Or really rarely, if one environment uses a vastly different tauri-cli version (in case your node_modules folder is still from the npm install you got the package-lock.json file from, for example).
>
> I deleted node_modules, ran pnpm install, set the password to empty, and checked the keys, but the issue persists.

figure out ??

@douweschulte

douweschulte commented Feb 29, 2024

I ran into the same issue in GitHub Actions:

    Finished release [optimized] target(s) in 3m 16s
    Bundling annotator_0.2.2_amd64.deb (/home/runner/work/annotator/annotator/src-tauri/target/release/bundle/deb/annotator_0.2.2_amd64.deb)
    Bundling annotator_0.2.2_amd64.AppImage (/home/runner/work/annotator/annotator/src-tauri/target/release/bundle/appimage/annotator_0.2.2_amd64.AppImage)
    Bundling /home/runner/work/annotator/annotator/src-tauri/target/release/bundle/appimage/annotator_0.2.2_amd64.AppImage.tar.gz (/home/runner/work/annotator/annotator/src-tauri/target/release/bundle/appimage/annotator_0.2.2_amd64.AppImage.tar.gz)
    Finished 2 bundles at:
        /home/runner/work/annotator/annotator/src-tauri/target/release/bundle/deb/annotator_0.2.2_amd64.deb
        /home/runner/work/annotator/annotator/src-tauri/target/release/bundle/appimage/annotator_0.2.2_amd64.AppImage
        /home/runner/work/annotator/annotator/src-tauri/target/release/bundle/appimage/annotator_0.2.2_amd64.AppImage.tar.gz (updater)

       Error incorrect updater private key password: Missing comment in secret key
Error: Command failed with exit code 1: tauri build

https://github.com/snijderlab/annotator/actions/runs/8096651802/job/22125859028

Locally it works. Based on the comments above I reset my GitHub secrets multiple times and generated new keys. This is the last of a couple of actions that failed for exactly the same reason.

I am using only the cargo-tauri-cli and the tauri-apps/tauri-action GitHub action.

@FabianLars
Member

@douweschulte I forked your repo, regenerated the key, and it works for me: https://github.com/FabianLars/annotator/actions/runs/8097213610/job/22128304100#step:8:516

What's the exact command you used to generate the key and what version of the tauri cli are you using?

@douweschulte

douweschulte commented Feb 29, 2024

cargo tauri signer generate -w '$HOME/.tauri/annotator.key' with my password pasted in there with tauri-cli 1.3.1

Thanks so much for looking into it!

@douweschulte

I updated to 1.5.10, generated a new key pair, and got the same error: https://github.com/snijderlab/annotator/actions/runs/8098279095/job/22131308247.

@Hacksore

Hacksore commented Feb 29, 2024

@douweschulte no issues on my side using dev (source) action and no password, but I see you are using v0 (source) and a password.

https://github.com/Hacksore/overlayed/blob/master/.github/workflows/release.yaml#L91-L92

Possible things to try.

  • Update tauri action
  • Don't use a password

@FabianLars
Member

Still can't reproduce it. How about a more drastic approach: can you post a private key, public key, and password combination that fails for you? (Make sure it's not something you actually use in one of your apps.)

@MasterKrab
Author

MasterKrab commented Feb 29, 2024

I updated @tauri-apps/cli to 1.5.10, set action to tauri-apps/[email protected] and used a password.

Same error: https://github.com/MasterKrab/Penguin-Writer/actions/runs/8100511692

Then I set action to tauri-apps/tauri-action@dev.

Same error: https://github.com/MasterKrab/Penguin-Writer/actions/runs/8100607610/job/22138995188

Then I set an empty password:

Same error: https://github.com/MasterKrab/Penguin-Writer/actions/runs/8100774078

Created new keys:

Same error: https://github.com/MasterKrab/Penguin-Writer/actions/runs/8100949483/job/22140028433

@Hacksore

Hacksore commented Mar 8, 2024

So I actually do get this so adding my analysis to the issue.

I see this when people make pull requests from a fork, which will not allow the TAURI_PRIVATE_KEY and TAURI_PUBLIC_KEY env vars to be pulled from my repo's secrets.

🛑 Issue = Workflow Run (PR) - This is a user creating a pull request from a forked repo.

✅ No Issue = Workflow Run (PR) - This is me creating a pull request in the same repo.

Hacksore added a commit to overlayeddev/overlayed that referenced this issue Jun 5, 2024
@Hacksore

Hacksore commented Jun 5, 2024

So in my case I think my issue was that in my ci.yaml workflow I was exposing the signing vars there. When someone made a PR from a fork, GitHub intentionally does not allow those vars to be exposed.

I fixed it via the following commits
overlayeddev/overlayed@969f4ea
overlayeddev/overlayed@2e67de4

Unsure if this is what @MasterKrab and others are experiencing though.

@Ziltosh

Ziltosh commented Jun 21, 2024

I have exactly the same problem... Did you find a solution?

Here is a private/public key generated just for testing:
private:
dW50cnVzdGVkIGNvbW1lbnQ6IHJzaWduIGVuY3J5cHRlZCBzZWNyZXQga2V5ClJXUlRZMEl5VTFzZjIxbnNCWWFLYnBrLzJhUFVDOUZEV1FKZVhrVWRSWXc2eFpRODBaSUFBQkFBQUFBQUFBQUFBQUlBQUFBQUhlc2ovS0VrbTVqRmlQVW1yMndFNWg4bHVVc01pM3E3SEpGNnVhWFhVRUxDN1pDd0hJRmU2WThycjhydkJvMjlUR0t3YThGSHdyWnFPV0F6VmlCakFObzRUYWNWMlNnWWN1WUZYS09WUlBZMUxNUVJ3QXd2V2pSaEZsVHFQM21JbXlPb0NlNmJlY2s9Cg==

public:
dW50cnVzdGVkIGNvbW1lbnQ6IG1pbmlzaWduIHB1YmxpYyBrZXk6IDZFNkIwMEE2REJDRDg2RUYKUldUdmhzM2JwZ0JyYmo5eVNYMFBQLzFTVTN2R1lkb1ZndWp1RE13c0Q3ZlV4ekxXRTRxOUUwcFoK

password: no

My repo: https://github.com/Ziltosh/trading-bot-manager

Thank you.

@Genie23

Genie23 commented Jun 27, 2024

Hello everyone

I had the same error and tried everything:

  • put a comment to the secret key (in the value secrets.TAURI_PRIVATE_KEY I put the content of the generated .key file followed by a space and a comment)
  • regenerate the keys (I did this several times)
  • add an endpoint to the latest.json file that will be generated for each release

I hadn't seen in the previous comments "Don't set a password", so I always used one (also in GitHub's secret values), but I still managed to get the updater configuration to work.

All I had to do was limit the targets to those allowing the updater:

"targets": ["msi", "app", "appimage"]

And then my GitHub workflow worked!

As a suggestion, regarding this problem, I'd suggest excluding the updater configuration (even if it means putting a warning) from all targets that don't support it, so as to avoid any more errors of this kind.

Note also that the error message is not very explicit. I fumbled for a long time before finding the solution...

However, no binary for macOS? An app.tar.gz is generated, so do you have to compile them by hand? If so, that's promising >_<"

@FabianLars
Member

> All I had to do was limit the targets to those allowing the updater:

That honestly makes no sense to me. Not saying you're wrong, but I don't think this is the actual root cause. Tauri won't try to sign bundle types that don't support the updater and I also had all bundles enabled in my testing.
I'm not saying you're wrong, just that this can't be the only thing, there must be something else on top.

I also have a bit of time today so I'm checking @Ziltosh's examples (thank you btw!!)

@FabianLars
Member

Sooo, I forked https://github.com/Ziltosh/trading-bot-manager from the comment above #658 (comment), copied the provided private key into a repo secret and the pubkey into tauri.conf.json and it worked fine... https://github.com/FabianLars/trading-bot-manager/actions/runs/9694702927/job/26752906291

@Ziltosh

Ziltosh commented Jun 27, 2024

> Sooo, I forked https://github.com/Ziltosh/trading-bot-manager from the comment above #658 (comment), copied the provided private key into a repo secret and the pubkey into tauri.conf.json and it worked fine... https://github.com/FabianLars/trading-bot-manager/actions/runs/9694702927/job/26752906291

Thank you for testing.
I don't understand...
Same code, same key: https://github.com/Ziltosh/trading-bot-manager/actions/runs/9696156866/job/26757480151

Always the same error.

@Ziltosh

Ziltosh commented Jun 27, 2024

Ok, I finally found it!
I was incorrectly entering the TAURI_PRIVATE_KEY in the repository settings. You need to go to Secrets and variables > Actions, and directly click on Add repository secret.

Personally, I was adding an environment secret...

Thank you.

@Genie23

Genie23 commented Jun 29, 2024

Yes, I had the same problem (I had defined a secret in an environment and not a secret in my repository).

That said, it wasn't enough on its own to fix the bug. What I was missing, and the error message was quite explicit, was the yarn tauri run dev command.

Declare the updater function in the Cargo.toml file:

...
[dependencies]
tauri = { version = "1", features = [ "updater", "shell-open"] }
...

After running the yarn tauri run dev command locally, it added this to my Cargo.toml and the build worked on GitHub.

On the other hand, I've never managed to create a GitLab pipeline (sorry if I'm talking about the competition here, but I'm used to having my repositories on GitLab, an old habit I picked up back in the days when you had to pay to have several private repositories on GitHub - that was a long time ago).

Now I generate all types of output correctly (nsis, wix, deb, AppImage, dmg, app.tar.gz) with the added bonus of a double update asset for nsis (Tauri.Base_0.0.2_x64-setup.nsis.zip and Tauri.Base_0.0.2_x64-setup.nsis.zip.sig - Tauri Base is the name of my application, I wanted a skeleton to clone for any new application -) which are however not used, unless I am mistaken (according to the documentation, the updater, for Windows, only concerns installations via wix, and the latest.json file does not seem to list these nsis packages).

If anyone has an explanation, I'd love to hear it (as to why and how these two assets were created, and how to integrate them into the update process).

In the meantime, I've started to develop a website using the Phalcon framework, which will be responsible for managing all the applications using the update system (currently my site only manages the update part, but eventually I'm planning to have a showcase for downloading the installer, an administration panel to check the number of downloads, for example, or to delete applications, all activated via GitHub webhooks).

Once I've got a viable project, I'll make its repository public (right now it's hosted on a private repository on GitLab). And if by then a working pipeline for GitLab is proposed, I'll try to come up with a system that works with both ;)

@FabianLars
Member

> Now I generate all types of output correctly (nsis, wix, deb, AppImage, dmg, app.tar.gz) with the added bonus of a double update asset for nsis (Tauri.Base_0.0.2_x64-setup.nsis.zip and Tauri.Base_0.0.2_x64-setup.nsis.zip.sig - Tauri Base is the name of my application, I wanted a skeleton to clone for any new application -) which are however not used, unless I am mistaken (according to the documentation, the updater, for windows, only concerns installations via wix, and the latest.json file does not seem to list these nsis packages).

The updater itself supports both wix and nsis, but only one at a time because it can't detect which one the app was installed with.
tauri-action will use the updaterJsonPreferNsis (default false) config to decide which package to use in latest.json - unless only one type was built of course, then it uses that.

@delebash

Thanks @Ziltosh, I was also setting an environmental secret. Worked great after I set a repo secret. @FabianLars Maybe updating the example action with this info.

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # You need to add a repo secret with your generated private key. See the GitHub docs:
  # https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository
  TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}

Or something like this in the docs. TY. Cheers!
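
An added example (not code from the Tauri project or from anyone in this thread): a preflight step to run before `tauri build` in the workflow, which separates the causes reported above, an empty secret (pull request from a fork, or an environment secret instead of a repository secret) versus a mis-pasted value. It assumes the secret is the base64-encoded key file whose first decoded line starts with `untrusted comment:`, as the test key posted above does; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the updater signing key in CI.
# Function names are hypothetical; only the env var names come from the thread.

# check_tauri_key KEY
# returns 0 = looks like a key, 1 = empty, 2 = not base64, 3 = no comment line
check_tauri_key() {
    key=$1
    # Empty value: the secret never reached this job (fork PR, or it was
    # stored as an environment secret that the job does not reference).
    if [ -z "$key" ]; then
        return 1
    fi
    # Strip whitespace a copy/paste may have added, then decode.
    decoded=$(printf '%s' "$key" | tr -d ' \r\n\t' | base64 --decode 2>/dev/null) || return 2
    [ -n "$decoded" ] || return 2
    # Assumption: a valid key file starts with an "untrusted comment:" line.
    first_line=$(printf '%s\n' "$decoded" | head -n 1)
    case $first_line in
        "untrusted comment:"*) return 0 ;;
        *) return 3 ;;
    esac
}

# Map a status code to a message that never prints the key itself.
explain_key_status() {
    case $1 in
        0) echo "signing key present and starts with a comment line" ;;
        1) echo "signing key is empty: check fork PRs and environment vs repository secrets" ;;
        2) echo "signing key is not valid base64: re-paste the secret" ;;
        3) echo "decoded key has no 'untrusted comment:' first line: wrong value stored" ;;
        *) echo "unknown status" ;;
    esac
}

# Reads whichever of the two variable names used in this thread is set.
tauri_key_preflight() {
    status=0
    check_tauri_key "${TAURI_SIGNING_PRIVATE_KEY:-${TAURI_PRIVATE_KEY:-}}" || status=$?
    explain_key_status "$status" >&2
    return "$status"
}

# In the workflow step, before the build:  tauri_key_preflight || exit 1
```
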
