fix: make Sparkle signature verification robust in release script

Prot10 · Prot10 · commit d78f5d70005e · 2026-01-25T00:19:40.000+01:00
The previous verification logic had multiple issues:
- sleep 3 was too short for GitHub to process uploads
- No verification that downloaded file was actually a ZIP
- sed replacement could fail silently
- Only re-signed if SHAs differed (race condition)

New approach:
- Wait 10s + retry loop with exponential backoff (up to 5 attempts)
- Verify downloaded file is a valid ZIP archive
- ALWAYS re-sign with the actual GitHub file (not conditional)
- Use Python for reliable XML replacement
- Verify appcast.xml was actually updated before continuing
- Exit with error if any step fails

This ensures Sparkle signatures always match what users download.
diff --git a/scripts/release.sh b/scripts/release.sh
@@ -435,38 +435,101 @@ gh release create "v${VERSION}" \
 
 echo -e "${GREEN}GitHub release created${NC}"
 
-# CRITICAL: Verify uploaded ZIP and re-sign if needed
-echo "Verifying uploaded ZIP..."
-sleep 3  # Give GitHub time to process
+# CRITICAL: Verify uploaded ZIP and re-sign with the ACTUAL GitHub file
+# This ensures Sparkle signature always matches what users download
+echo "Waiting for GitHub to process upload..."
+sleep 10  # Give GitHub more time to process
+
+GITHUB_ZIP_URL="https://github.com/${REPO}/releases/download/v${VERSION}/${APP_NAME}-v${VERSION}.zip"
+GITHUB_ZIP_PATH="/tmp/github-uploaded-${VERSION}.zip"
+
+# Download with retries and verification
+MAX_RETRIES=5
+RETRY_DELAY=5
+for i in $(seq 1 $MAX_RETRIES); do
+    echo "Downloading GitHub ZIP (attempt $i/$MAX_RETRIES)..."
+    curl -L -s -o "$GITHUB_ZIP_PATH" "$GITHUB_ZIP_URL"
+
+    # Verify it's actually a ZIP file (not HTML error page)
+    if file "$GITHUB_ZIP_PATH" | grep -q "Zip archive"; then
+        echo -e "${GREEN}Downloaded valid ZIP file${NC}"
+        break
+    else
+        echo -e "${YELLOW}Download failed or not a ZIP file, retrying in ${RETRY_DELAY}s...${NC}"
+        rm -f "$GITHUB_ZIP_PATH"
+        sleep $RETRY_DELAY
+        RETRY_DELAY=$((RETRY_DELAY * 2))
+    fi
+
+    if [ $i -eq $MAX_RETRIES ]; then
+        echo -e "${RED}ERROR: Failed to download valid ZIP from GitHub after $MAX_RETRIES attempts${NC}"
+        echo "Please verify manually and update appcast.xml"
+        exit 1
+    fi
+done
+
+# ALWAYS re-sign with the actual GitHub file to ensure signature matches
+# This is the ONLY way to guarantee the signature is correct
+echo "Signing the actual GitHub ZIP file..."
+GITHUB_FILE_SIZE=$(stat -f%z "$GITHUB_ZIP_PATH")
+
+echo "$SPARKLE_PRIVATE_KEY" > /tmp/sparkle_key_verify
+GITHUB_SIGNATURE_OUTPUT=$("$SPARKLE_SIGN" --ed-key-file /tmp/sparkle_key_verify "$GITHUB_ZIP_PATH")
+rm -f /tmp/sparkle_key_verify
+
+GITHUB_ED_SIGNATURE=$(echo "$GITHUB_SIGNATURE_OUTPUT" | grep -o 'sparkle:edSignature="[^"]*"' | cut -d'"' -f2)
+
+if [ -z "$GITHUB_ED_SIGNATURE" ]; then
+    echo -e "${RED}ERROR: Failed to generate signature for GitHub ZIP${NC}"
+    exit 1
+fi
+
+echo "GitHub ZIP size: $GITHUB_FILE_SIZE bytes"
+echo "GitHub ZIP signature: ${GITHUB_ED_SIGNATURE:0:30}..."
+
+# Update appcast.xml with the CORRECT signature for the GitHub file
+# Use Python for reliable XML-safe replacement
+python3 << PYEOF
+import re
+
+version = "${VERSION}"
+new_signature = "${GITHUB_ED_SIGNATURE}"
+new_size = "${GITHUB_FILE_SIZE}"
 
-curl -L -s -o "/tmp/github-uploaded-${VERSION}.zip" \
-    "https://github.com/${REPO}/releases/download/v${VERSION}/${APP_NAME}-v${VERSION}.zip"
+with open('appcast.xml', 'r') as f:
+    content = f.read()
 
-LOCAL_SHA=$(shasum -a 256 "build/${APP_NAME}-v${VERSION}.zip" | cut -d' ' -f1)
-GITHUB_SHA=$(shasum -a 256 "/tmp/github-uploaded-${VERSION}.zip" | cut -d' ' -f1)
+# Find and update the enclosure for this version
+# Match the enclosure line for this specific version
+pattern = r'(download/v' + re.escape(version) + r'/[^"]+\.zip"\s+sparkle:edSignature=")[^"]*("\s+length=")[^"]*(")'
+replacement = r'\g<1>' + new_signature + r'\g<2>' + new_size + r'\g<3>'
 
-if [ "$LOCAL_SHA" != "$GITHUB_SHA" ]; then
-    echo -e "${YELLOW}Warning: GitHub ZIP differs from local! Re-signing with GitHub version...${NC}"
+new_content, count = re.subn(pattern, replacement, content)
 
-    # Re-sign the GitHub version
-    echo "$SPARKLE_PRIVATE_KEY" > /tmp/sparkle_key_verify
-    GITHUB_SIGNATURE_OUTPUT=$("$SPARKLE_SIGN" --ed-key-file /tmp/sparkle_key_verify "/tmp/github-uploaded-${VERSION}.zip")
-    rm -f /tmp/sparkle_key_verify
+if count == 0:
+    print(f"ERROR: Could not find enclosure for version {version} in appcast.xml")
+    exit(1)
 
-    GITHUB_ED_SIGNATURE=$(echo "$GITHUB_SIGNATURE_OUTPUT" | grep -o 'sparkle:edSignature="[^"]*"' | cut -d'"' -f2)
-    GITHUB_FILE_SIZE=$(stat -f%z "/tmp/github-uploaded-${VERSION}.zip")
+with open('appcast.xml', 'w') as f:
+    f.write(new_content)
 
-    # Update appcast.xml with correct signature
-    sed -i '' "s|sparkle:edSignature=\"${ED_SIGNATURE}\"|sparkle:edSignature=\"${GITHUB_ED_SIGNATURE}\"|g" appcast.xml
-    sed -i '' "s|length=\"${FILE_SIZE}\"|length=\"${GITHUB_FILE_SIZE}\"|g" appcast.xml
+print(f"Updated appcast.xml: signature and length for v{version}")
+PYEOF
 
-    ED_SIGNATURE="$GITHUB_ED_SIGNATURE"
-    FILE_SIZE="$GITHUB_FILE_SIZE"
+# Verify the update was successful
+if ! grep -q "sparkle:edSignature=\"${GITHUB_ED_SIGNATURE}\"" appcast.xml; then
+    echo -e "${RED}ERROR: Failed to update appcast.xml with new signature${NC}"
+    exit 1
+fi
 
-    echo -e "${GREEN}Appcast updated with correct GitHub signature${NC}"
+if ! grep -q "length=\"${GITHUB_FILE_SIZE}\"" appcast.xml; then
+    echo -e "${RED}ERROR: Failed to update appcast.xml with new file size${NC}"
+    exit 1
 fi
 
-rm -f "/tmp/github-uploaded-${VERSION}.zip"
+echo -e "${GREEN}Appcast verified: signature and size match GitHub ZIP${NC}"
+
+rm -f "$GITHUB_ZIP_PATH"
 
 # Git commit and push
 git add -A
