Someone suggested I make jwzlyrics check for updates to itself, which seemed like a good idea at the time. I added Sparkle.framework to it (tripling its size), since that's what everyone seems to use. But it always fails signature verification and I'm at a loss as to how to debug that.
Here's what I know:
Copy the signature from the XML file and decode it:
Hash the downloaded zip file:
openssl dgst -sha1 -binary < jwzlyrics-1.7.zip > /tmp/b
The signature verifies, using the public key that is inside the .app in that .zip:
openssl dgst -dss1 -verify sparkle_dsa_pub.pem -signature /tmp/a /tmp/b
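The same pipeline end to end, as an added example that is not from the original post or from Sparkle: generate a DSA key pair, sign a stand-in archive the way a release script does (SHA-1 of the file, then a DSA signature over that digest, base64-encoded for the appcast), then decode, hash and verify with the two commands above, and confirm that a modified archive is rejected. It assumes an `openssl` binary on PATH; all file names are made up for the demo, and `-sha1` is used where the post has `-dss1`, because that alias is gone from newer OpenSSL releases and means the same thing for a DSA signature.

```shell
#!/bin/sh
# Added example (not from the original post or from Sparkle): reproduce the
# hash / DSA-verify pipeline with the openssl CLI, including the failure case.
# Assumes `openssl` is on PATH. All file names below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for jwzlyrics-1.7.zip; the bytes do not matter.
printf 'stand-in update archive, version 1.7\n' > "$WORK/update.zip"
# Same archive with one byte changed, standing in for a tampered download.
printf 'stand-in update archive, version 1.6\n' > "$WORK/tampered.zip"

# Hypothetical developer key pair: DSA parameters, private key, public key.
# In Sparkle the public half ships inside the .app; the private half never does.
gen_keys() {
    openssl dsaparam -out "$WORK/params.pem" 1024 2>/dev/null
    openssl gendsa -out "$WORK/dsa_priv.pem" "$WORK/params.pem" 2>/dev/null
    openssl dsa -in "$WORK/dsa_priv.pem" -pubout -out "$WORK/dsa_pub.pem" 2>/dev/null
}

# Release side: SHA-1 the archive, then DSA-sign that digest. `openssl dgst
# -sign` hashes its input once more, so the signature is over SHA1(SHA1(zip)),
# which is exactly what the two-step verify below checks. Base64 the result
# so it fits in an appcast XML attribute.
sign_update() {
    openssl dgst -sha1 -binary < "$1" \
      | openssl dgst -sha1 -sign "$WORK/dsa_priv.pem" \
      | openssl base64 -A
}

# Updater side, mirroring the post's commands:
#   1. decode the base64 signature taken from the appcast   (/tmp/a in the post)
#   2. hash the downloaded file                              (/tmp/b in the post)
#   3. check the DSA signature over that hash with the public key.
# Returns 0 when the signature is good, 1 otherwise.
verify_update() {
    sig_b64="$1"; file="$2"
    printf '%s' "$sig_b64" | openssl base64 -d -A > "$WORK/sig.bin"
    openssl dgst -sha1 -binary < "$file" > "$WORK/digest.bin"
    openssl dgst -sha1 -verify "$WORK/dsa_pub.pem" \
        -signature "$WORK/sig.bin" "$WORK/digest.bin" >/dev/null 2>&1
}

gen_keys
SIG="$(sign_update "$WORK/update.zip")"
echo "appcast signature: $SIG"
if verify_update "$SIG" "$WORK/update.zip"; then echo "original: good signature"; fi
if ! verify_update "$SIG" "$WORK/tampered.zip"; then echo "tampered: improperly signed"; fi
```

Run it as a plain `sh` script. The useful part when debugging a failing update is that every intermediate artifact (`sig.bin`, `digest.bin`, the two PEM files) lands in one directory, so each can be compared byte for byte with what the updater actually reads: if the signature verifies here with the same public key and the same downloaded file, the mismatch is in what the updater is hashing or decoding, not in the signature itself.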
I've set a breakpoint on open and verified that ".../jwzlyrics.app/
I've set a breakpoint on b64decode and verified that the above base64 string is going in, and that what comes out agrees with "base64 -D".
Yet I still get a dialog saying "Update Error! The update is improperly signed."
(You can reproduce this by taking the .app and replacing "1.7" with "1.6" inside its Info.plist.)
Update: I figured it out! You have to generate your keys with the version of openssl in /usr/bin/, not the one in /opt/local/bin/. 0.9.8r versus 1.0.1c, in my case. Geez.