Debugging Sparkle.framework signing errors

Dear Lazyweb:

Someone suggested I make jwzlyrics check for updates to itself, which seemed like a good idea at the time. I added Sparkle.framework to it (tripling its size), since that's what everyone seems to use. But it always fails signature verification and I'm at a loss as to how to debug that.

Here's what I know:

Copy the signature from the XML file and decode it:

echo "MEUCIGVrJehIr4+n+UEKLhdjORz/i2n2mHqD2vdoekp4qdyVAiEA3A93v+IIaPpoU0LoGkKA20V5hXwHmJd8LJ/FmSpnAnM=" | base64 -D > /tmp/a

Hash the downloaded zip file:

openssl dgst -sha1 -binary < jwzlyrics-1.7.zip > /tmp/b

The signature verifies, using the public key that is inside the .app in that .zip:

openssl dgst -dss1 -verify sparkle_dsa_pub.pem -signature /tmp/a /tmp/b
Verified OK

I've set a breakpoint on open and verified that ".../jwzlyrics.app/Contents/Resources/sparkle_dsa_pub.pem" (which exists) is being read.

I've set a breakpoint on b64decode and verified that the above base64 string is going in, and that what comes out agrees with "base64 -D".

Yet I still get a dialog saying "Update Error! The update is improperly signed."

Ideas?

(You can reproduce this by taking the .app and replacing "1.7" with "1.6" inside its Info.plist.)


Update: I figured it out! You have to generate your keys with the version of openssl in /usr/bin/, not the one in /opt/local/bin/. 0.9.8r versus 1.0.1c, in my case. Geez.
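
An added example, not part of the original post: a standard-library Python check that decodes the signature string above and confirms it is a well-formed DER SEQUENCE of two INTEGERs (r, s), reporting their bit lengths. In DSA both values are smaller than the key's parameter q, so their lengths indicate roughly how large q is for the signing key. The function names are hypothetical, chosen for this example.

```python
import base64

# Signature string copied from the post (the value decoded with "base64 -D").
SIG_B64 = ("MEUCIGVrJehIr4+n+UEKLhdjORz/i2n2mHqD2vdoekp4qdyV"
           "AiEA3A93v+IIaPpoU0LoGkKA20V5hXwHmJd8LJ/FmSpnAnM=")


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def _read_integer(buf, pos):
    """Read a positive DER INTEGER, rejecting negative or padded encodings."""
    raw, pos = _read_tlv(buf, pos, 0x02)
    if not raw or raw[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if len(raw) > 1 and raw[0] == 0 and not raw[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(raw, "big"), pos


def inspect_dsa_signature(sig_b64):
    """Decode a base64 DSA signature; return its size and (r, s) bit lengths."""
    der = base64.b64decode(sig_b64, validate=True)
    body, end = _read_tlv(der, 0, 0x30)  # SEQUENCE { INTEGER r, INTEGER s }
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_integer(body, 0)
    s, pos = _read_integer(body, pos)
    if pos != len(body):
        raise ValueError("extra data inside SEQUENCE")
    return {"der_bytes": len(der), "r_bits": r.bit_length(), "s_bits": s.bit_length()}

if __name__ == "__main__":
    print(inspect_dsa_signature(SIG_B64))
```

Running the same function on a signature made with a different key gives a quick side-by-side view of how the two keys' parameters differ.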
