Issues with the upload of a new release via REST API to the appstore

I have the problem that I want to implement a CI/CD using Github Actions to publish to the official app store. So far I managed to get all relevant information together and try to push the release out using a curl-invoked API request.

I get the message that the release could not be published (here is an example CI run, look close to the bottom):

["Signature is invalid: [('rsa routines', 'int_rsa_verify', 'wrong signature length')]"]

I kept strict to the routines depicted in the docs. I think the length is correct as I compared it with other signatures from older app releases.

Can anyone point me in the right direction to solve the issue, please? I am a bit stuck as I have no more idea where the issue is.

the same procedure works if you try it locally, I guess? have you tried that?

I do not have the access rights to do it. The main maintainer did not find a way to add me as a co-maintainer so I technically have no saying in the appstore. He posted this message to give me the access.

In fact, he has stored his appstore token as a secret in the repository. I am not willing to hack my way there to get the secret.

hmm. then there is a lot else that could go wrong. I also saw someone else recently report an issue with the private key in a env variable. This could be related: https://github.com/ChristophWurst/krankerl/issues/820

OK, thank you so far. As soon as the other question regarding the adding of co-maintainers from above is answered and I am allowed to publish on my own behalf, I can test the signature in the web UI. That should give a clue if the issue is related to the CURL invocation I used or the creation of the signature.

The alternative would be to use the krankerl rust toolset by you. I am completely new to rust, so is there any documentation what is needed in order to set it up?

Iā€™m not sure either how co-authors work. I think that just regulates who is allowed to push the signed release. But for the signature you will need access to the secret private key.

You can use the tool but I would advice to use the documented standard procedure first. That procedure will work if everything is right. Once you got this confirmed you can experiment with the tool.

For now, I would not need the key but the right to upload a signed release would suffice to test if the CI-generated signature is valid.

The problem @jzapp has is that he does not find a setting in the appstore where he can promote the co-maintainers. Or are we here in the wrong place to ask and better ask elsewhere (where would be better)? Ask directly via issue on the appstore repo?

I forwarded How to add a co-maintainer to an app? to the app store admins.

1 Like

Hello and thank you for your support. I managed to get the CI running. The secret was a dated key instead of the current one. After replacing the private key it worked directly. Thanks anyways.

1 Like

Well that explains it :slight_smile: