Granted, that’s hardly the best error message in the world, but:
jb@syno:~/s/g/s/syncthing $ stsigtool
Usage:
stsigtool <command>
Where command is one of:
...
sign <privkeyfile> [datafile]
- sign a file
...
You should give it the private key followed by the binary to sign, i.e. the opposite of what you’re doing there. The unfortunate error that you see comes from failing to parse the first parameter as a private key file.
You also don’t need to create a signature unless you intend to distribute the binary using the automatic upgrade system. The automatic upgrade system is the only consumer of these signatures; not, for example, Windows itself, which has its own way of signing binaries.
It ran but didn’t give a sig file, and yes, I’m wanting to run it on my own update server, as I’m making some changes to make it easier for some of the people in the network to use/setup.
What you actually need to do, now that I think more about it (we changed this in 0.13) is pipe the archive file name and binary through stsigtool as above, and save it as .metadata/release.sig in the release archive. See this line in the release tools script that does this for the exact procedure:
There is also a syncthing.sig which is the same without the archive file name being part of the signature. This is consumed by v0.12 and earlier releases.
Compare what you do with what you can see in one of the official release packages on GitHub.
That script is what does the signing I do on every release. We should update the docs.
Yep, that’s as expected. stsigtool has the official key embedded and will use that unless given another key on the command line.
Once you’ve created a package archive, you can test it by uploading it to wherever and running syncthing -upgrade-to https://url-to-the-package, as syncthing will go through the whole upgrade and verification process there. Note then that
The package must be signed with the above highlighted archive name + binary contents method
The syncthing you’re upgrading from must be compiled with the public key that you used to sign the package
The archive must actually be called what was included in the signature
Sorry, I don’t know. Perhaps you can create a temporary file containing first the filename, a newline (UNIX newline even, not Windows), then the contents of the syncthing.exe, then sign that.
If you’re a programmer of any kind it may even be easiest to automate this with anything from Go via C# to Visual Basic…
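As an added example (not stsigtool’s code and not from anyone in this thread), the following Go program builds the exact input the posts above describe, the archive file name, one UNIX newline, then the binary contents, signs it, and then verifies it the way an upgrader would: by recomputing the digest from the archive name it actually sees and the binary it extracted. The SHA-256 digest, the P-384 key and the ASN.1 ECDSA encoding are assumptions for illustration and stand in for whatever stsigtool does internally; the archive name and binary bytes are constructed. It also shows why the three conditions in the upgrade post hold: renaming the archive or altering a single byte of the binary makes verification fail.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// signedPayload builds the bytes that get signed: the archive file name,
// a single UNIX newline (0x0a, never "\r\n"), then the raw binary contents.
// The layout follows the description in the thread; it is an assumption
// that this is byte-for-byte what stsigtool consumes.
func signedPayload(archiveName string, binary []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(archiveName)
	buf.WriteByte('\n')
	buf.Write(binary)
	return buf.Bytes()
}

// signPayload hashes the payload with SHA-256 and signs the digest with the
// private key. Digest and encoding choices are assumptions for this example.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyPayload is what the upgrading side does: it rebuilds the payload from
// the archive name it downloaded and the binary it extracted, then checks the
// signature against the public key compiled into the running syncthing.
func verifyPayload(pub *ecdsa.PublicKey, archiveName string, binary, sig []byte) bool {
	digest := sha256.Sum256(signedPayload(archiveName, binary))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed key pair; a real release would use the key whose public
	// half is embedded in the syncthing build being upgraded.
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}

	// Constructed stand-ins for the archive name and syncthing.exe contents.
	archive := "syncthing-windows-amd64-vX.Y.Z.zip"
	binary := []byte("MZ\x90\x00 constructed stand-in for syncthing.exe")

	sig, err := signPayload(priv, signedPayload(archive, binary))
	if err != nil {
		log.Fatal(err)
	}
	// This is the content that would be stored as .metadata/release.sig.
	fmt.Printf("signature: %d bytes\n", len(sig))

	fmt.Println("correct name and binary:", verifyPayload(&priv.PublicKey, archive, binary, sig))
	fmt.Println("archive renamed:        ", verifyPayload(&priv.PublicKey, "renamed.zip", binary, sig))
	fmt.Println("binary altered:         ", verifyPayload(&priv.PublicKey, archive, append(binary, 0), sig))
}
```

The middle verification call is the one that catches the most common mistake from the thread: signing under one archive name and then uploading the package under another. The bytes in the archive are untouched, yet the signature no longer matches because the name is part of what was signed.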