[bug] tauri V2 updater InvalidSignature

[heiyehk]

Describe the bug

When I use the updater function, it has triggered the check. Then I use update.downloadAndInstall and the download completes, but the error Uncaught (in promise) InvalidSignature is returned.
I first used the release address of github, and then I used a separate https domain name to test, but the same error was reported.

Reproduction

No response

Expected behavior

No response

Full tauri info output

[✔] Environment
    - OS: Windows 10.0.22631 X64
    ✔ WebView2: 123.0.2420.97
    ✔ MSVC: Visual Studio Enterprise 2022
    ✔ rustc: 1.76.0 (07dca489a 2024-02-04)
    ✔ cargo: 1.76.0 (c84b36747 2024-01-18)
    ✔ rustup: 1.27.0 (bbb9276d2 2024-03-08)
    ✔ Rust toolchain: stable-x86_64-pc-windows-msvc (default)
    - node: 20.9.0
    - pnpm: 8.15.4
    - yarn: 1.22.22
    - npm: 10.1.0

[-] Packages
    - tauri [RUST]: 2.0.0-beta.16
    - tauri-build [RUST]: 2.0.0-beta.13
    - wry [RUST]: 0.39.2
    - tao [RUST]: 0.27.1
    - @tauri-apps/api [NPM]: 2.0.0-beta.6
    - @tauri-apps/cli [NPM]: 2.0.0-beta.10

[-] App
    - build-type: bundle
    - CSP: default-src 'self' customprotocol: asset:; style-src 'unsafe-inline' 'self' 'nonce-10500982406343687894' 'nonce-9786197052427597798'; connect-src ipc: http://ipc.localhost ws:; script-src 'self' 'unsafe-eval' 'sha256-f2aYrerT20WDJlPe3kdN3JfQlyKoRxP33xkWfDbeO9I=' 'sha256-GFebPxKzs1UkFRCbyMaykyYD7rGVWnt1zk1m6r+ZTWQ=' 'sha256-iUqSk0LHeoYfdwsQNbveDMYkU7Tq/OmyauSlE3snBuc='; font-src https://fonts.gstatic.com http://tauri.localhost; img-src 'self' blob: data: http: https: asset: http://asset.localhost
    - frontendDist: ../dist
    - devUrl: http://localhost:1420/
    - framework: Vue.js
    - bundler: Vite

Stack trace

No response

Additional context

No response

[FabianLars]

Can you double check whether the private key you used to sign the updater bundle (that generated the .sig file) belongs to the pubkey defined in tauri.conf.json? And also check whether the "signature" field in the server json is the full content of the .sig file that belongs to the updater bundle your server hosts (the .sig file changes every time you re-build your app!)

[heiyehk]

Can you double check whether the private key you used to sign the updater bundle (that generated the .sig file) belongs to the pubkey defined in tauri.conf.json? And also check whether the "signature" field in the server json is the full content of the .sig file that belongs to the updater bundle your server hosts (the .sig file changes every time you re-build your app!)

I found this problem, I configured it in tauri.config.json

        "wix": {
          "language": [
            "zh-CN",
            "en-US"
          ]
        }

Then the signature of the generated latest.json is zh-CN, but the updated package is en-US. And there is only one language update package in latest.json, and signature does not correspond to it. How should I deal with this?