[GH-ISSUE #410] OTA Manifest error when on https #102

Closed
opened 2026-03-04 00:23:54 +03:00 by kerem · 6 comments

Originally created by @8mbe on GitHub (Mar 21, 2024).
Original GitHub issue: https://github.com/SignTools/SignTools/issues/410

**I tried basic troubleshooting first**

- [x] Updated **both** [SignTools](https://github.com/SignTools/SignTools) **and** the builder ([SignTools-CI](https://github.com/SignTools/SignTools-CI) or [SignTools-Builder](https://github.com/SignTools/SignTools-Builder)) to the latest version
- [x] Read through the [FAQ page](https://github.com/SignTools/SignTools/blob/master/FAQ.md)

**Describe the bug**

When trying to install an app from the signtools (hosted locally and exposed through reverse proxy Nginx Proxy Manager) I get `using OTA manifest proxy, installation may not work`. The URL that I access my instance of signtools is `https://sign.xxx.com` (where xxx is my domain name), but it reports that it sets `base_url` to `http://sign.xxx.com` (`WRN using OTA manifest proxy, installation may not work base_url=http://sign.xxx.com`)

**To reproduce**

Steps to reproduce the behavior:

1. Go to the self hosted instance of signtools
2. Upload the app and wait for it to be signed
3. Install the app

**Expected behavior**

A `Do you want to install this app?` prompt appears and app installs

**Logs**

- In logs, URL is replaced with `sign.xxx.com` and IPs are replaced with `xxx.xxx.xxx.xxx` for my own safety
  [_signtools_logs.txt](https://github.com/SignTools/SignTools/files/14686582/_signtools_logs.txt)

**Screenshots**

None.

**System configuration**

- SignTools version: [e.g. 3.0.0] v3.0.2
- Installation type: [cloud server, personal computer; nginx, ngrok, cloudflared] Personal Computer, Nginx Proxy Manager
- Operating System: [macOS, Linux, Windows] Linux, Debian 11 (signtools is running in docker container using `signtools/signtools`)
- Builder type: [SignTools-CI, SignTools-Builder] SignTools-CI
- Builder version: [e.g. 1.0.0 for SignTools-Builder; the latest commit hash of your repo for SignTools-CI, e.g. 03e0ed9] 13250eb

kerem closed this issue and added the `bug` label on 2026-03-04 00:23:54 +03:00.

@ViRb3 commented on GitHub (Mar 21, 2024):

You need to pass the `X-Forwarded-Proto: https` header from your reverse proxy to SignTools, see https://github.com/SignTools/SignTools/blob/master/INSTALL.md#4a-reverse-proxy.


@8mbe commented on GitHub (Mar 21, 2024):

> You need to pass the `X-Forwarded-Proto: https` header from your reverse proxy to SignTools, see https://github.com/SignTools/SignTools/blob/master/INSTALL.md#4a-reverse-proxy.

It is already done by NPM (Nginx Proxy Manager), so it doesn't seem to be the problem. Any other solution?

![image](https://github.com/SignTools/SignTools/assets/56559528/829527d1-46ba-415f-a721-3b21ded0c3e0)


@ViRb3 commented on GitHub (Mar 21, 2024):

I can think of a few potential issues:

- `$scheme` is not https; maybe try hardcoding `https` instead of `$scheme` just to test?
- is there something else in front of SignTools?
- is there something in front of nginx?
- what's in `proxy.conf`? maybe it's overriding something?

@8mbe commented on GitHub (Mar 21, 2024):

> * `$scheme` is not https; maybe try hardcoding `https` instead of `$scheme` just to test?

Looks like when I set it to `https`, I can't access signtools at all. Also, when I set `Automatically redirect to https` in config, I start receiving `SSL received a record that exceeded the maximum permissible length.` when visiting signtools directly (through local ip and port). Possibly this is the issue with `https` scheme.


@ViRb3 commented on GitHub (Mar 21, 2024):

The `X-Forwarded-Proto` is only used by SignTools for manifest creation and `Automatically redirect to https`, if enabled. If SignTools doesn't work at all, you probably have something else in the middle that breaks. I imagine the second error you get is due to infinite redirection if SignTools never sees `https` in the `X-Forwarded-Proto` header. Either way, seems like a problem with your setup, and not SignTools.
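
The behaviour described in the comment above, as an added Go example that is not SignTools code and not part of the thread: a backend that derives its external scheme from `X-Forwarded-Proto` and redirects to https whenever the header is absent, which is how the loop arises behind a TLS-terminating proxy. It goes one step further by honouring the header only from a known proxy peer; `trustedProxy`, `externalScheme`, `handle`, `probe`, the host name and the addresses are all hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

const trustedProxy = "172.18.0.2" // assumed reverse-proxy address (constructed)

// externalScheme honours X-Forwarded-Proto only from the trusted proxy peer.
func externalScheme(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // host is "" on parse error
	if r.TLS != nil || (host == trustedProxy && strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")) {
		return "https"
	}
	return "http"
}

// handle: hypothetical app with "redirect to https" on; base URL follows the scheme.
func handle(w http.ResponseWriter, r *http.Request) {
	if externalScheme(r) != "https" {
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
		return
	}
	fmt.Fprintf(w, "base_url=https://%s", r.Host)
}

// probe sends one constructed request from peer `remote`; empty proto = header absent.
func probe(remote, proto string) (int, string) {
	r := httptest.NewRequest("GET", "/", nil)
	r.Host, r.RemoteAddr = "sign.example.test", remote
	if proto != "" {
		r.Header.Set("X-Forwarded-Proto", proto)
	}
	w := httptest.NewRecorder()
	handle(w, r)
	if loc := w.Header().Get("Location"); loc != "" {
		return w.Code, loc
	}
	return w.Code, w.Body.String()
}

func main() {
	fmt.Println(probe("172.18.0.2:40000", "https"))  // header forwarded: https base URL
	fmt.Println(probe("172.18.0.2:40000", ""))       // header lost: 301 on every request
	fmt.Println(probe("203.0.113.9:40000", "https")) // untrusted peer: header ignored
}
```

In the second case the proxy re-sends the redirected request to the backend over plain HTTP, the header is still missing, and the same 301 comes back each time.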


@ViRb3 commented on GitHub (Apr 25, 2024):

Closing due to inactivity. Hope you got it sorted.
