starred/SignTools
1
0
Fork 0
mirror of https://github.com/SignTools/SignTools.git synced 2026-04-27 19:05:49 +03:00
Code Issues 20 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #244] Github SignTools-CI error in signing process. #77

New issue
Closed
opened 2026-03-04 00:23:41 +03:00 by kerem · 6 comments
kerem commented 2026-03-04 00:23:41 +03:00
Owner
Copy link

Originally created by @GioBar00 on GitHub (Sep 2, 2022).
Original GitHub issue: https://github.com/SignTools/SignTools/issues/244

I tried basic troubleshooting first

Bug description

An error "connect ETIMEDOUT 152.X.X.X:443" (X for privacy) occurs during the signing process of the GitHub action.
I'm using a docker container of SignTools and a nginx reverse proxy to expose the container on a custom subdomain (https://sign.example.com).
I'm able to access the web server to upload and rename the IPAs.
Since I also have other web servers on this machine the proxy to the container is only accessible through the domain.
Trying to access the web server directly via the IP address will not work and the server will not respond.
The server_url on my signer-cfg.yml if correct (https://sign.example.com).
Is it possible that ./sign.py tries to access the web server directly via the IP address?

Logs

SignTools-CI GitHub action:

sudo xcode-select -s /Applications/Xcode_13.2.1.app
./sign.py
shell: /bin/bash -e {0}
env:
SECRET_URL: ***
SECRET_KEY: ***

connect ETIMEDOUT 152.X.X.X:443
Initializing dependencies...
Traceback (most recent call last):
File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 42, in run_process
Downloading job files...
result = subprocess.run(cmd, capture_output=capture, check=check, env=env, cwd=cwd, timeout=timeout)
File "/usr/local/Cellar/python@3.10/3.10.6_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/subprocess.py", line 524, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('node', 'node-utils/download.js', '/jobs', '', 'job.tar')' returned non-zero exit status 3.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 1155, in
node_download(secret_url + "/jobs", job_archive, capture=False)
File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 131, in node_download
return run_process(
File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 44, in run_process
raise (
Exception: {'stdout': '', 'stderr': ''}
Error: Process completed with exit code 1.

System configuration

  • SignTools version: Docker latest
  • Installation type: docker, nginx
  • Builder type: SignTools-CI,
  • Builder version: SignTools-CI 4550595
Originally created by @GioBar00 on GitHub (Sep 2, 2022). Original GitHub issue: https://github.com/SignTools/SignTools/issues/244 **I tried basic troubleshooting first** - [x] Updated **both** [SignTools](https://github.com/SignTools/SignTools) **and** the builder ([SignTools-CI](https://github.com/SignTools/SignTools-CI) or [SignTools-Builder](https://github.com/SignTools/SignTools-Builder)) to the latest version - [X] Read through the [FAQ page](https://github.com/SignTools/SignTools/blob/master/FAQ.md) **Bug description** An error "connect ETIMEDOUT 152.X.X.X:443" (X for privacy) occurs during the signing process of the GitHub action. I'm using a docker container of SignTools and a nginx reverse proxy to expose the container on a custom subdomain (https://sign.example.com). I'm able to access the web server to upload and rename the IPAs. Since I also have other web servers on this machine the proxy to the container is only accessible through the domain. Trying to access the web server directly via the IP address will not work and the server will not respond. The `server_url` on my signer-cfg.yml if correct (https://sign.example.com). Is it possible that `./sign.py` tries to access the web server directly via the IP address? **Logs** SignTools-CI GitHub action: > sudo xcode-select -s /Applications/Xcode_13.2.1.app > ./sign.py > shell: /bin/bash -e {0} > env: > SECRET_URL: *** > SECRET_KEY: *** > > connect ETIMEDOUT 152.X.X.X:443 > Initializing dependencies... > Traceback (most recent call last): > File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 42, in run_process > Downloading job files... > result = subprocess.run(cmd, capture_output=capture, check=check, env=env, cwd=cwd, timeout=timeout) > File "/usr/local/Cellar/python@3.10/3.10.6_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/subprocess.py", line 524, in run > raise CalledProcessError(retcode, process.args, > subprocess.CalledProcessError: Command '('node', 'node-utils/download.js', '***/jobs', '***', 'job.tar')' returned non-zero exit status 3. > > The above exception was the direct cause of the following exception: > > Traceback (most recent call last): > File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 1155, in <module> > node_download(secret_url + "/jobs", job_archive, capture=False) > File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 131, in node_download > return run_process( > File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 44, in run_process > raise ( > Exception: {'stdout': '', 'stderr': ''} > Error: Process completed with exit code 1. **System configuration** - SignTools version: Docker latest - Installation type: docker, nginx - Builder type: SignTools-CI, - Builder version: SignTools-CI **4550595**
kerem 2026-03-04 00:23:41 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-03-04 00:23:42 +03:00
Author
Owner
Copy link

@ViRb3 commented on GitHub (Sep 2, 2022):

The builder will use whatever you give under server_url in the config. It will not try to use a raw IP address unless that's what you've given it. To me this looks like a connection issue with your setup. Did you try to ping your domain and see if it resolves to the same IP as the one you see in the logs? Do you see the request incoming on your server at all? Maybe a firewall, router, or ISP blocks the request. You can try something like https://portchecker.co/ to see if the port is reachable from the internet at all.

<!-- gh-comment-id:1235729649 --> @ViRb3 commented on GitHub (Sep 2, 2022): The builder will use whatever you give under `server_url` in the config. It will not try to use a raw IP address unless that's what you've given it. To me this looks like a connection issue with your setup. Did you try to ping your domain and see if it resolves to the same IP as the one you see in the logs? Do you see the request incoming on your server at all? Maybe a firewall, router, or ISP blocks the request. You can try something like https://portchecker.co/ to see if the port is reachable from the internet at all.
kerem commented 2026-03-04 00:23:42 +03:00
Author
Owner
Copy link

@GioBar00 commented on GitHub (Sep 2, 2022):

The ping is blocked, it is for sure accessible from the internet since I access the url from my home network and the server is hosted. Also tried with the site you linked and port 443 is open. I can access the site also from my phone on cellular network.

<!-- gh-comment-id:1235740382 --> @GioBar00 commented on GitHub (Sep 2, 2022): The ping is blocked, it is for sure accessible from the internet since I access the url from my home network and the server is hosted. Also tried with the site you linked and port 443 is open. I can access the site also from my phone on cellular network.
kerem commented 2026-03-04 00:23:42 +03:00
Author
Owner
Copy link

@GioBar00 commented on GitHub (Sep 2, 2022):

There is no authentication for now, it is fully accessible on port 443. The certificate is valid and all http traffic is redirected to https preserving the request uri.

<!-- gh-comment-id:1235741663 --> @GioBar00 commented on GitHub (Sep 2, 2022): There is no authentication for now, it is fully accessible on port 443. The certificate is valid and all http traffic is redirected to https preserving the request uri.
kerem commented 2026-03-04 00:23:43 +03:00
Author
Owner
Copy link

@ViRb3 commented on GitHub (Sep 2, 2022):

Hm, maybe GitHub's builder cannot reach your server for whatever reason? Try to modify https://github.com/SignTools/SignTools-CI/blob/master/.github/workflows/sign.yml in your own fork and add a simple curl https://152.x.x.x:443, see what it returns when you try to sign next time.

<!-- gh-comment-id:1235741669 --> @ViRb3 commented on GitHub (Sep 2, 2022): Hm, maybe GitHub's builder cannot reach your server for whatever reason? Try to modify https://github.com/SignTools/SignTools-CI/blob/master/.github/workflows/sign.yml **in your own fork** and add a simple `curl https://152.x.x.x:443`, see what it returns when you try to sign next time.
kerem commented 2026-03-04 00:23:43 +03:00
Author
Owner
Copy link

@GioBar00 commented on GitHub (Sep 2, 2022):

curl -m 30 https://152.x.x.x:443 runs out of time since the site is not accessible directly via the IP address. But I don't know why also curl -m 30 https://sign.example.com:443 doesn't work... (on the logs is written curl -m 30 ***:443)

<!-- gh-comment-id:1235750153 --> @GioBar00 commented on GitHub (Sep 2, 2022): `curl -m 30 https://152.x.x.x:443` runs out of time since the site is not accessible directly via the IP address. But I don't know why also `curl -m 30 https://sign.example.com:443` doesn't work... (on the logs is written `curl -m 30 ***:443`)
kerem commented 2026-03-04 00:23:43 +03:00
Author
Owner
Copy link

@ViRb3 commented on GitHub (Sep 2, 2022):

Assuming that you're blocking direct IP access via a reverse proxy like nginx, it won't silently drop the connection, you would get an error in curl. A time out means that it physically cannot reach the server at all, i.e. a firewall is silently dropping the connection. This explains why both your direct IP and hostname result in the same. This is definitely a networking issue that is out of scope for SignTools. Feel free to reply here if you find out the cause though, or ask on Discord if somebody else has experienced a similar thing.

<!-- gh-comment-id:1235752626 --> @ViRb3 commented on GitHub (Sep 2, 2022): Assuming that you're blocking direct IP access via a reverse proxy like nginx, it won't silently drop the connection, you would get an error in curl. A time out means that it physically cannot reach the server at all, i.e. a firewall is silently dropping the connection. This explains why both your direct IP and hostname result in the same. This is definitely a networking issue that is out of scope for SignTools. Feel free to reply here if you find out the cause though, or ask on Discord if somebody else has experienced a similar thing.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
dependabot/npm_and_yarn/prettier-3.8.2
dependabot/docker/golang-1.26.2-alpine
dependabot/github_actions/docker/build-push-action-7.1.0
dependabot/go_modules/golang.org/x/crypto-0.50.0
dependabot/github_actions/docker/login-action-4.1.0
dependabot/github_actions/actions/setup-go-6.4.0
dependabot/go_modules/github.com/rs/zerolog-1.35.0
dependabot/go_modules/golang.org/x/oauth2-0.36.0
dependabot/github_actions/docker/metadata-action-6.0.0
dependabot/github_actions/docker/setup-buildx-action-4.0.0
dependabot/github_actions/docker/setup-qemu-action-4.0.0
dependabot/go_modules/github.com/labstack/echo/v4-4.15.1
dependabot/github_actions/goreleaser/goreleaser-action-7.0.0
dependabot/docker/alpine-3.23.3
dependabot/github_actions/actions/checkout-6.0.2
develop
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.6.2
v2.6.1
v2.6.0
v2.5.21
v2.5.20
v2.5.19
v2.5.18
v2.5.17
v2.5.16
v2.5.15
v2.5.14
v2.5.13
v2.5.12
v2.5.11
v2.5.10
v2.5.9
v2.5.8
v2.5.7
v2.5.6
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.18
v2.4.17
v2.4.16
v2.4.15
v2.4.14
v2.4.13
v2.4.12
v2.4.11
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.15
v2.3.14
v2.3.13
v2.3.12
v2.3.11
v2.3.10
v2.3.9
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.6.0
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.0
v1.1.0
v1.0.1
v1.0.0
Labels
Clear labels   
bug

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question
No labels
bug
enhancement
enhancement
good first issue
help wanted
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/SignTools#77
No description provided.