
Sign Feed

Open vbjay opened this issue 8 years ago • 5 comments

Have the updater check the signature of signed feeds. Use a key pair to sign the file. Give the public key to apps. They can verify they are getting a valid and trusted feed.

vbjay avatar Jan 22 '17 18:01 vbjay

We will not use a signature file, you can provide a SHA of the feed to be validated against - that would be a nice feature. Pull requests welcome :)

synhershko avatar Jan 22 '17 19:01 synhershko

No signature file. I meant the signature would be part of the feed. The feed builder could generate RSA keys and let the user export the public key. The app could use the public key to verify feed signature to know it was published by allowed publisher.

vbjay avatar Jan 23 '17 01:01 vbjay

This is a good security feature to prevent the spread of malicious updates if the update source is compromised, since the attacker won't be able to publish updates if he does not have the private key.

Method 1

  • Include a signature of the feed file inside the feed file that is validated by the client when looking for updates; if the signature is invalid, the update is aborted
  • Enforce that files are only updated if the checksum of the downloaded file matches the checksum in the feed file (as far as I know this is not done at the moment); this is to ensure that you as an attacker can't leave the feed as it is and only modify the binaries.

This is a good method, but is a bit of work and requires that the publisher organizes specific certs for publishing updates.

We have a PR with this method at: https://github.com/synhershko/NAppUpdate/pull/45

Method 2

  • Create an option where the client validates that each downloaded binary is code signed using the same cert as the currently running version or one that has been whitelisted in the client

This is a quite straightforward fix, but it requires that the publisher has bought code signing certs, and it is not applicable to files that cannot be code signed (configuration files etc.).

robinwassen avatar Mar 28 '17 06:03 robinwassen
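Method 1 as described in the comment above, written out as an added Go example (not NAppUpdate's own code, which is .NET): the feed builder signs the serialized feed with an RSA key pair and embeds the signature in the feed document, the client verifies it against a pinned public key before trusting any entry, and each downloaded file is then checked against the checksum the signed feed declares. The feed layout, the function names and the choice of RSA-PSS over SHA-256 are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Feed maps each file name to its SHA-256, so the checksums are covered by the
// signature (constructed layout for this example, not NAppUpdate's real schema).
type Feed struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignedFeed embeds the signature in the feed document itself. The body stays
// raw bytes so the client verifies exactly what was signed, not a re-encoding.
type SignedFeed struct {
	Feed      json.RawMessage `json:"feed"`
	Signature []byte          `json:"signature"`
}

// BuildSignedFeed (publisher side): RSA-PSS over SHA-256 of the serialized feed.
func BuildSignedFeed(priv *rsa.PrivateKey, f Feed) ([]byte, error) {
	body, _ := json.Marshal(f) // cannot fail for this plain struct
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	return json.Marshal(SignedFeed{Feed: body, Signature: sig})
}

// VerifyFeed (client side) checks the embedded signature against the pinned
// publisher public key before any entry is trusted; a bad signature aborts.
func VerifyFeed(pub *rsa.PublicKey, doc []byte) (*Feed, error) {
	var sf SignedFeed
	if err := json.Unmarshal(doc, &sf); err != nil {
		return nil, err
	}
	h := sha256.Sum256(sf.Feed)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sf.Signature, nil); err != nil {
		return nil, err // rsa.ErrVerification: tampered feed or unknown publisher
	}
	f := new(Feed)
	return f, json.Unmarshal(sf.Feed, f)
}

// VerifyDownload: install a file only if it hashes to the signed feed's checksum.
func VerifyDownload(f *Feed, name string, data []byte) bool {
	sum := sha256.Sum256(data)
	return f.Files[name] == hex.EncodeToString(sum[:])
}
```

A feed whose body was edited after signing, or one signed with a key other than the pinned one, fails in VerifyFeed; a binary swapped on the download server fails in VerifyDownload, which is the second rule from the comment.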

Worth mentioning is that I have seen both methods applied in other update libraries.

robinwassen avatar Mar 28 '17 06:03 robinwassen

I prefer method 1. It solves the two issues you mentioned with method 2.

vbjay avatar Mar 28 '17 14:03 vbjay