update wingetui itself from github #1925
-
Because using my own server allows me to customize how updates work, how they are checked, and to add a different endpoint. Let's say, for example, my GitHub account gets hacked: I could still set the latest version to zero with an invalid hash and no one could publish an update with malware through the built-in updater.
-
So currently the update is done by checking on your website a link to GitHub with a hash check, and the actual exe is actually downloaded from GitHub? Is this mechanism documented anywhere, out of curiosity?
-
Thanks for the clarifications, I think I understand better now. I usually use and like open source apps for their simplicity and cleanness and because I am able to easily identify endpoints (using some interactive firewall). Normally I am expecting the app to connect to the bare minimum endpoints needed to fulfil their jobs (in this case connecting to each of the package manager endpoints). Some thoughts on the current approach:
I took a look in the code and even though I don't code in C# I was able to understand and was expecting this mechanism in the app. The missing puzzle is - How is the hash and version updated in the website page - is it done automatically or do you type it manually?
-
I asked AI for an example of such a self-update implementation. I think it should be usable as guidance. There are a few options available for implementing a self-update mechanism for a C# Windows desktop application using GitHub Releases. Here's an example of how you might implement such a mechanism using GitHub Releases and Squirrel.Windows:
Self-updating a C# Windows desktop app can be implemented safely by having the app call an external updater program, which handles the update process separately from the main app. This approach ensures that the update process does not interfere with the functioning of the main app. Additionally, some developers recommend maintaining accurate DLL versions and ensuring that the updater can update itself. Overall, while developing a custom self-updating mechanism requires careful consideration and testing, it appears to be a viable option for managing software updates. However, it is essential to keep security best practices in mind during development and implementation to avoid potential vulnerabilities. Here's an example of what the updated start code might look like:
...But what about my other idea, to self update from within wingetUI itself via winget/chocolatey?
-
Regarding hash check, AI replied: Assuming that you are using GitHub releases to distribute your application updates, one way to ensure app integrity through hash checks is to include a precomputed hash value alongside each released executable. This allows users to validate the authenticity and integrity of the downloaded file by checking its corresponding hash value after the download completes. To achieve this, you could follow these general steps:
By incorporating hash checks into your self-update mechanism, you can enhance the overall security posture of your application distribution pipeline and improve end-user trust. Keep in mind that including regular security audits and practicing good coding hygiene throughout your development cycle will further strengthen the robustness of your solution.
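The check discussed in this thread, as an added example (not WingetUI's code and not written by any participant): the version and SHA-256 come from one endpoint, the file from another, and the update is accepted only if both checks pass. The manifest shape, all names and the sample bytes are assumptions constructed for illustration; it needs .NET 5 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical manifest: what the author-controlled endpoint publishes.
// Field names are assumptions, not WingetUI's actual format.
public record UpdateManifest(string LatestVersion, string Sha256Hex);

public static class UpdateCheck
{
    // True only if the manifest offers a newer version AND the downloaded
    // bytes hash to the value pinned in the manifest. Every failure is "no update".
    public static bool ShouldInstall(UpdateManifest m, Version installed, byte[] downloaded)
    {
        // Kill switch from the thread: a version of zero (or an unparsable
        // one) is never newer than what is installed.
        if (!Version.TryParse(m.LatestVersion, out var offered) || offered <= installed)
            return false;

        // An invalid hash (non-hex or wrong length) can never match: fail closed.
        byte[] expected;
        try { expected = Convert.FromHexString(m.Sha256Hex); }
        catch (FormatException) { return false; }
        if (expected.Length != 32) return false;

        byte[] actual = SHA256.HashData(downloaded);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample data standing in for the file fetched from GitHub.
        byte[] release = Encoding.UTF8.GetBytes("constructed installer bytes");
        byte[] tampered = Encoding.UTF8.GetBytes("constructed installer bytes, modified");
        string pinned = Convert.ToHexString(SHA256.HashData(release));
        var installed = new Version(2, 1, 0);

        var normal = new UpdateManifest("2.2.0", pinned);
        var killSwitch = new UpdateManifest("0", "invalid");

        // Case 1: genuine release that matches the pinned hash.
        Console.WriteLine(ShouldInstall(normal, installed, release));
        // Case 2: file on the download host no longer matches the manifest.
        Console.WriteLine(ShouldInstall(normal, installed, tampered));
        // Case 3: author set version to zero with an invalid hash.
        Console.WriteLine(ShouldInstall(killSwitch, installed, release));
    }
}
```

The hash only protects the download if the manifest endpoint is trusted independently of the download host, which is the separation the first reply in this thread describes.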
-
Will investigate this, but I am not sure if I will change the updater.
-
Currently WingetUI uses www.marticliment.com (if I am not wrong) to check for updates. Why not update from GitHub instead?