
Sign Feed #93

Open
vbjay opened this issue Jan 22, 2017 · 5 comments

Comments

@vbjay

vbjay commented Jan 22, 2017

Have the updater check signature of signed feeds. Use a key pair to sign file. Give the public key to apps They can verify they are getting a valid and trusted feed.

@synhershko
Owner

We will not use a signature file, you can provide a SHA of the feed to be validated against - that would be a nice feature. Pull requests welcome :)

@vbjay
Author

vbjay commented Jan 23, 2017 via email

@robinwassen
Collaborator

This is a good security feature to prevent spread of malicious updates if the update source is compromised since the attacker won't be able to publish updates if he does not have the private key.

Method 1

  • Include a signature of the feed file inside the feed file that is validated by the client when looking for updates, if the signature is invalid the update is aborted
  • Enforce that files are only updated if the checksum of the downloaded file matches the checksum in the feed file (as far as I know this is not done at the moment), to ensure that an attacker can't leave the feed as it is and only modify the binaries.

This is a good method, but is a bit of work and requires that the publisher organizes specific certs for publishing updates.

We have a PR with this method at: #45

Method 2

  • Create an option where the client validates that each downloaded binary is code signed using the same cert as the currently running version or one that has been whitelisted in the client

This is a quite straightforward fix, but it requires that the publisher has bought code-signing certs and is not applicable to files that cannot be code signed (configuration files etc).
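
One way to implement Method 1 end to end, as an added example in Go that is not the project's own code: the feed carries its own signature, the client verifies it with a public key compiled into the app, and a downloaded file is only accepted if it hashes to the value in the verified feed. The JSON field names, the choice of Ed25519 as the signature scheme, the key seed and the file contents are all assumptions made for the illustration, not anything the thread or the project specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// FeedEntry describes one file the updater will download (hypothetical field names).
// The sha256 value is what binds the binary to the signed feed.
type FeedEntry struct {
	Path   string `json:"path"`
	URL    string `json:"url"`
	SHA256 string `json:"sha256"`
}

// Feed is the update manifest. The signature travels inside the feed, as Method 1
// proposes, and covers every other field.
type Feed struct {
	Version   string      `json:"version"`
	Files     []FeedEntry `json:"files"`
	Signature string      `json:"signature,omitempty"`
}

// canonicalBytes returns the bytes that are signed: the feed encoded with the
// signature field cleared. encoding/json writes struct fields in declaration
// order, so publisher and client derive identical bytes from identical content.
func canonicalBytes(f Feed) ([]byte, error) {
	f.Signature = ""
	return json.Marshal(f)
}

// SignFeed runs on the publisher's side, which alone holds the private key.
func SignFeed(f Feed, priv ed25519.PrivateKey) ([]byte, error) {
	msg, err := canonicalBytes(f)
	if err != nil {
		return nil, err
	}
	f.Signature = hex.EncodeToString(ed25519.Sign(priv, msg))
	return json.Marshal(f)
}

// VerifyFeed runs in the client with the pinned public key. Any failure aborts
// the update before a single file is downloaded.
func VerifyFeed(raw []byte, pub ed25519.PublicKey) (Feed, error) {
	var f Feed
	if err := json.Unmarshal(raw, &f); err != nil {
		return Feed{}, fmt.Errorf("feed: not parseable: %w", err)
	}
	sig, err := hex.DecodeString(f.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Feed{}, errors.New("feed: missing or malformed signature, aborting update")
	}
	msg, err := canonicalBytes(f)
	if err != nil {
		return Feed{}, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return Feed{}, errors.New("feed: signature does not verify, aborting update")
	}
	return f, nil
}

// VerifyDownload enforces the second bullet of Method 1: a file is only installed
// if it hashes to the value in the already verified feed, so an attacker who
// leaves the feed alone and swaps only the binary is still caught.
func VerifyDownload(entry FeedEntry, data []byte) error {
	sum := sha256.Sum256(data)
	want, err := hex.DecodeString(entry.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return fmt.Errorf("%s: checksum mismatch, refusing to install", entry.Path)
	}
	return nil
}

// RunScenarios exercises the honest path and the two tampering cases the thread
// describes. The key seed and file bytes are constructed for this example only.
func RunScenarios() map[string]error {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	binary := []byte("MZ constructed app build 1.1.0")
	sum := sha256.Sum256(binary)
	signed, _ := SignFeed(Feed{Version: "1.1.0", Files: []FeedEntry{{
		Path: "app.exe", URL: "https://updates.example.invalid/app.exe",
		SHA256: hex.EncodeToString(sum[:]),
	}}}, priv)
	trojan := []byte("MZ constructed attacker build")
	results := map[string]error{}

	// 1. Honest feed and honest download: both checks pass.
	f, err := VerifyFeed(signed, pub)
	if err == nil {
		err = VerifyDownload(f.Files[0], binary)
	}
	results["valid"] = err

	// 2. The update host is compromised: the attacker rewrites the feed to carry
	//    the trojan's hash but cannot re-sign it without the private key.
	var evil Feed
	_ = json.Unmarshal(signed, &evil)
	tsum := sha256.Sum256(trojan)
	evil.Files[0].SHA256 = hex.EncodeToString(tsum[:])
	evilRaw, _ := json.Marshal(evil)
	_, results["tampered feed"] = VerifyFeed(evilRaw, pub)

	// 3. The attacker leaves the signed feed untouched and only swaps the binary.
	f, _ = VerifyFeed(signed, pub)
	results["tampered binary"] = VerifyDownload(f.Files[0], trojan)
	return results
}

func main() {
	r := RunScenarios()
	for _, name := range []string{"valid", "tampered feed", "tampered binary"} {
		fmt.Printf("%-16s -> %v\n", name, r[name])
	}
}
```

Two points a practitioner would want to check in any real implementation of this: the public key must be embedded in the client, never fetched from the same host that serves the feed, or a compromised host can simply publish its own key alongside its own feed; and the client must have no fallback path that accepts an unsigned feed, otherwise an attacker just strips the signature field.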

@robinwassen
Collaborator

Worth mentioning is that I have seen both methods applied in other update libraries.

@vbjay
Author

vbjay commented Mar 28, 2017 via email

3 participants