Sign Feed

[vbjay]

Have the updater check signature of signed feeds. Use a key pair to sign file. Give the public key to apps They can verify they are getting a valid and trusted feed.

[synhershko]

We will not use a signature file, you can provide a SHA of the feed to be validated against - that would be a nice feature. Pull requests welcome :)

[vbjay]

No signature file. I meant the signature would be part of the feed. The feed builder could generate RSA keys and let the user export the public key. The app could use the public key to verify feed signature to know it was published by allowed publisher.

…

On Sun, Jan 22, 2017, 2:08 PM Itamar Syn-Hershko ***@***.***> wrote: We will not use a signature file, you can provide a SHA of the feed to be validated against - that would be a nice feature. Pull requests welcome :) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#93 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADdhse9X9Xl38i0vv04pnrH-wPnYc6o4ks5rU6ktgaJpZM4Lqdrg> .

[robinwassen]

This is a good security feature to prevent spread of malicious updates if the update source is compromised since the attacker won't be able to publish updates if he does not have the private key.

Method 1

• Include a signature of the feed file inside the feed file that is validated by the client when looking for updates, if the signature is invalid the update is aborted
• Enforce that files are only updated if the checksum of the downloaded file matches the checksum in the feed file (as far as I know this is not done at the moment), this to ensure that you as an attacker can't leave the feed as it is and only modify the binaries.

This is a good method, but is a bit of work and requires that the publisher organizes specific certs for publishing updates.

We have a PR with this method at: #45

Method 2

• Create an option where the client validates that each downloaded binary is code signed using the same cert as the currently running version or one that has been white listed in the client

This is an quite straight forward fix, but it requires that the publisher has bought code sign certs and is not applicable to files that cannot be code signed (configuration files etc).

[robinwassen]

Worth mentioning is that I have seen both methods applied in other update libraries.

[vbjay]

I prefer method 1. It solves the 2 issues you mentioned of method 2.

…

On Tue, Mar 28, 2017, 2:00 AM Robin Andersson ***@***.***> wrote: Worth mentioning is that I have seen both methods applied in other update libraries. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#93 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADdhsSxrymvo2DxMJYp5RU8C7mTjZzOsks5rqKIZgaJpZM4Lqdrg> .