This repository has been archived by the owner on Sep 26, 2022. It is now read-only.

How to use/test? Missing versions.gz #21

Closed
JPFrancoia opened this issue Sep 27, 2016 · 6 comments
Comments

@JPFrancoia (Author)

Hi,

I'm still investigating this very promising module. I have a few questions though.

  • Is it really mandatory to sign the packages?
  • I can't figure out how to use pyupdater. I followed the steps here: http://www.pyupdater.org/usage-cli/ (except for the signing part). I created a pyupdater repo, I have a python script ready to upgrade itself, I packaged the script with my spec file, I processed the packages, etc., but I can't manage to start the update process.

Here is what I have in my deploy folder:

ChemBrows  ChemBrows-nix64-0.9.8.tar.gz  ChemBrows-nix64-0.9.9.tar.gz

ChemBrows is the extracted executable from ChemBrows-nix64-0.9.8.tar.gz. In the folder, there is the next version of my software. ChemBrows will simply do basic stuff for now:

        from pyupdater.client import Client
        from client_config import ClientConfig  # the generated client_config.py

        client = Client(ClientConfig())
        client.refresh()  # fetches keys.gz and versions.gz from the update server

        client.add_progress_hook(self._printStatus)

        # version: the running app's own version string
        app_update = client.update_check(client.app_name, version)

        print(app_update)  # None when no update metadata could be loaded

I then start a local python server (python -m http.server 8000) in the deploy folder.

When I start ChemBrows, here is the log of the python server:

127.0.0.1 - - [27/Sep/2016 12:07:06] code 404, message File not found
127.0.0.1 - - [27/Sep/2016 12:07:06] "GET /keys.gz HTTP/1.1" 404 -
127.0.0.1 - - [27/Sep/2016 12:07:06] code 404, message File not found
127.0.0.1 - - [27/Sep/2016 12:07:06] "GET /versions.gz HTTP/1.1" 404 -

And of course, print(app_update) returns None.

It is obvious I'm missing something here. Is it possible to have more details about how the files should be stored on the remote server, and about how to get the missing files?

@JPFrancoia JPFrancoia changed the title from "How to use/test ?" to "How to use/test ? Missing versions.gz" on Sep 27, 2016
@JMSwag (Member) commented Sep 30, 2016

I'm pretty sure this is the bug I found today at work. There is an issue somewhere with importing the keyfile. I'm investigating now.

@JPFrancoia (Author)

Something like no key file, no versions.gz file?

@JMSwag (Member) commented Sep 30, 2016

First let me apologize for not answering your questions.

Signing is essential to the security of this library. It adds a signature to the version file which the client verifies with the public key. Signing also generates the versions.gz & keys.gz archives. Once you have those, the call to update_check will return an update object on which you can call download & extract_restart to complete your update.

The bug mentioned above is unrelated to this.

Will you be using AWS S3 or your own server? May I ask why you don't want to sign your metadata?
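The mechanism described in the comment above, written out as an added example. This is not PyUpdater's code, not its file format, and not its language (it is Go, chosen for its standard-library Ed25519 so it runs with no dependencies); the manifest layout, the function names and the sample versions are assumptions. It shows the two halves of the scheme: the publisher signs the version manifest with a private key that never leaves the build machine and gzips the signed bundle into a versions.gz-style file, and the client refuses to read anything out of that file until the signature verifies under the public key it already holds (the job keys.gz does for PyUpdater). It also answers the question raised further down about bypassing signing: a copy of the file rewritten on the hosting account without the private key is rejected.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"io"
)

// Manifest is a constructed stand-in for the metadata PyUpdater writes to
// versions.gz; the real file layout is not reproduced here.
type Manifest struct {
	App      string            `json:"app"`
	Versions map[string]string `json:"versions"` // version -> sha256 of its archive
}

// SignedBundle is what gets uploaded: the exact manifest bytes plus an Ed25519
// signature over those bytes, made with the publisher's private key, which
// stays on the build machine and never goes near the FTP/web host.
type SignedBundle struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"`
}

func gzipJSON(v interface{}) ([]byte, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// gunzipJSON treats its input as untrusted server output: decompression is
// capped so an oversized file cannot exhaust the client's memory.
func gunzipJSON(gz []byte, v interface{}) error {
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return err
	}
	defer zr.Close()
	raw, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Publish is the signing step: sign the manifest, then gzip the bundle for upload.
func Publish(m Manifest, priv ed25519.PrivateKey) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return gzipJSON(SignedBundle{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
}

// Verify is the client side of update_check: nothing in the downloaded file is
// trusted until the signature checks out under the pinned public key. An error
// here is the case where the client has no update object to return.
func Verify(versionsGz []byte, pub ed25519.PublicKey) (*Manifest, error) {
	var b SignedBundle
	if err := gunzipJSON(versionsGz, &b); err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, b.Manifest, b.Signature) {
		return nil, errors.New("versions metadata rejected: signature does not verify")
	}
	var m Manifest
	if err := json.Unmarshal(b.Manifest, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// ModifiedWithoutKey models what a compromised hosting account can do: rewrite
// the served file but not re-sign it. The manifest changes while the old
// signature stays, so Verify rejects it; a client that skipped signing would
// have followed it.
func ModifiedWithoutKey(versionsGz []byte) ([]byte, error) {
	var b SignedBundle
	if err := gunzipJSON(versionsGz, &b); err != nil {
		return nil, err
	}
	b.Manifest = bytes.ReplaceAll(b.Manifest, []byte(`"0.9.9"`), []byte(`"9.9.9"`))
	return gzipJSON(b)
}
```

The design point for a shared host fed over FTP, as in the setup later in this thread: the host only ever holds the public key and signed files, so whoever can write to it can break updates but cannot forge them. Verification must cover the whole manifest (including the archive hashes) before any version number or filename in it is acted on.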

@JPFrancoia (Author)

> First let me apologize for not answering your questions.

Don't worry, we all have a job and we are all busy.

> Signing is essential to the security of this library. It adds a signature to the version file which the client verifies with the public key. Signing also generates the versions.gz & keys.gz archives.

So basically, I have to sign my package to get those two files? My bad if I didn't follow the procedure completely, I thought I could bypass the signing part.

> Will you be using AWS S3 or your own server?

Nope, I'll be using a shared server (provider: OVH). I'll upload the files via FTP.

> May I ask why you don't want to sign your metadata?

No particular reason. I've never done it, so I don't know what the benefits could be (maybe you can tell me more about it, or give me a link?).

For now I'm just testing, so I thought I could start without the additional layer of complexity that the signing part is.

@JMSwag (Member) commented Sep 30, 2016

PyUpdater is a simplified, but still relatively secure, version of TUF.
Example of updating with the TUF client.

Check the TUF spec. It's good!

@JMSwag JMSwag closed this as completed Sep 30, 2016
@privateOmega

@JMSwag Sorry for commenting on an old issue, but I didn't want to open a new one since I am also stuck with the whole versions.gz file being missing.

Would versions.gz be generated only during signing, and could we bypass that?

Tbh, I am not able to follow the process of creating a keypack and signing it, and I am doing a POC and wanted a minimal attempt.
