New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ensure that update only to the application signed with same cert #1187

Closed
cumajkeee opened this Issue Jan 30, 2017 · 24 comments

Comments

Projects
None yet
5 participants
@cumajkeee

cumajkeee commented Jan 30, 2017

I want to be sure that Windows (NSIS) application can update only to the application signed with same cert.

For Squirrel.Mac it works. When I try to update Mac application, that is not signed/signed with different cert to the correct application (signed with correct cert) I get error during update.

Same thing seems not working for Windows one.

@develar, could you please suggest something?
Thanks in advance.

@develar

This comment has been minimized.

Member

develar commented Jan 30, 2017

It is planned functionality. And must-have functionality since Windows security model just *** and cannot protect users.

https://technet.microsoft.com/en-us/library/ee176840.aspx will be used to verify that update is signed and signed exactly by you.

@develar develar changed the title from [Question] How I can ensure I'm updating to the signed applicaiton to ensure that update only to the application signed with same cert Jan 30, 2017

@cumajkeee

This comment has been minimized.

cumajkeee commented Jan 30, 2017

Perfect, thanks! Is it up in backlog, or planned for someday? :)

@develar

This comment has been minimized.

Member

develar commented Jan 30, 2017

planned for someday

... when all critical issues like #1106 or #1172 will be fixed.

Issue is not closed backlog, so, it is planned to be fixed in short term (but as it is an open source project, it can took years :) without PR or donation).

@JanEgner

This comment has been minimized.

JanEgner commented Feb 10, 2017

Just wondering if there's going to be an easy way to cover the case of an expiring code signing certificate, i.e. when the update must be signed using a different certificate than the one used for the installed version, but both certs are issued to the same person/org.

@develar

This comment has been minimized.

Member

develar commented Feb 10, 2017

@JanEgner Expired Code Signed Cert is always valid regardless is it expired or not. Because electron-builder always sign it using timestamp server. http://stackoverflow.com/a/4417480/1910191

@JanEgner

This comment has been minimized.

JanEgner commented Feb 10, 2017

@develar Yes, but some day my cert will expire and I will have to get a new one. Stuff that I signed in the past, using the now-expired cert, will continue to be considered signed. But for my next update I need to use the new cert - i.e. a different one than for the installed version.
This would be an issue if you plan to check that the cert fingerprint is the same for the update as for the installed app.

@develar

This comment has been minimized.

Member

develar commented Feb 10, 2017

@JanEgner Yes. Nice question. Will be checked not by cert SHA256/SHA1, but by "Issued to" field. So, during build electron-builder will remember certificate publisher and on update exe signature will be verified:

  1. must be signed and valid.
  2. publisher still the same.
@JanEgner

This comment has been minimized.

JanEgner commented Feb 10, 2017

Yes, that sounds great!
(unless the publishing company changes its name - which my employer did several times in the past years - so it would be extra-cool to be able to set an alternative accepted publisher name during build).

develar added a commit to develar/electron-builder that referenced this issue Feb 10, 2017

develar added a commit to develar/electron-builder that referenced this issue Feb 11, 2017

develar added a commit to develar/electron-builder that referenced this issue Feb 12, 2017

@cumajkeee

This comment has been minimized.

cumajkeee commented May 3, 2017

Hey @develar, there is some extra work planned for this issue?

MariaDima added a commit to MariaDima/electron-builder that referenced this issue Jun 5, 2017

develar added a commit to develar/electron-builder that referenced this issue Jun 6, 2017

develar added a commit to develar/electron-builder that referenced this issue Jun 6, 2017

develar added a commit to develar/electron-builder that referenced this issue Jun 6, 2017

develar added a commit to develar/electron-builder that referenced this issue Jun 6, 2017

@develar develar closed this in 66771d3 Jun 6, 2017

@develar

This comment has been minimized.

Member

develar commented Jun 6, 2017

Please use win.forceCodeSigningVerification to disable this check. Check is not performed if app is not signed.

@JanEgner

This comment has been minimized.

JanEgner commented Jun 6, 2017

Awesome - thanks a lot @MariaDima and @develar!

@cumajkeee

This comment has been minimized.

cumajkeee commented Jun 8, 2017

@develar, @MariaDima I still can update signed application to not signed.

@develar

This comment has been minimized.

Member

develar commented Jun 8, 2017

@cumajkeee Please specify version of electron-updater. Is "signed application" was build by latest electron-builder (specify version).

@cumajkeee

This comment has been minimized.

cumajkeee commented Jun 8, 2017

"electron-updater": "2.1.1",
"electron-builder": "18.6.2"

@cumajkeee

This comment has been minimized.

cumajkeee commented Jun 8, 2017

Any updates so far?

@develar

This comment has been minimized.

Member

develar commented Jun 8, 2017

@cumajkeee As soon as my working day will be over, I will take a look ;)

@MariaDima

This comment has been minimized.

Contributor

MariaDima commented Jun 9, 2017

I checked, but with latest electron-updater 2.1.2.
I get errors for the cases where the update has not been signed at all or has been signed using a "different" certificate.

@develar

This comment has been minimized.

Member

develar commented Jun 9, 2017

@MariaDima Thans for verification.
@cumajkeee Please ensure that there is publisherName in your app-update.yml file (this field automatically added by electron-builder).

@MariaDima

This comment has been minimized.

Contributor

MariaDima commented Jun 9, 2017

One more note:
In case someone uses the setFeedURL method, you need to make sure you update the options with the proper "publisherName".

@KochiyaOcean

This comment has been minimized.

KochiyaOcean commented Jun 13, 2017

Is update of an unsigned application still allowed?

@develar

This comment has been minimized.

Member

develar commented Jun 13, 2017

@KochiyaOcean Must be not in the latest electron-updater.

@KochiyaOcean

This comment has been minimized.

KochiyaOcean commented Jun 13, 2017

@develar OK I think I would stuck on electron-updater@1 until found an affordable cert.

@develar

This comment has been minimized.

Member

develar commented Jun 14, 2017

@KochiyaOcean If your app is unsigned at all, update of an unsigned application is allowed. You are not forced to use code signing on Windows.

@KochiyaOcean

This comment has been minimized.

KochiyaOcean commented Jun 14, 2017

@develar Understood. Thanks 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment