
Verify setup authenticity during update #51

Closed
hugbug opened this issue Jul 10, 2015 · 2 comments

@hugbug (Member) commented Jul 10, 2015

When installing an update via the built-in update routine (Windows and Linux installers), the program downloads the new setup from the NZBGet download area.

The downloaded file must be verified before execution.

  • develop a signing mechanism with public/private keys;
  • implement a verification routine in NZBGet for use from update scripts;
  • create a build script to generate the file with signatures;
  • provide hosting for the file with signatures;
  • include the public key in the Windows setup;
  • include the public key in the Linux installer;
  • put a link to the signatures file into the update info file;
  • implement verification in the Windows update script;
  • implement verification in the Linux update script.

@hugbug hugbug added the feature label Jul 10, 2015

@hugbug hugbug added this to the v16.0 milestone Jul 10, 2015

@hugbug (Member Author) commented Jul 10, 2015

Intro

Both the Windows version and the Linux version are compiled using OpenSSL. The verification mechanism must use OpenSSL functionality. This is because the update scripts cannot rely on any external programs such as GnuPG or similar. We can't expect those programs to exist on every system.

OpenSSL provides functions for signing and verification. During the signing process we can use the openssl binary, which we can expect to be installed on the build machine. The verification must be implemented in NZBGet.

Create private key

openssl genrsa -out privkey.pem 2048

Export public key

openssl rsa -in privkey.pem -outform PEM -pubout -out pubkey.pem

Signing

openssl dgst -sha256 -sign privkey.pem -out installer-package.sig installer-package

Verifying

openssl dgst -sha256 -verify pubkey.pem -signature installer-package.sig installer-package

Verification in NZBGet

What the command openssl dgst -verify does can be implemented in NZBGet using the function RSA_verify.
Example code: http://sehermitage.web.fc2.com/program/src/rsacrypt.c

hugbug added a commit that referenced this issue Jul 10, 2015

hugbug added a commit that referenced this issue Jul 10, 2015

#51: implement signature verification
Command to verify:
    nzbget -n -B verify pubkey.pem signatures.txt installer-package

File “signatures.txt” can contain multiple signatures for many files -
one line per file, in format:
    RSA-SHA256(installer-package)= signature-hex-dump
@hugbug (Member Author) commented Jul 11, 2015

Signatures are available for download from the releases page. For example, for v15.0 the file with signatures is nzbget-15.0.sig.txt. It includes hashes of each hosted file:

  • MD5;
  • SHA1;
  • SHA256;
  • RSA-SHA256 - signed with the RSA certificate; can be verified using pubkey.pem.
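The following is an added example, not NZBGet's own code (NZBGet is C++ and calls OpenSSL's RSA_verify; this is a pure-Python model written for the discussion above). It covers the whole procedure from the earlier comment and the two items that follow it: a signatures file of one "ALGO(name)= hex" line per file, as described in the commit message, carrying the MD5, SHA1, SHA256 and RSA-SHA256 entries the later comment lists; a parser for that file; a check of the plain hashes with hashlib; and an RSA-SHA256 verification that does exactly what openssl dgst -sha256 -verify does, namely RSASSA-PKCS1-v1_5 over a SHA-256 DigestInfo (RFC 8017). Assumptions: the file name "installer-package", the package bytes and the key are constructed for the demo; the key is a small seeded 1024-bit toy generated in-process so the example runs offline (the page uses real 2048-bit keys from openssl genrsa), and demo_keypair, demo_sign and build_signature_file are stand-ins for the build-side tooling, not the project's scripts.

```python
import hashlib
import random
import re

E = 65537
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# One line per file, "ALGO(name)= hex", the format given in the commit message
LINE_RE = re.compile(r"^([A-Z0-9-]+)\((.+)\)= ([0-9a-fA-F]+)$")
HASHES = (("MD5", hashlib.md5), ("SHA1", hashlib.sha1), ("SHA256", hashlib.sha256))

def parse_signatures(text):
    """Return {(algo, filename): raw bytes} for every line of a signatures file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("malformed signature line: %r" % line)
        algo, name, hexval = m.groups()
        entries[(algo, name)] = bytes.fromhex(hexval)
    return entries

def emsa_pkcs1_v15_sha256(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) into exactly k octets."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 with PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_verify(n, e, data, sig):
    """RSASSA-PKCS1-v1_5 verification: the operation behind RSA_verify(NID_sha256, ...)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:           # signature must be exactly k octets
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:                  # signature representative out of range
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the whole encoded message, never a prefix or the hash bytes alone
    # (a lax padding parse is what the Bleichenbacher 2006 forgery exploits).
    return em == emsa_pkcs1_v15_sha256(data, k)

def verify_package(n, e, sig_text, name, data):
    """Check every line naming `name`; a missing RSA-SHA256 line fails closed."""
    entries = parse_signatures(sig_text)
    results = {}
    for algo, fn in HASHES:
        if (algo, name) in entries:
            results[algo] = entries[(algo, name)] == fn(data).digest()
    rsa_sig = entries.get(("RSA-SHA256", name))
    results["RSA-SHA256"] = rsa_sig is not None and rsa_sha256_verify(n, e, data, rsa_sig)
    return results

# Demo-only helpers: a small seeded key so the example runs offline. Not for releases.
def _is_probable_prime(c, rng, rounds=32):
    # Miller-Rabin with `rounds` random bases
    if c < 2 or c % 2 == 0:
        return c == 2
    d, r = c - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, c - 1), d, c)
        if x in (1, c - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, c)
            if x == c - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=1024, seed=51):
    """Return (n, e, d); the page's real keys are 2048-bit (openssl genrsa 2048)."""
    rng, half = random.Random(seed), bits // 2
    def prime():
        while True:
            c = rng.getrandbits(half) | (1 << (half - 1)) | 1   # full length, odd
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:        # E is prime, so this is gcd(E, phi) == 1
            return p * q, E, pow(E, -1, phi)

def demo_sign(n, d, data):
    """Signing side: what `openssl dgst -sha256 -sign privkey.pem` computes."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha256(data, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def build_signature_file(n, d, files):
    """Emit the multi-file signatures text described in the commit message."""
    lines = []
    for name, data in files.items():
        for algo, fn in HASHES:
            lines.append("%s(%s)= %s" % (algo, name, fn(data).hexdigest()))
        lines.append("RSA-SHA256(%s)= %s" % (name, demo_sign(n, d, data).hex()))
    return "\n".join(lines) + "\n"
```

Typical use is `n, e, d = demo_keypair()`, then `sigs = build_signature_file(n, d, {"installer-package": pkg})` on the build side and `verify_package(n, e, sigs, "installer-package", downloaded_bytes)` on the client side, running the installer only when the RSA-SHA256 entry is True. The MD5/SHA1/SHA256 lines only detect download corruption: whoever can replace the package on the download area can replace those lines as well, so the update script must treat only the RSA-SHA256 check against the public key shipped inside the installer as permission to execute the file, and must reject a signatures file that lacks that line rather than fall back to the plain hashes.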

hugbug added a commit to nzbget/nzbget.github.io that referenced this issue Jul 12, 2015

nzbget/nzbget#51: added link to signature file
into update info files for Windows and Linux

hugbug added a commit that referenced this issue Jul 13, 2015

@hugbug hugbug closed this Jul 13, 2015
