Verify setup authenticity during update #51

hugbug · 2015-07-10T16:02:31Z

When installing update via built-in update routine (Windows and Linux installers) the program downloads new setup from NZBGet download area.

The downloaded file must be verified before execution.

develop signing mechanism with public/private keys;
implement verification routine in NZBGet for usage from update scripts;
create a build script to generate file with signatures;
provide hosting for file with signatures;
include public key into Windows setup;
include public key into Linux installer;
put link to signatures files into update info file;
implement verification in Windows update script;
implement verification in Linux update script.

hugbug · 2015-07-10T17:35:47Z

Intro

Both Windows version and Linux version are compiled using OpenSSL. The verification mechanism must use OpenSSL functionality. This is because the update scripts cannot rely on any external programs such as GnuPG or similar. We can't expect those programs to exist on every system.

OpenSSL provides functions for signing and verification. During signing process we can use openssl-binary, which we can expect to be installed on the build machine. The verification must be implemented in NZBGet.

Create private key

openssl genrsa -out privkey.pem 2048

Export public key

openssl rsa -in privkey.pem -outform PEM -pubout -out pubkey.pem

Signing

openssl dgst -sha256 -sign privkey.pem -out installer-package.sig installer-package

Verifying

openssl dgst -sha256 -verify pubkey.pem -signature installer-package.sig installer-package

Verification in NZBGet

What command openssl dgst -verify does can be implemented in NZBGet using function RSA_verify.
Example code: http://sehermitage.web.fc2.com/program/src/rsacrypt.c

Command to verify: nzbget -n -B verify pubkey.pem signatures.txt installer-package File “signatures.txt” can contain multiple signatures for many files - one line per file, in format: RSA-SHA256(installer-package)= signature-hex-dump

hugbug · 2015-07-11T19:35:53Z

Signatures are available for download from releases page. For example for v15.0 the file with signatures is nzbget-15.0.sig.txt. It includes hashes each hosted files:

MD5;
SHA1;
SHA256;
RSA-SHA256 - signed with RSA certificate. Can be verified using pubkey.pem.

into update info files for Windows and Linux

from Linux update script

hugbug added the feature label Jul 10, 2015

hugbug added this to the v16.0 milestone Jul 10, 2015

hugbug added a commit that referenced this issue Jul 10, 2015

#51: added public key to repository

c1fcf0b

hugbug added a commit that referenced this issue Jul 10, 2015

#51: added public key to Linux installer

39063e4

hugbug added a commit that referenced this issue Jul 11, 2015

#51: signatures file format compatible with jsonp

d2f6350

hugbug added a commit to nzbget/nzbget.github.io that referenced this issue Jul 12, 2015

nzbget/nzbget#51: added link to signature file

5f5709a

into update info files for Windows and Linux

hugbug added a commit that referenced this issue Jul 12, 2015

#51: implemented signature verification in Linux update script

9864184

hugbug added a commit that referenced this issue Jul 13, 2015

#51: implemented verification in Windows update script

f28e1e7

hugbug added a commit that referenced this issue Jul 13, 2015

#51: removed extra switch when calling nzbget

fde5f7e

from Linux update script

hugbug closed this as completed Jul 13, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verify setup authenticity during update #51

Verify setup authenticity during update #51

hugbug commented Jul 10, 2015

hugbug commented Jul 10, 2015

hugbug commented Jul 11, 2015

Verify setup authenticity during update #51

Verify setup authenticity during update #51

Comments

hugbug commented Jul 10, 2015

hugbug commented Jul 10, 2015

Intro

Create private key

Export public key

Signing

Verifying

Verification in NZBGet

hugbug commented Jul 11, 2015