Verify setup authenticity during update #51
Intro
Both the Windows version and the Linux version are compiled using OpenSSL. The verification mechanism must use OpenSSL functionality. This is because the update scripts cannot rely on any external programs such as GnuPG or similar. We can't expect those programs to exist on every system. OpenSSL provides functions for signing and verification. During the signing process we can use the openssl binary, which we can expect to be installed on the build machine. The verification must be implemented in NZBGet.
Create private key
Export public key
Signing
Verifying
Verification in NZBGet
What command
Command to verify:
nzbget -n -B verify pubkey.pem signatures.txt installer-package
File “signatures.txt” can contain multiple signatures for many files, one line per file, in the format:
RSA-SHA256(installer-package)= signature-hex-dump
Signatures are available for download from the releases page. For example, for v15.0 the file with signatures is nzbget-15.0.sig.txt. It includes hashes of each hosted file:
into update info files for Windows and Linux
When installing an update via the built-in update routine (Windows and Linux installers), the program downloads the new setup from the NZBGet download area.
The downloaded file must be verified before execution.
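The sign-and-verify round trip described in this issue, as an added shell example built on the openssl binary (it is not NZBGet's code and not the commands from the original issue). The helper names `sign_pkg`, `verify_pkg` and `demo`, the throwaway key and the sample files are constructed, and matching the signature entry by base file name is an assumption.

```shell
#!/bin/sh
# Added example, not NZBGet code. Needs the openssl binary plus POSIX od/tr/awk/fold.

# sign_pkg PRIVKEY FILE: print one signatures.txt line for FILE.
sign_pkg() {
    hex=$(openssl dgst -sha256 -sign "$1" "$2" | od -An -v -tx1 | tr -d ' \n')
    printf 'RSA-SHA256(%s)= %s\n' "$(basename "$2")" "$hex"
}

# verify_pkg PUBKEY SIGFILE FILE: 0 = good signature, 1 = bad, 2 = no usable entry.
verify_pkg() {
    name=$(basename "$3")   # assumption: entries are keyed by base file name
    # Fixed-string prefix match, so the file name is never treated as a regex.
    hex=$(awk -v p="RSA-SHA256($name)= " \
        'index($0, p) == 1 { print substr($0, length(p) + 1); exit }' "$2")
    # Fail closed on a missing entry or anything that is not an even-length hex string.
    case "$hex" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 2
    sig=$(mktemp) || return 2
    # Hex dump -> raw signature bytes, one octal escape per byte.
    printf '%s\n' "$hex" | fold -w2 | while read -r b; do
        printf "\\$(printf '%03o' "0x$b")"
    done > "$sig"
    openssl dgst -sha256 -verify "$1" -signature "$sig" "$3" >/dev/null 2>&1 \
        && rc=0 || rc=1
    rm -f "$sig"
    return $rc
}

# demo: throwaway key and constructed package; prints the three exit codes.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$d/priv.pem" -pubout -out "$d/pubkey.pem" 2>/dev/null
    printf 'constructed installer payload\n' > "$d/installer-package"
    cp "$d/installer-package" "$d/unlisted-package"
    sign_pkg "$d/priv.pem" "$d/installer-package" > "$d/signatures.txt"
    verify_pkg "$d/pubkey.pem" "$d/signatures.txt" "$d/installer-package" && ok=0 || ok=$?
    verify_pkg "$d/pubkey.pem" "$d/signatures.txt" "$d/unlisted-package" && miss=0 || miss=$?
    printf 'tampered\n' >> "$d/installer-package"
    verify_pkg "$d/pubkey.pem" "$d/signatures.txt" "$d/installer-package" && bad=0 || bad=$?
    rm -rf "$d"
    echo "$ok $miss $bad"
}

demo
```

The check only means something when pubkey.pem comes from the already-installed program rather than from the same location as the downloaded package and signatures file.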