Automatic Script Updater

[Sven Krohlas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heya,

> An update is only applied if it has a valid digital signature. To
> create such a signature, one needs to have the private key. The
> private key is additionally protected by a password. The signature
> algorithm used is RSA with a key length of 2048 bit.
> This system is what is considered secure by the current state of
> technology and science and is used widely wherever the integrity of
> documents/files/whatever needs to be protected. You can ask security
> experts for confirmation if you like; but as a CompSci student I'm
> very confident that this statement is correct.

Yes. Should be enough for some time or until quantum computing works.


> There are two cases that digital signing can't and won't protect against:
[snip]
There is at least a third one:
If the attacker is able to manipulate files on the server he can, depending
on the implementation of the upgrade algorithm, put _older_ versions there.
With the correct signatures he got from back then. So an attacker could
possible bring older, vulnerable code back to the user.
So version information has to be signed, too, and checked to make sure the
version on the server is really newer than the installed one.


> Workflow for releasing an update.
> 
> Whoever creates the update sends it to a developer who has access to
> the private key. The developer (ideally) reviews the update, then
> packs it into an archive called "main.tar.bz2", creates a signature
> (in a file called "signature"), and a file called "version" that
> contains the version of the updated script. These three files are then
> put to <base-url>/<scriptname>/ (for instance
> "amarok.kde.org/update/lyrics_lyricwiki/"). Done. Now, whenever an
> Amarok client starts up, it will see the update and apply it.

Meeeeeh!
The version file is not signed in this scheme. So any version information
taken from here can't be seen as trustworthy in further steps.


> The versions of the currently installed scripts are read from their
> respective script.spec files.

Why this extra file with the version then?
Just to create the final package? Then it's ok, I think, iff later we
only use the one from the script.spec file and nothing else.
But couldn't we just simply use the version from the script.spec file
everywhere?

cu
- --
Darkerradio Free Music Charts:
http://www.darkerradio.com/news/free-music-charts-september-2009/
Klarmachen zum Ändern! -> http://www.piratenpartei.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAkrNn0sACgkQOOggGLjBlhZ4jwCgxQuCZvKJGShjIfwIY2ysEq/j
fQMAoJEtJpHqsIeq+gSI+kwQIN8GIE0q
=7Aod
-----END PGP SIGNATURE-----