-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Perform DSA signature verification in SparkleUpdateInfoProvider #200
Comments
Would this not be covered by the VirusTotal postprocessor for those interested?
…Sent from my iPhone
On May 6, 2017, at 12:15 PM, Victor Vrantchan ***@***.***> wrote:
Recently, the Handbrake download was compromised to distribute a version of known malware.
Would it be possible for AutoPKG to check for the known, bad version of this software or is this out of scope?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Hi folks, So, I wonder if we could add a DSA signature check somehow to the Sparkle processor? With Sparkle, you can sign an update. Within the AppCast.xml there is the DSA, as per:
An app bundles info.plist should give details to the name of it's public key name, which is round in the /Resources folder within the app bundle:
FWIW, these examples were taken from AutoCasperNBI.. but Handbrake has the same. |
if the DSA sig can be calculated via AutoPkg, I can test creating an app & invalidating the DSA |
I remember looking at this possibility when first working on the It seems reasonable to me that if the code to do the signature verification could be done using no additional Python dependencies and work on all supported versions of macOS, then this could be worth doing as yet another validation of the download. One way to implement this would be to implement the same verification code that Sparkle does (using CommonCrypto and PyObjC), or perhaps even better would be to use the pyobjc library support for dynamically adding your own bridgesupport metadata and actually load the Sparkle framework included with the app. The advantage is that you avoid re-implementing the verification code, and the disadvantage is trading one instability for another - relying on a method provided by the Sparkle framework whose signature may change subtly in different versions. Either way there are some concerns here to make it so that this works consistently across different OS versions and/or bundled Sparkle frameworks. |
Recently, the Handbrake download was compromised to distribute a version of known malware.
Would it be possible for AutoPKG to check for the known, bad version of this software or is this out of scope?
Edit: the download was fixed, so this issue is more of a FYI for anyone that updated handbrake recently.
The text was updated successfully, but these errors were encountered: