Update notification #478
Concept ACK! Would it be crazy to help users verify the PGP sig on new downloads as well? I dunno if that makes sense, theoretically a compromised version could convince a user to download additional compromised versions.... but maybe there is something we can do? I'm curious if other crypto-sensitive software handles releases in any special way like that.
I think we can add more info in release docs and on the website on how to verify checksum and gpg easily (#436, #214). Making the software itself verify an upgrade will complicate things imo - this would mean moving the download/install/update process inside the wallet which is messy when cross-platform.
b05d504
to
791a029
Compare
try { | ||
const releases = await ( | ||
await fetch( | ||
'https://api.github.com/repos/kyokan/bob-wallet/releases' |
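Review bot: the nested `await (await fetch(...))` around the releases request leaves no point at which the HTTP status can be checked before the body is consumed. Split it into two statements and test `response.ok` first, so that an error or rate-limit body from api.github.com is never treated as a release list, and make sure the enclosing `try` ends in a path that shows no notification at all.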
Might as well check some kind of signature, even if it's a brand new bob-release-update published by kyokan. Especially because you use url: latestRelease.html_url, down below. Giving users a link to click is a target for attacks, treat it like a nuclear bomb.
Wow didn't think of that. Unlikely, but def possible.
How about always linking to https://github.com/kyokan/bob-wallet/releases/tag/{TAG} instead of latestRelease.html_url?
Not sure what signature can be checked here. Do you mean like with PGP? It's just a link so no info to verify.
Look around how other popular wallets like Electrum and Wasabi handle this. Hard coding the link feels good. As far as signature what I meant was that Kyokan should publish a new key (hey maybe an HNS address so we can use rpc verify message) and Bob will verify an update notification from whatever source. I dunno if it's possible to check that the release signature on github is correct before notifying the user. Whatever works out, just keep in mind attackers would love to get Bob users to download malware with one button click, so line up the troops.
Updated to prefix url and only use tag. imo the only way to break this would be to MITM an HTTPS req to github.com, which if someone can do, there are bigger problems already.
> maybe an HNS address so we can use rpc verify message

Requires the node to be synced :|
> I dunno if it's possible to check that the release signature on github is correct before notifying the user.

Afaik, no. We could download another file and check that, but again relies on an external source, mostly over https, with the same attack vectors as https://github.com. Additionally, verifying a file would mean downloading the actual binary from within Bob which feels more dangerous.
> Requires the node to be synced :|

no, just the address, not the NAME.
I keep Bob running forever. Does it mean I won't be notified?
@Falci heh. Releases aren't really frequent (2 per year?). Having a setInterval seems like overkill imo. Wdyt?
@@ -28,7 +28,7 @@ export const checkForUpdates = () => async (dispatch) => { | |||
type: SET_UPDATE_AVAILABLE, | |||
payload: { | |||
version: latestRelease.tag_name, | |||
url: latestRelease.html_url, | |||
url: `https://github.com/kyokan/bob-wallet/releases/tag/${latestRelease.tag_name}`, |
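Review bot: `latestRelease.tag_name` on the new `url` line is still a value taken from the API response, and it is interpolated into the path unchecked. Validate it against the `v${version}` tag format before building the link (the semver package's `valid` check would do) and drop the release when it does not match, so the tag cannot append path segments or a query string to the fixed prefix.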
Yeah, good change.
58dc66b
to
b354c4e
Compare
Useful comprehensive guides:
- https://www.reddit.com/r/Bitcoin/wiki/verifying_bitcoin_core
- https://bitcoincore.org/en/download/
- https://bitcoin.stackexchange.com/questions/50185/how-to-verify-bitcoin-core-release-signing-keys
- https://www.getmonero.org/resources/user-guides/verification-allos-advanced.html
- https://docs.wasabiwallet.io/using-wasabi/InstallPackage.html
- https://help.ubuntu.com/community/HowToSHA256SUM

Re:
- kyokan#436
- kyokan#280
- kyokan#478 (comment)
- kyokan#214

This new section could be linked/included into release tags.

[ci skip]
Checks for updates on Bob Wallet start, and if a new stable release is found, shows a notification in sidebar and clicking on it opens the GitHub release page for that version:
Uses semver to compare, so RCs and others are handled properly. Just need to make sure that release tags are in format v${version} (like v0.9.0), which we've already been doing.
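
The update check described above, as an added example (not code from this pull request): it keeps only stable releases, accepts only tags in the strict v${version} form, and builds the link from a fixed prefix plus the validated tag. The names `pickUpdate`, `parseTag` and `compareNums`, the hand-written comparison standing in for semver, and the sample release list are assumptions constructed for illustration.

```javascript
// Added example. Helper names and sample data are constructed, not Bob's code.
const RELEASE_PREFIX = 'https://github.com/kyokan/bob-wallet/releases/tag/';
// Strict v${version} tag: three numeric parts, optional pre-release suffix.
const TAG_RE = /^v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/;

function parseTag(tag) {
  const m = typeof tag === 'string' ? TAG_RE.exec(tag) : null;
  if (!m) return null; // anything else never reaches the URL
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Numeric comparison of [major, minor, patch]: -1, 0 or 1.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i] ? 1 : -1;
  }
  return 0;
}

// Returns { version, url } for the newest stable release, or null.
function pickUpdate(releases, currentVersion) {
  const current = parseTag('v' + currentVersion);
  if (!current || !Array.isArray(releases)) return null; // fail closed
  let best = null;
  for (const r of releases) {
    if (!r || r.draft || r.prerelease) continue;
    const tag = parseTag(r.tag_name);
    if (!tag || tag.pre) continue; // malformed or RC tag
    const cmp = compareNums(tag.nums, current.nums);
    // A stable x.y.z is newer than a running x.y.z-rc build.
    if (cmp < 0 || (cmp === 0 && !current.pre)) continue;
    if (!best || compareNums(tag.nums, best.nums) > 0) {
      best = { nums: tag.nums, version: r.tag_name };
    }
  }
  // html_url from the response is ignored; only the validated tag is used.
  return best && { version: best.version, url: RELEASE_PREFIX + best.version };
}

// Constructed sample of an API response (not real release data).
const sampleReleases = [
  { tag_name: 'v0.9.0', draft: false, prerelease: false, html_url: 'https://example.invalid/a' },
  { tag_name: 'v0.10.0', draft: false, prerelease: false, html_url: 'https://example.invalid/b' },
  { tag_name: 'v1.0.0-rc1', draft: false, prerelease: true },
  { tag_name: 'v9.9.9/extra', draft: false, prerelease: false },
];
console.log(pickUpdate(sampleReleases, '0.9.0'));
```

The comparison is numeric per component, so v0.10.0 ranks above v0.9.0, which a plain string comparison would get wrong.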