1. 5

  2. 8

    I’m much, much more interested in this kind of “here are gotchas I’ve experienced using this thing that I actually really like and would still recommend” than bilious tear-downs

    1. 2

      We had to build a custom updater for Peerio (reusing parts from electron-builder and the Electron-native updater), because none of the current ones satisfied our requirements. While electron-builder’s updater and Squirrel.Mac verify signatures, they do so using the native code signing tools and checking that the company name in the certificate matches. Instead, we publish a plain-text manifest signed with OpenBSD’s signify (our version, but compatible format), which looks like this:

      untrusted comment: Peerio Updater manifest
      version: 2.37.1
      urgency: mandatory
      date: 2017-09-15T18:16:09.343Z
      linux-x64-file: https://github.com/PeerioTechnologies/peerio-desktop/releases/download/v2.37.1/peerio-2-linux-x86_64.AppImage
      linux-x64-sha512: d135a90809eace24cd741c97bb0044c5ab9b76c65e8bd6d6a8711f47e36e6070310b9e40b08f43660491ff3a29c89ce2a8bd452bf9912ee615a9c378db7b33d9
      linux-x64-size: 69271552

      We distribute two public keys with the program (one main and one backup); the program downloads this manifest, verifies signature, downloads the installer file for the current platform, verifies its hash and then perform the installation. As soon as we have the update, we just publish the new manifest into the location that the app checks and that’s it. Static files everywhere.

      Nothing new to this, it’s what secure updaters have been doing for a long time (e.g. Sparkle on Mac), but somehow with the web world, this has been forgotten and rewritten, with Node update servers and complicated code signing with unreliable PKI.

      This also allows us to implement a public chain of trusted hashes in the future, making sure everyone gets the same update in a verifiable way.

      Simple signed plaintext manifest is also convenient to parse with Unix tools, making it easy to verify signature manually before downloading binaries (you’ll have to get our signify public keys for that, of course).

      1. 2

        I like the obfuscation part :D

        if your static password leaks you’re not winning anything

        uh… “leaks”, yeah. if you want to actually use the package you encrypted, the password has to be included in the code, or downloaded from somewhere — either way ends up on the client’s memory.