Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement hash validation on packages for file integrity check / incremental download / re-use download #6

Open
mikehardy opened this issue Mar 13, 2019 · 3 comments
Open

Implement hash validation on packages for file integrity check / incremental download / re-use download #6

mikehardy opened this issue Mar 13, 2019 · 3 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed
Milestone
Next Release

Comments

@mikehardy
Copy link
Owner

The system should be able to pull a checksum from the version.json and verify the signature matches prior to applying the update
@mikehardy mikehardy added the enhancement New feature or request label Mar 13, 2019
@mikehardy mikehardy added this to the Next Release milestone Mar 13, 2019
@mikehardy mikehardy self-assigned this Mar 13, 2019
@mikehardy mikehardy added help wanted Extra attention is needed good first issue Good for newcomers labels Mar 13, 2019
@mikehardy mikehardy changed the title Implement signature validation on packages Implement hash validation on packages for file integrity check Mar 13, 2019
@mikehardy
Copy link
Owner Author

This should be possible in a backwards-compatible way. "As of 2012 best practice recommendation is to use SHA-2" (which implies SHA256 as the most popular implementation of that family of file integrity hash

https://en.wikipedia.org/wiki/File_verification#File_formats

@mikehardy mikehardy removed their assignment Mar 13, 2019
@mikehardy
Copy link
Owner Author

When this is done, it should also be possible to do incremental downloads, and to see if an existing file already present in the cache directory matches the intended download

This was referenced Apr 29, 2019
Closed
Open
@mikehardy
Copy link
Owner Author

I am currently working on an app that uses this library, and I generate a JSON like this - with correct sha256 -anticipating support for the extra elements here soon:

{
  "versionName": "1.0.1-pre2085.staging",
  "apkUrl": "https://my.awesome.app.com/MyAwesomeApp-latest-staging.apk",
  "versionCode": "12085",
  "size": 26155737,
  "sha256": "168c6f480f9f94345490ed246041a35c3acf09872a606b5a00936d47d49ac9d5",
  "forceUpdate": false
}

Could possibly add the checksum for the signing cert as well, as signing cert clashes are a hard fail on install

Errors in validation should be reported with onError hook (#14) with messages prefixed as 'errorXXX' (e.g., 'errorInvalidChecksum', 'errorCertMismatch' etc)

@mikehardy mikehardy mentioned this issue Aug 12, 2019
Closed
@mikehardy mikehardy changed the title Implement hash validation on packages for file integrity check Implement hash validation on packages for file integrity check / incremental download / re-use download Aug 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Milestone
Next Release
Development

No branches or pull requests
1 participant
@mikehardy