Add option to verify updates before extraction #2667

zorgiepoo · 2024-11-25T19:27:47Z

Adds an opt-in option (SUVerifyUpdateBeforeExtraction) to enforce verifying updates before extracting them for stronger security. EdDSA signing is required to use this option. As fallback in case EdDSA keys are lost, disk image archives's code signatures are validated assuming it's Developer ID signed. Key rotation is still possible.

Apple Archives (aar, yaa) now require using this option.

Fixes #2590

Misc Checklist

My change requires a documentation update on Sparkle's website repository
My change requires changes to generate_appcast, generate_keys, or sign_update

Testing

I tested and verified my change by using one or multiple of these methods:

Sparkle Test App
Unit Tests
My own app
Other (please specify)

Updating Sparkle Test App with zip works (EDDSA signed, adhoc bundle signed, SUVerifyUpdateBeforeExtraction = YES)
Updating Sparkle Test App with zip works (EDDSA signed, adhoc bundle signed, SUVerifyUpdateBeforeExtraction = NO)
Updating app with zip works (EDDSA signed, Developer ID signed, SUVerifyUpdateBeforeExtraction = NO)
Updating app with aar works (EDDSA signed, Developer ID signed, SUVerifyUpdateBeforeExtraction = YES)
Updating app with aar fails (EDDSA signed, Developer ID signed, SUVerifyUpdateBeforeExtraction = NO)
Updating app with aar fails (EDDSA signed, Developer ID signed, SUVerifyUpdateBeforeExtraction omitted (same as NO))
Updating app with SUVerifyUpdateBeforeExtraction with code signed Developer ID fails when both old/new EdDSA signature fails (but Apple code signing validation succeeds!)
Updating app with SUVerifyUpdateBeforeExtraction with code signed Developer ID fails when both EdDSA signature fails and dmg archive is not code signed
Updating app with SUVerifyUpdateBeforeExtraction with code signed Developer ID fails when both EdDSA signature fails and dmg archive is adhoc signed (but not Dev ID signed matching original app)
Updating app with SUVerifyUpdateBeforeExtraction with code signed Developer ID succeeds when EdDSA signature succeeds and dmg archive is adhoc signed (but not Dev ID signed matching original app)
Using SUVerifyUpdateBeforeExtraction without any EdDSA key does fail
Using new EdDSA key, same developer ID signing from dmg, rotation works (SUVerifyUpdateBeforeExtraction = YES)
Using new EdDSA key, adhoc signing on bundle, developer ID signing from dmg, fails (b/c adhoc sig has no team id) (SUVerifyUpdateBeforeExtraction = YES)
Using new EdDSA key, development cert (not developer ID) signing on bundle, developer ID signing from dmg, succeeds (b/c even though old app is signed with wrong cert, it has same team id, and new download is validated with that team id & developer id signing) (SUVerifyUpdateBeforeExtraction = YES)
Using new EdDSA key, development cert (not developer ID) signing on bundle, development cert (not developer ID) signing from dmg, fails (b/c archive needs to be Developer ID code signed, even though team ids match) (SUVerifyUpdateBeforeExtraction = YES)

macOS version tested: 15.1 (24B83)

* Don't allow removal of (Ed)DSA keys for pre-validated updates (delta updates, .aar updates) * Don't allow removal of code signing identity in new update (at minimum, an adhoc signature can be used)

This optional key enforces signing verification on the download archive before the archive is extracted. As fallback to EdDSA verification, Sparkle can validate Apple code signed disk image files. This key is now required if aar (Apple Archive) archives are distributed as well.

…g is used

zorgiepoo added 21 commits October 19, 2024 16:49

Don't allow removal of signing keys more strictly

da10651

* Don't allow removal of (Ed)DSA keys for pre-validated updates (delta updates, .aar updates) * Don't allow removal of code signing identity in new update (at minimum, an adhoc signature can be used)

Avoid obtaining migratesDSAKeys for pre-validate path

c0f4b7a

Update signing rotation tests

a5b7b17

Add clarity to code signing certificate

5347398

Merge branch '2.x' into require-signing-key

58cf3f9

Add safe checks against nil errors

ec1c7d7

Merge branch '2.x' into require-signing-key

199bfda

Merge branch '2.x' into require-signing-key

554a01a

Merge branch '2.x' into require-signing-key

a8dd354

Check for new EdDSA key verification if fallback on Apple code signin…

5ba23a7

…g is used

Enhance signing validation error messages

68cb145

Fix bug where error object was not populated

5aab17c

Ensure team identifier is extracted

50ee635

Use separate error variable for failure

c5d317e

Improve error messages if download archive signing validation fails

b8f96af

Require EdDSA signing if SURequireSignedArchives is used

f3e0e6f

Rename key to SUVerifyUpdateBeforeExtraction

1f848c1

Rename one more instance of verify before extraction key

8157076

Add tests for verifying developer ID signed disk image

529040a

Add test for invalid matching adhoc signed dmg

355568a

zorgiepoo added this to the 2.7 milestone Nov 25, 2024

zorgiepoo mentioned this pull request Nov 25, 2024

Improve security for validating archives #2590

Closed

zorgiepoo added 2 commits December 7, 2024 14:56

Merge branch '2.x' into verify-before-extraction

42a0e15

Bump current project version to 2042

7666612

zorgiepoo merged commit 1ca60d5 into 2.x Dec 9, 2024
2 checks passed

zorgiepoo deleted the verify-before-extraction branch December 9, 2024 00:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add option to verify updates before extraction #2667

Add option to verify updates before extraction #2667

zorgiepoo commented Nov 25, 2024 •

edited

Loading

Add option to verify updates before extraction #2667

Add option to verify updates before extraction #2667

Conversation

zorgiepoo commented Nov 25, 2024 • edited Loading

Misc Checklist

Testing

zorgiepoo commented Nov 25, 2024 •

edited

Loading