    autoupdater and XMLDSig
scottgshin

Years ago, I incorporated the N++ wingup ability into my program and have been using it successfully. Thank you. I am trying to update it to the latest version to bring in the security that has been added but am having trouble getting my XML to pass the wingup testing.

I have signed my XML file, but must be doing it wrong. Is there documentation on how to sign the XML file that is read from the update URL by the autoupdater?

I have a code signing certificate for my application and it is already signed, but signing XML is new to me and I am unsure if I should be using the same certificate to sign the XML.

My signed XML has the same format used by N++, but the generated signature does not match wingup's tests.

      Any help is appreciated.
      Thanks,
      Scott

PeterJones @scottgshin

        @scottgshin ,

        Which version of the WinGUp code are you using? (there used to be a non-Notepad++ version of WinGUp and the fork specific to Notepad++ – the generic version ceased updates years ago, and was officially marked as deprecated a few months ago, so now the Notepad++ variant is the only one remaining).

        I have signed my XML file … signing XML is new to me

        I’m not sure it’s really the XML file that is signed. I think it’s that the XML returned from the server should contain the signature information for the installer.

        Looking at the results from the Notepad++ website’s XML response,

```xml
<GUP>
<NeedToBeUpdated>yes</NeedToBeUpdated>
<Version>8.9.3</Version>
<Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.9.3/npp.8.9.3.Installer.exe</Location>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>jSgsmy+aPWcILjwrUwhygzblV03okICYznvdkTIS5ps=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>…</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>…</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</GUP>
```

The <SignatureValue> has to be the signature of the installer (because it cannot embed its own signature in the XML… or, rather, generating the 256-bit signature that would match the contents of the XML with that same 256-bit signature embedded is computationally expensive and impractical with today’s hardware). So I would interpret the phrase “signed XML” mentioned in the image at https://wingup.org/how/ as “XML that contains the installer’s signature”.

        I don’t know of any regular here who has made use of WinGUp for their own project (though maybe I just don’t remember, or they just haven’t mentioned it)… but if no one else chimes in over the next few days, I would recommend going to https://github.com/notepad-plus-plus/wingup/issues and ask Don to better document how to generate that <Signature> portion of the XML in the WinGUp README (or a separate document)… because, yeah, if it’s intended that other applications can use WinGup for doing their updates, the process of getting the “signed XML” should be better explained.

scottgshin

I am using the latest version of N++ wingup (5.4.1) and it’s testing the XML returned by the query to verify that it’s valid before using the NeedToBeUpdated, Version, and/or Location information. If the XML signature passes then it downloads the file from the Location tag and tests its signature. I haven’t been able to get my code to get past the XML signature check. I have a program written to generate the XML signing, that I can share, which uses my own code signing certificate. I was hoping that someone familiar with how N++ is doing the XML signing could point me in the correct direction or add the code to the N++ project.
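What the XML check Scott describes amounts to, as an added example (mine, not from the thread or from WinGUp's source): for the GUP layout Peter pasted, an enveloped XMLDSig verifier works from two inputs, the document with the <Signature> element cut out (hashed into DigestValue) and the canonical <SignedInfo> (the bytes that SignatureValue is an RSA-SHA256 signature over). The sample Location is hypothetical, the RSA step is left out, and Python's stdlib canonicalize() (C14N 2.0) stands in for the C14N 1.0 algorithm named in CanonicalizationMethod, which produces the same bytes for this prefix-free, comment-free document.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DS)  # serialise dsig elements as xmlns="..." like the thread's XML

# Constructed sample in the GUP layout from the thread (hypothetical Location, KeyInfo omitted).
SAMPLE_GUP = """<GUP>
<NeedToBeUpdated>yes</NeedToBeUpdated>
<Version>8.9.3</Version>
<Location>https://updates.example.invalid/app.Installer.exe</Location>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>PLACEHOLDER</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PLACEHOLDER</SignatureValue>
</Signature>
</GUP>
"""

def reference_digest(xml_text: str) -> str:
    """DigestValue for Reference URI="": SHA-256 of the canonical document with <Signature> cut out."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    prev = list(root)[list(root).index(sig) - 1]  # assumes Signature is not GUP's first child
    # The enveloped-signature transform drops the element, not the whitespace text after
    # </Signature>; ElementTree keeps that text as sig.tail, so move it to the previous sibling.
    prev.tail = (prev.tail or "") + (sig.tail or "")
    root.remove(sig)
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode")).encode("utf-8")  # C14N 2.0 == 1.0 here
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

def signed_info_bytes(xml_text: str) -> bytes:
    """Canonical <SignedInfo>: the exact bytes the RSA-SHA256 SignatureValue is computed over."""
    si = ET.fromstring(xml_text).find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")

def verify_reference(xml_text: str) -> bool:
    """Consumer side: recompute the digest and compare it with the stored DigestValue."""
    stored = ET.fromstring(xml_text).findtext(f".//{{{DS}}}DigestValue")
    return stored == reference_digest(xml_text)
```

A DigestValue that refuses to match is usually a canonicalization or whitespace difference rather than a key problem, which is why the text node after </Signature> is preserved above.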

PeterJones @scottgshin

            @scottgshin ,

I have not used gup aside from through Notepad++, so I don’t know any more details.

            The best advice I have is to wait a few more days and see if anyone else here chimes in (there are a few people here who probably understand the process that Don implemented better than I do, who were more involved in the security discussions around it). But if no one does, then creating an issue at the WinGUp repo, to request that the process be better documented would be a good idea.

            I would recommend asking for both how to get the information for the <Signature> block in the XML and for how to get the server to generate the signature for the XML. If I’ve understood your reply correctly, you seem to have figured the signature-inside-XML portion out; however, even if you have, I don’t know that everyone who wants to use gup for their own project will have figured it out. I think that both need to be documented, otherwise gup isn’t really usable by anyone except Notepad++ anymore – so if you’re asking for one part, asking for both would be better.

            (If you do create the issue, make sure to reply here with a link to the issue, so that people who find this discussion can track what the status is of the request.)

            The Community of users of the Notepad++ text editor.