NewsArchive
06-06-2012, 06:46 AM
You might or might not have noticed the following (still undocumented)
improvement in the last SetupBuilder 7.7 maintenance build:
---
IMPROVEMENT: Installer: Add an experimental "Get Trust (Code-sign)" option
to the "Get File Information..." script function.
---
Background: Software product deployed with SetupBuilder to a very large user
base. Web Update is used to bring the software to the latest version
(live-update functionality). The full and the web update install images are
code-signed. If a new version is available, the Web Update client downloads
and launches the update.
IT security specialists analyzed the company's update strategy for
potential vulnerabilities and reported that the company needs to be prepared
for the following type of action: an attacker gets control over the
company's web update server and redirects the traffic to an external server
to download and execute malicious code (which is very unlikely, but in
theory, it's possible).
Previous SetupBuilder versions already provided a "Verify Trust
[Code-signature]" function that lets you retrieve the code-sign status of a
downloaded file. But the WinVerifyTrust Windows function can only ensure
that a binary is signed by some key that is part of Microsoft's chain of
trust.
So we have added a new "Get Trust [Code-signature]" function that lets you
optionally perform the Authenticode verification AND retrieve code-signing
certificate specific information to ensure the update install image was
signed by your private key (e.g. based on the serial number or the
code-signing certificate issuer name). This function allows you to build a
customized wupdate.exe (or wucheck.exe) and check whether a downloaded web
update installer package is code-signed with a specific code-signing
certificate before the update process begins. Or you can display the issuer
name and let the user decide what to do, etc.
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
SetupBuilder is Windows installation -- "point. click. ship"
-- Official Comodo Code Signing and SSL Certificate Partner
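
The check described in the post above, sketched in PowerShell with the built-in Get-AuthenticodeSignature cmdlet. This is an added example, not SetupBuilder script or Lindersoft code; the function name, the file path and the expected serial number and issuer are placeholders to replace with the values from your own code-signing certificate.

```powershell
# Added example: verify Authenticode AND pin the signer before launching an update.
# Test-UpdateSigner, the path and the expected values below are hypothetical.
function Test-UpdateSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSerialNumber,
        [Parameter(Mandatory)] [string] $ExpectedIssuer
    )

    # Step 1: plain Authenticode verification (file unmodified, chain trusted).
    # This alone only proves that *some* trusted publisher signed the file.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Authenticode status: $($sig.Status)" }
    }

    # Step 2: compare the signer certificate with the one we expect.
    # Serial numbers are only unique per issuer, so both fields are checked.
    $cert   = $sig.SignerCertificate
    $serial = ($ExpectedSerialNumber -replace '[\s:]', '').ToUpperInvariant()
    if ($cert.SerialNumber.ToUpperInvariant() -ne $serial) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected serial number: $($cert.SerialNumber)" }
    }
    if ($cert.Issuer -cne $ExpectedIssuer) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected issuer: $($cert.Issuer)" }
    }

    [pscustomobject]@{ Trusted = $true; Reason = "Signed by expected certificate ($($cert.Subject))" }
}

# Usage with placeholder values; run the installer only when Trusted is $true.
$update = 'C:\Temp\downloaded-update.exe'                       # placeholder path
if (Test-Path -LiteralPath $update) {
    $result = Test-UpdateSigner -Path $update `
        -ExpectedSerialNumber '00 11 22 33 44 55 66 77' `
        -ExpectedIssuer 'CN=Example Code Signing CA, O=Example CA, C=US'
    if (-not $result.Trusted) {
        Remove-Item -LiteralPath $update -Force
        throw "Update rejected: $($result.Reason)"
    }
    Write-Output $result.Reason
}
```

The expected serial number and issuer have to be updated in the client whenever the code-signing certificate is renewed or reissued.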