Skip to content

Instantly share code, notes, and snippets.

@paragonie-scott

paragonie-scott/auto-update.md

Last active March 7, 2017 22:32
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save paragonie-scott/d5b08f7b4e0035562c7bfc364898f426 to your computer and use it in GitHub Desktop.
Save paragonie-scott/d5b08f7b4e0035562c7bfc364898f426 to your computer and use it in GitHub Desktop.
Download ZIP
PHP Auto Update Quick Start
Raw
auto-update.md

This is a more "how" to the "what": https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers

HTTPS + Digital Signatures

This is a minimalistic secure auto update approach.

  1. Make an API call to a server to get the latest version information. This should be delivered over HTTPS, possibly with HPKP.
  2. If an update is available, the client software should download the update file.
  3. An Ed25519 signature should be available, either as a separate API call or as an HTTP header with the downloaded file.
  4. Verify that the signature is valid for one of the hard-coded Ed25519 public keys.
  5. If everything is good, install the update file. (This can mean replacing individual files or applying a git patch.)

This doesn't mitigate against signing key theft.

Secure Code Delivery

  • In addition to everything in the previous section, you'll need to maintain a Merkle tree that contains the BLAKE2b hash of every single update file ever released.
  • Between code update checks, periodically update the tree:
    1. Request new updates from the API server.
    2. Calculate the new Merkle root for the new batch of updates.
    3. Verify that a random selection of your peers see the same Merkle root.
    4. If they see a different one, discared the updates. Otherwise, commit them to your local copy of the Merkle tree.
  • Each update record should include metadata (date/time, version information) as well as the BLAKE2b hash of each update file.
  • When a new code update is available, you only need to check that the BLAKE2b hash of the update file is present in the Merkle tree, and that the metadata (version information) is what you expect.

High-Availability

In addition to everything above, you may want to have more than one API server that you can connect to for updates.

Furthermore, streaming all update information over a protocol like BitTorrent may be desirable as well. This is the part of the solution that hasn't been developed fully because DDoS attacks against update infrastructure are rare and relatively short-lived.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment