Issue 92489 - Online update must verify package signatures
Summary: Online update must verify package signatures
Status: CLOSED DUPLICATE of issue 119017
Alias: None
Product: Installation
Classification: Application
Component: code
Version: OOo 3.0 Beta 2
Hardware: All All
Importance: P3 Trivial
Target Milestone: ---
Assignee: AOO issues mailing list
Duplicates: 101217
Reported: 2008-08-05 17:27 UTC by malte_timmermann
Modified: 2018-08-04 16:47 UTC
Issue Type: FEATURE
Latest Confirmation in: ---
Developer Difficulty: ---


Description malte_timmermann 2008-08-05 17:27:31 UTC
Before executing any downloaded binaries, make sure it's really a genuine OOo
installation package.

See also http://blogs.sun.com/malte/entry/evilgrade_and_openoffice_org
Comment 1 malte_timmermann 2008-08-05 17:33:35 UTC
OOo 3.1 possible?

Lightweight solution:
If infrastructure for certificates is too complex, it would also be OK to get
some encrypted hash value from the update server, and use the known public key
to decrypt it, with some verification. 
Maybe a list of different public keys, since packages are provided from
different people, who would have to encrypt the hash value with their private key.
Comment 2 Olaf Felka 2008-08-05 17:50:54 UTC
That's a defect? I see it as a new requirement. It has not been a requirement
for Online Update so by now, it works as designed.
Comment 3 joachim.lingner 2008-08-14 08:31:46 UTC
Using this approach means that one relies on keeping the private keys secret for
all times (or maybe until the next release). The advantage of using a
certificate infrastructure is that compromised private keys can be notified to
the user via certificate revocation lists or OCSP responses.
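
The lightweight scheme proposed in comment 1 (a signed hash checked against a list of known public keys) together with the revocation limit raised in comment 3, as an added example that is not code from this issue or from OpenOffice.org. It assumes Ed25519 signatures over the SHA-256 digest of the package in place of the "encrypted hash" wording; `TrustedKey`, `VerifyPackage`, `demoKey`, `signPackage` and the key names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type TrustedKey struct { // hypothetical entry of the updater's built-in key list
	Name    string
	Key     ed25519.PublicKey
	Revoked bool // a built-in list learns this only when a new client ships
}

var ErrUnknownSigner = errors.New("no trusted key verifies this package")
var ErrRevokedSigner = errors.New("package signed with a revoked key")

// VerifyPackage names the trusted key that signed SHA-256(pkg); wrong-sized keys are skipped since ed25519.Verify panics on them.
func VerifyPackage(pkg, sig []byte, keys []TrustedKey) (string, error) {
	digest := sha256.Sum256(pkg)
	for _, k := range keys {
		if len(k.Key) == ed25519.PublicKeySize && ed25519.Verify(k.Key, digest[:], sig) {
			if k.Revoked {
				return "", ErrRevokedSigner
			}
			return k.Name, nil
		}
	}
	return "", ErrUnknownSigner
}

// demoKey derives a constructed, demo-only key pair from a one-byte seed.
func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(append(make([]byte, ed25519.SeedSize-1), b))
	return priv.Public().(ed25519.PublicKey), priv
}

// signPackage is the builder's side: sign the package digest with a private key.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return ed25519.Sign(priv, d[:])
}

func main() {
	pub, priv := demoKey(1)
	pkg := []byte("constructed installer bytes")
	fmt.Println(VerifyPackage(pkg, signPackage(priv, pkg), []TrustedKey{{"release", pub, false}}))
}
```

The updater would call `VerifyPackage` on the downloaded file and refuse to execute it on any error; the `Revoked` flag can only change with a new client build, which is the gap comment 3 contrasts with CRLs and OCSP.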
Comment 4 kai.sommerfeld 2008-08-25 15:07:02 UTC
This is actually a feature.
Comment 5 stp 2008-10-17 14:37:14 UTC
When spec'ing this please think of community builds also.
Comment 6 dirk.voelzke 2008-12-09 14:08:19 UTC
Set target to 3.x 
Comment 7 dirk.voelzke 2010-02-15 14:13:07 UTC
Accepted.
Comment 8 oooforum (fr) 2018-08-04 16:28:30 UTC
*** Issue 101217 has been marked as a duplicate of this issue. ***
Comment 9 oooforum (fr) 2018-08-04 16:47:24 UTC
Since AOO, jump to this new issue

*** This issue has been marked as a duplicate of issue 119017 ***