kjullion
Posts: 176
Joined: Mon Nov 11, 2013 9:02 pm

blocking tampered auto-updates from installing?

Fri Dec 17, 2021 4:26 pm

Hi,
I thought that by using the "Compute MD5 signature from file" in the Updates Config projects and digitally signing our Setup exe that we would be able to prevent someone from maliciously tampering with the auto-update process.

But, I think in my tests I have proved two things which surprised me, and we need to find an alternative for.

A) I changed the MD5 value to a bogus value so that it doesn't match the md5 sig of the actual Setup exe, and this didn't affect anything. The auto-update occurs and no MD5 difference is noticed.

B) I posted a one-off non-signed Setup exe as the auto update exe and the fact that it wasn't signed was not caught by AI, or by Windows Installer technology.

Are these findings correct/consistent with what AI experts would expect? If so, how do we force the auto-update process to a) require that the digital signature of the posted setup exe file is checked against the value stored in the AIU file, and b) require that the Setup exe used by the updater must be signed, and presumably that cert. should match the one already installed on the user's machine (thus honoring the non-elevated install technology).

Thanks,
Kevin

Catalin
Posts: 6541
Joined: Wed Jun 13, 2018 7:49 am

Re: blocking tampered auto-updates from installing?

Mon Dec 20, 2021 12:15 pm

Hello Kevin,

In order to install only digitally signed updates, please follow the steps presented in the following article:

How to install only digitally signed update packages

Regarding the MD5 issue, I am not quite sure why that happens. A possible cause could be this:
The "Compute MD5 signature from file" option is ignored when the "Compute SHA256 signature from file" is enabled.
When "Compute SHA256 signature from file" and "Compute MD5 signature from file" options are both enabled, the MD5 signature is checked only when you are running an older version of Advanced Installer Updater (that didn't have support for SHA256 signature checks). Otherwise only the SHA256 signature check is done.
as explained in the following article:

Update Installer Tab

Hope this helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

kjullion
Posts: 176
Joined: Mon Nov 11, 2013 9:02 pm

Re: blocking tampered auto-updates from installing?

Mon Dec 20, 2021 6:09 pm

Ok, thanks for the two links. We've now enabled the "Install only digitally signed update packages signed with the same certificate as the Updater" setting and that seems to be working as expected. Only digitally signed auto-update Setup files are allowed to succeed in the process. But, we still haven't found a solution which deals with the MD5 value possibly not matching between the one recorded in the AIU file and the actual MD5 hash of the file to be installed.

Before writing you, our AIU file was only recording the MD5 hash, but going forward we want to use the SHA256 hash and confirm that it is checked for integrity / match before an auto-update is allowed to proceed. We understand that if both hash values are stored, only the SHA256 one is checked, which is fine, but we want to be sure that it works in the way in which we assume it works.

Thank you!

Catalin
Posts: 6541
Joined: Wed Jun 13, 2018 7:49 am

Re: blocking tampered auto-updates from installing?

Tue Dec 21, 2021 9:16 am

You are always welcome, Kevin!

Glad to hear everything is working as expected now.

Best regards,
Catalin

kjullion
Posts: 176
Joined: Mon Nov 11, 2013 9:02 pm

Re: blocking tampered auto-updates from installing?

Tue Dec 21, 2021 3:21 pm

Actually we do still have a question: it is about the MD5 and SHA256 hash values. We would like it so that our auto-update installation doesn't succeed if the hash value in the AIU file does not match the hash of the file to be installed. But our testing of this so far has shown that (when we were using MD5) if the hash value was tampered with in the AIU file, and it therefore was a mismatch with the file to be installed, then the auto-update would still succeed... we believe it should not succeed.

We prefer to use the SHA256 hash going forward since that is (we assume) likely to be more secure than the MD5 hash.

kjullion
Posts: 176
Joined: Mon Nov 11, 2013 9:02 pm

Re: blocking tampered auto-updates from installing?

Wed Dec 22, 2021 3:19 pm

Check that, we are Ok now that we have the SHA256 enabled. I tampered with the SHA256 hash signature in the AIU file and that caused our auto-updates to fail, which is good...that is what we were hoping for.
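Updater-side verification logic that matches what Catalin described and what Kevin observed, as an added example (not Advanced Installer's own code): SHA256 takes precedence, MD5 is consulted only when no SHA256 is recorded, and any mismatch fails closed. The INI key names (SHA256, MD5), the section name and the URL are assumptions for illustration, and the package is a constructed stand-in for Setup.exe.

```python
import configparser
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algo: str) -> str:
    """Stream the package through the chosen hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(manifest_text: str, section: str, package_path: str):
    """Return (ok, reason). SHA256 wins when present; MD5 is used only when the
    manifest has no SHA256 entry; no recorded hash at all fails closed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(manifest_text)
    entry = cfg[section]
    if "SHA256" in entry:          # assumed key name, mirrors the AIU option
        algo, expected = "sha256", entry["SHA256"]
    elif "MD5" in entry:           # assumed key name, legacy fallback only
        algo, expected = "md5", entry["MD5"]
    else:
        return False, "no hash recorded in manifest; refusing to install"
    actual = file_digest(package_path, algo)
    if not hmac.compare_digest(actual.lower(), expected.strip().lower()):
        return False, f"{algo} mismatch: manifest {expected} vs package {actual}"
    return True, f"{algo} verified"


def write_constructed_package() -> str:
    """Write a constructed stand-in for the downloaded Setup.exe; return its path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed setup payload, not a real installer\n")
    return path


def build_manifest(sha256=None, md5=None) -> str:
    """Build a minimal INI-style update entry (layout assumed, not AI's spec)."""
    lines = ["[Update1]", "Name = MyProduct 2.0",
             "URL = https://updates.example.invalid/Setup.exe"]
    if sha256:
        lines.append(f"SHA256 = {sha256}")
    if md5:
        lines.append(f"MD5 = {md5}")
    return "\n".join(lines) + "\n"
```

Tampering with the MD5 line while a correct SHA256 is present still verifies, which is the behaviour Kevin saw in test A; tampering with the SHA256 line rejects the package.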

Catalin
Posts: 6541
Joined: Wed Jun 13, 2018 7:49 am

Re: blocking tampered auto-updates from installing?

Wed Dec 22, 2021 4:37 pm

Hello Kevin,

Thank you for your followup on this!

I am glad to hear everything is working as expected now.

Best regards,
Catalin
