Post Reply
agwin
Posts: 9
Joined: Mon Apr 22, 2024 6:44 pm

Secure Updater Options

We're investigating ways to secure our installation/update files using Advanced Installer. We are going to be hosting our initial installer in an S3 bucket that users will download via an AWS S3 Signed Url. I'd like to use the same sort of security during updates, but I'm only seeing the option of username:password as part of the "Updates configuration file URL" like so:

Code: Select all

http://<username>:<pwd>@www.myurl.com/<client>/downloads/setup.exe
Is this the ONLY means by which the updater process can access secure files?

I have an idea I wanted to run by support.... Could I change the configuration file URL to access an API that would serve up a configuration file that is constructed at request time? The API would be responsible for generating the signed S3 url and returning it inside the config file.

Thanks in advance.
Catalin
Posts: 7513
Joined: Wed Jun 13, 2018 7:49 am

Re: Secure Updater Options

Hello,
Is this the ONLY means by which the updater process can access secure files?
Currently yes.
I have an idea I wanted to run by support.... Could I change the configuration file URL to access an API that would serve up a configuration file that is constructed at request time? The API would be responsible for generating the signed S3 url and returning it inside the config file.
To be honest with you, I do not think this will work. However, we can try and test this.

If it doesn't work, could you please elaborate a bit on this approach that in your vision will be secure? I will need this to run it by our dev team and maybe we can improve our current support.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
agwin
Posts: 9
Joined: Mon Apr 22, 2024 6:44 pm

Re: Secure Updater Options

Sorry for the delay @Catalin. After some thought, and realizing there's no way to 100% secure the update process, we decided that we're going to go with a more simple, scaled back process where the MSI is secured, and we put a long lived Cloudfront signed URL into our configuration file on our server. The updater will use the signed URL to download updates instead of a completely public file.

Not totally secure, but seems there's not really any way to accomplish that right now. Thanks.
Catalin
Posts: 7513
Joined: Wed Jun 13, 2018 7:49 am

Re: Secure Updater Options

Hello,

Thank you for your followup on this and for sharing the solution with us!

I'm sure this will be of help for further users facing a similar scenario.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
Post Reply

Return to “Building Installers”