  1. Qt Installer Framework
  2. QTIFW-461

Consider signing updates.xml to prevent malicious updates

Details

    • Bug
    • Resolution: Duplicate
    • P2: Important
    • None
    • 1.5.0
    • General
    • None

    Description

      We currently fully trust the Updates.xml that we fetch from the remote server. This could make it easy to let a user unconsciously install tainted packages/updates from an attacker that managed to manipulate the local network.

      A possible counter-measure would be to verify the server/Updates.xml, either through HTTPS certificate verification, or through signing Updates.xml with a cryptographic key.
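
The signing option described above, sketched as an added example (not code from this issue or from the Qt Installer Framework): a detached Ed25519 signature over the raw Updates.xml bytes is checked against a public key pinned in the installer before anything is parsed. The choice of Ed25519, the names `LoadVerified` and `ErrBadSignature`, and the constructed sample document are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/xml"
	"errors"
	"fmt"
)

// Constructed sample in the Updates.xml layout; not from a real repository.
const sampleUpdates = `<Updates>
 <ApplicationName>Example</ApplicationName>
 <PackageUpdate>
  <Name>com.example.core</Name>
  <Version>1.0.1</Version>
  <SHA1>0000000000000000000000000000000000000000</SHA1>
 </PackageUpdate>
</Updates>`

type Updates struct {
	Packages []struct {
		Name    string `xml:"Name"`
		Version string `xml:"Version"`
		SHA1    string `xml:"SHA1"`
	} `xml:"PackageUpdate"`
}

var ErrBadSignature = errors.New("signature check failed for Updates.xml")

// LoadVerified checks the detached signature over the exact bytes fetched,
// before any XML parsing, so unauthenticated data never reaches the parser.
func LoadVerified(pinned ed25519.PublicKey, raw, sig []byte) (*Updates, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, raw, sig) {
		return nil, ErrBadSignature
	}
	var u Updates
	if err := xml.Unmarshal(raw, &u); err != nil {
		return nil, err
	}
	return &u, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // assumption: made offline, only pub ships
	raw := []byte(sampleUpdates)
	sig := ed25519.Sign(priv, raw) // published next to Updates.xml
	_, okErr := LoadVerified(pub, raw, sig)
	_, badErr := LoadVerified(pub, bytes.Replace(raw, []byte("1.0.1"), []byte("9.9.9"), 1), sig)
	fmt.Println("untampered:", okErr, "| tampered:", badErr)
}
```

Because the signed file carries each package's checksum, authenticating Updates.xml extends to the package archives only if the client also verifies those checksums after download.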

          People

            installerteam Installer Team
            kkohne Kai Köhne