sign channel metadata to enforce release channel name #7

Open
thestinger opened this issue Jul 6, 2019 · 1 comment

thestinger commented Jul 6, 2019

After the zip is verified, the metadata is verified against it to make sure that it was accurate. However, it would be nice to have offline signing of the update channel metadata in a way that enforces the channel name. At the moment, if an attacker takes over the server, they can't do much, but one thing they could do is move the current beta release into the stable channel.

@thestinger

The channel name is now in the metadata but this probably should have included the device name too so we'll need to add another field with the device name. Essentially, it needs to have the file name (DEVICE-CHANNEL) in the metadata.

thestinger changed the title from "put channel name in metadata and sign it" to "sign channel metadata to enforce release channel name" on Jul 24, 2021
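An added illustration of the check discussed in this issue (not code from this project): once the package signature has been verified, the client compares the served metadata against the signed copy and then requires the signed device and channel to match its own configuration. The `key=value` layout, the field names and the sample values are assumptions constructed for the example, and signature verification is assumed to have already happened.

```python
class MetadataError(Exception):
    """Raised when update metadata fails a consistency or binding check."""


def parse_metadata(text):
    """Parse 'key=value' lines (assumed layout), rejecting malformed or duplicate keys."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key or key in fields:
            raise MetadataError(f"malformed or duplicate line: {line!r}")
        fields[key] = value.strip()
    return fields


def check_update(served_text, signed_text, device, channel):
    """Return the signed metadata if it is bound to this device and channel.

    served_text: metadata body fetched from the update server (untrusted).
    signed_text: metadata from inside the package, assumed signature-verified.
    """
    served = parse_metadata(served_text)
    signed = parse_metadata(signed_text)
    # Served metadata must be an accurate description of the verified package.
    if served != signed:
        raise MetadataError("served metadata does not match the signed package")
    # Binding check: the signed fields must name DEVICE-CHANNEL as configured.
    for key, want in (("device", device), ("channel", channel)):
        if signed.get(key) != want:
            raise MetadataError(f"signed {key} is {signed.get(key)!r}, expected {want!r}")
    return signed


def accepts(served_text, signed_text, device, channel):
    """Boolean wrapper around check_update for callers that only need a verdict."""
    try:
        check_update(served_text, signed_text, device, channel)
        return True
    except MetadataError:
        return False


# Constructed sample metadata; names and values are placeholders.
STABLE = "device=exampledevice\nchannel=stable\nbuild=1"
BETA = "device=exampledevice\nchannel=beta\nbuild=2"
OTHER = "device=otherdevice\nchannel=stable\nbuild=1"
```

Serving `BETA` for both inputs to a client configured for `stable` passes the accuracy comparison and is rejected only by the binding check, which is the gap the signed channel and device fields close.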