Best Practices For Installation Packages, Updates, Plugins Download
Publish date: Mar 10, 2023
Applications often need to download installation packages such as RPM bundles, obtain and perform regular updates from remote servers, or allow fetching and installing plugins to extend functionality.
It is advisable to avoid security issues by following some best practices.
Best Practices for Distribution
- Use a well-known HTTPS server for distribution, with properly generated TLS certificates.
- Create a signed manifest containing the following information and distribute it with the package files:
  - Use versioning.
  - List every other file individually, along with integrity information such as a strong hash (e.g. sha256).
  - Sign the manifest file. The signature can be an adjacent .sig file, or canonicalization can be used to produce a manifest with an embedded signature.
- Ensure the public key for signature verification is published in a safe location, e.g. a known HTTPS website, or bundled with clients. Don’t store it next to the signed manifest.
Best Practices for Clients
- Use TLS with proper certificate verification to download the packages from a known location.
- Perform a signature check on the manifest using the bundled or safely obtained public key.
- Perform an integrity check for all files listed in the manifest.
- Avoid TOCTOU (time-of-check to time-of-use) issues between integrity/signature verification and actual use.
- Avoid directory traversal, especially when expanding zip/tar archives.
- If using a temporary location, create the directory safely.
- Avoid using a highly privileged user such as root for this process.
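The client-side checks above, as an added example that is not code from the original post. It assumes a JSON manifest carrying a version and one sha256 per file, a detached Ed25519 signature over the raw manifest bytes, a public key the client already trusts, and package contents handed in as bytes already read into memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"path"
	"strings"
)

// Manifest is the assumed signed-manifest layout: a version plus one hex sha256 per
// distributed file, keyed by its slash-separated path relative to the package root.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// VerifyManifest checks the detached Ed25519 signature over the raw manifest bytes with a
// key the client already trusts, and only then hands the bytes to the JSON decoder.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyFiles checks each manifest entry against bytes already held in memory, so what was
// hashed is what gets installed (no re-read between check and use). It also rejects paths
// that climb out of the install directory and packages whose file set differs from the list.
func VerifyFiles(m *Manifest, contents map[string][]byte) error {
	if len(contents) != len(m.Files) {
		return errors.New("package file set does not match manifest")
	}
	for name, want := range m.Files {
		if c := path.Clean(name); path.IsAbs(c) || c == ".." || strings.HasPrefix(c, "../") {
			return errors.New("unsafe path in manifest: " + name)
		}
		sum := sha256.Sum256(contents[name]) // a missing file hashes as empty and fails below
		if hex.EncodeToString(sum[:]) != want {
			return errors.New("sha256 mismatch or missing file: " + name)
		}
	}
	return nil
}
```

Only after both functions succeed should the in-memory bytes be written into a freshly created install directory; never re-download or re-read from a shared path between verification and installation.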