Add support for DSA signed updates about winsparkle HOT 7 CLOSED

I'm leaning towards verifying Authenticode signatures instead (or in addition to DSA). Sparkle is moving in that direction already, so it seems a bit pointless to adopt a to-be-obsoleted scheme now:

sparkle-project/Sparkle#48
sparkle-project/Sparkle@21f9546

from winsparkle.

Do you have a timeline of when you'll be supporting verifying Authenticode signatures?

from winsparkle.

No, I don’t (seriously? In OSS?). One thing that would definitely speed things up, though, would be contributions...

from winsparkle.

Slightly related question: Does WinSparkle support downloading the xml from https:// but only if ssl cert is okay?
I couldn't find any mention about this about the doc, but either executable signature checking or https xml fetching seems to be a minimum for not opening a backdoor on user's machine.
Thank You for the quick answer, and the awesome work so far!

from winsparkle.

related

That word doesn’t mean what you think it means. Please don’t post completely off-topic comments like this.

Does WinSparkle support downloading the xml from https:// but only if ssl cert is okay?

You have the code at your disposal, why don’t you verify it yourself and if there’s any issue, submit a patch?

for the quick answer

This is a volunteer, community project, please don’t treat it as a commercial offering with support. Instead, contribute — even if it’s “only” information or documentation improvements.

from winsparkle.

I think it's not off topic at all. The same people who think they need DSA signed updates might just be satisfied with https based xml download.
Anyway, looking into the code, it uses InternetOpenUrl(), which is not very well documented in this regard, but trying it out (see http://stackoverflow.com/questions/29545544/is-internetopenurl-function-on-windows-secure-enough-if-not-how-to-make-it-str/29576201#29576201), it seems that it indeed checks https validity by default. So the answer to my own question is yes.

from winsparkle.

I think it's not off topic at all.

This issue is for tracking support for DSA signatures. You ask a question about validation of certificates, which is something that has zero overlap with the issue’s subject, technically or thematically. You are off topic by definition. By your the-same-people logic, anything about WinSparkle would be on-topic in any issue...

from winsparkle.