Decrease startup delay by skipping Java online Certificate Revocation Lists check #14
Conversation
| echo "Test jar complete" | ||
| ICON=$NAME.ico | ||
| magick convert SourceIcon.png -resize 256x256 your_image_256.png |
why was this removed?
It's not used anymore in current versions.
$ magick convert SourceIcon.png -resize 16x16 your_image_16.png
WARNING: The convert command is deprecated in IMv7, use "magick" instead of "convert" or "magick convert"
$ magick SourceIcon.png -resize 16x16 your_image_16.png
[NO WARNING ANYMORE]
| --app-version $VERSION \ | ||
| --java-options '--enable-preview' | ||
| --java-options '--enable-preview -Dcom.sun.net.ssl.checkRevocation=false -Djava.security.revocation=false -Djava.security.egd=file:/dev/./urandom' |
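Review bot: the replacement line drops revocation checking without documenting why, and none of the three added properties is mentioned in the PR description. `-Dcom.sun.net.ssl.checkRevocation=false` makes the JVM accept an update-server certificate that its CA has already revoked; chain validation and hostname checks still run, so this is weaker protection rather than none, but it is a security change and should be called out. `-Djava.security.revocation=false` is not a property I can find documented for the JDK; please point to where it is read or drop it. `-Djava.security.egd=file:/dev/./urandom` is unrelated to the revocation delay and is a Linux device path, while the generated config quoted below uses `$APPDIR\CaDoodleUpdater.jar`, so it looks out of place in this build. If the goal is only to avoid the offline stall, a softer option is to keep the check but run it in soft-fail mode with a lowered OCSP timeout, or to add the version pin suggested below so the updater never goes online when the user has opted out.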
I had to read up on the ssl checkRevocation flag and this turns the installer into an arbitrary code executing from network download back-door. I want the code to load faster too, but with the number of people using it, we need to be mindful of the security of the users too.
Note that this revocation flag was already set to false, but for some reason the line is doubled at the end; I just fixed this issue by setting the second line to the correct address. Here is the current configuration (CaDoodle.cfg):
[Application]
app.classpath=$APPDIR\CaDoodleUpdater.jar
app.mainclass=com.commonwealthrobotics.Main
[JavaOptions]
java-options=-Djpackage.app-version=1
java-options=--enable-preview
java-options=-Dcom.sun.net.ssl.checkRevocation=false
java-options=-Dcom.sun.net.ssl.checkRevocation=false
Hmm, this change is rather concerning. It would allow a man-in-the-middle attack to replace the requested jar with theoretically any jar file from anywhere, providing arbitrary code execution via a network attack. A user on an unsecured network that opens CaDoodle could be served a malicious jar from a spoofed URL and it will simply execute it without any checking. I rely on the SSL layer to ensure the jar the installer runs is the jar that I published to GitHub.

A better way to approach this might be to add a check box to the installer splash screen that lets the user pin the version to the current version. You could simply write a pin file when checked, erase it when unchecked, and on loading, check for its existence before attempting any network activity. That way it will bypass the network connection entirely and just use whatever version is already installed.
Remove another deprecated "convert"
The revocation check happens when the JVM starts, it's basically a parameter for the In the ideal case the updater does all the needed downloads, then the main application can always start fast without the revocation check. The user can choose to start the updater or the application directly, that would be nice and clean.
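As an added example (not code from this PR or from the CaDoodle project), the two ideas raised in this thread combined in Java: a pin file that makes the updater skip the network entirely, and, when it does go online, a trust manager that keeps revocation checking but soft-fails when the CRL/OCSP server is unreachable, instead of switching the check off with checkRevocation=false. The class name, the pin-file name and the cacerts path are assumptions.

```java
import java.io.File;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class UpdaterTls {
    // Hypothetical pin file written by the splash-screen check box: when it
    // exists, the installed version is used and the network is never touched.
    static final Path PIN_FILE = Path.of("cadoodle.pin");

    static boolean updatePinned() {
        return Files.exists(PIN_FILE);
    }

    /** SSLContext that keeps revocation checking but tolerates being offline. */
    static SSLContext revocationSoftFailContext() throws Exception {
        // Trust anchors: the JDK's own cacerts store (assumed path; readable without a password).
        File cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts").toFile();
        KeyStore trust = KeyStore.getInstance(cacerts, (char[]) null);
        PKIXRevocationChecker checker =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // SOFT_FAIL: an unreachable OCSP responder or CRL server does not abort the
        // handshake, but a definitive "revoked" answer still rejects the certificate.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, new X509CertSelector());
        params.addCertPathChecker(checker); // an added checker is used regardless of setRevocationEnabled
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (updatePinned()) { System.out.println("Version pinned, skipping the update check"); return; }
        HttpClient client = HttpClient.newBuilder().sslContext(revocationSoftFailContext()).build();
        System.out.println("Updater client ready (" + client.sslContext().getProtocol() + ")");
    }
}
```

SOFT_FAIL only decides the outcome when the lookup fails; how long that lookup may take is governed separately by the JDK's com.sun.security.ocsp.timeout system property (default 15 seconds), which is the knob to lower if the offline stall is the real complaint.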
Decrease startup delay by skipping online Certificate Revocation Lists check.
This PR will decrease the offline startup time by 5-10 seconds
Reference: #100