AppCenter compatibility with DSA signatures

[anti-matter]

I'm using the latest preview release as of this writing and am trying to use NetSparkle with AppCenter. Additionally, I'm trying to use DSA signatures but am running into an issue where NetSparkle expects there to be a .signature or .dsa file for the appcast.xml file verification.

I assume I can get this working by writing custom signature verifier and parser, but am wondering if this is the correct approach before I get too far.

Thank you!

[Deadpikle]

Hi @anti-matter! :) I'm a little unfamiliar with AppCenter, so bare with me.

Well, that's one way to do it. The software is trying to verify that the app cast that was downloaded can be verified. I'm guessing app center doesn't have a separate .dsa or .signature file to verify the app cast, so, you can try one of two things:

1. Use SecurityMode.UseIfPossible (https://github.com/NetSparkleUpdater/NetSparkle/blob/develop/src/NetSparkle/Enums/SecurityMode.cs#L21). Now that I'm sitting here writing and thinking about it, in theory that will work, but in practice I haven't tested this in a long time, so YMMV.
2. Instead of writing a custom signature verifier/parser, use a custom IAppCastHandler instead. Easy mode: copy+paste this file and tweak it so it doesn't grab/verify the .signature or .dsa file download since you don't have those. You'll have to set SparkleUpdater.AppCastHandler to your custom object.

If you get it working, please come back here and comment about how you did it -- I'd love to have documentation readily available for AppCenter users!

[anti-matter]

Thanks @Deadpikle for the quick response. With SecurityMode.UseIfPossible is still expects to find a .signature / .dsa file. I will implement #2 and report back here.

[PeterJarrettUK]

We use Netsparkle with Appcenter and in the end we settled on just using SecurityMode.Unsafe as that was the only way it would work.

There is documentation from appcenter of how to create a dsa but its really complex and requires a bunch of api calls every time you upload a new build , and in the end we settled on trusting appcenter to be secure enough for our purposes 🙂

[Deadpikle]

Thanks @Deadpikle for the quick response. With SecurityMode.UseIfPossible is still expects to find a .signature / .dsa file. I will implement #2 and report back here.

If SecurityMode.UseIfPossible isn't working here, that's probably a bug. Thank you for finding that issue. I will get to it when I can.

Thanks also @Mostlypyjamas for your response and input!

[anti-matter]

Following up on this. Using a custom IAppCastHandler was the ticket. Main piece is to replace the DownloadAndParse() method from the standard in-box handler. Below is an example.

        public bool DownloadAndParse()
        {
            try
            {
                _logWriter.PrintMessage("Downloading app cast data...");

                var appcast = _dataDownloader.DownloadAndGetAppCastData(_castUrl);
                if (!string.IsNullOrEmpty(appcast))
                {
                    ParseAppCast(appcast);
                    return true;
                }
            }
            catch (Exception e)
            {
                _logWriter.PrintMessage("Error reading app cast {0}: {1} ", _castUrl, e.Message);
            }

            return false;
        }

All this does is eliminate the dsa check on the appcast.xml file.

[Deadpikle]

Thanks for following up. I really appreciate it. I have added a checklist item to #89 to remind me to look here when doing documentation updates as well as a note in #61 to look at SecurityMode.UseIfPossible and fix that up.