[quake3-commits] [ioquake/ioq3] ece37f: Initial add of rsa_tools.

Zachary J. Slater zjs at zacharyjackslater.com
Sun Jun 11 03:00:53 EDT 2017


  Branch: refs/heads/master
  Home:   https://github.com/ioquake/ioq3
  Commit: ece37f13905ca39e028c13be372fc79eae87639a
      https://github.com/ioquake/ioq3/commit/ece37f13905ca39e028c13be372fc79eae87639a
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-03 (Sat, 03 Jun 2017)

  Changed paths:
    A code/autoupdater/rsa_tools/build-libtom-unix.sh
    A code/autoupdater/rsa_tools/build-rsa-tools.sh
    A code/autoupdater/rsa_tools/rsa_common.c
    A code/autoupdater/rsa_tools/rsa_common.h
    A code/autoupdater/rsa_tools/rsa_make_keys.c
    A code/autoupdater/rsa_tools/rsa_sign.c
    A code/autoupdater/rsa_tools/rsa_verify.c
    A code/autoupdater/rsa_tools/test-rsa-tools.sh

  Log Message:
  -----------
  Initial add of rsa_tools.

This is just a simple RSA public key digital signature thing built on
libtomcrypt. The gist:

Some admin will generate a public/private key with rsa_make_keys, keeping the
private key secret. Using the private key and rsa_sign, the admin will sign
the autoupdater manifests, generating manifest.txt.sig.

The public key ships with the game (adding 270 bytes to the download), the
.sig is downloaded with the manifest by the autoupdater (256 bytes extra
download), then the autoupdater checks the manifest against the signature
with the public key. If the signature isn't valid (the manifest was tampered
with or corrupt), the autoupdater refuses to continue.

If the manifest is to be trusted, it lists sha256 checksums for every file to
download, so there's no need to sign every file; if they can't tamper with the
manifest, they can't tamper with any other file to be updated since the file's
listed sha256 won't match.

If the private key is compromised, we generate new keys and ship new
installers, so new installations will be able to update but existing ones
will need to do a new install to keep getting updates. Don't let the private
key get compromised. The private key doesn't go on a public server. Maybe it
doesn't even live on the admin's laptop hard drive.

If the download server is compromised and serving malware, the autoupdater
will reject it outright if they haven't compromised the private key, generated
a new manifest, and signed it with the private key.

libtomcrypt is sort of a big pile of source code, so instead of putting it
in revision control, we have a script to download it. Most things don't need
it. It lives on GitHub, so we _could_ do a git submodule, but most people
don't need it, so why waste their disk and bandwidth? That said, when compiled
you end up with a few hundred kilobytes of binary code to verify a signature
and no external dependencies, so it seems like a win.
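
As an added illustration (not part of the ioq3 commit or its rsa_tools code), the trust chain described above in simplified Python: a manifest listing sha256 hashes is signed, the verifier refuses a bad signature outright, and only then checks each file's hash against the signed listing. The key material, the `<sha256> <path>` manifest format and the textbook RSA over the raw digest are constructed stand-ins for libtomcrypt's padded scheme, for demonstration only.

```python
import hashlib
import random

# Constructed demo keys: textbook RSA over the raw SHA-256 digest with a deterministic
# 512-bit modulus. Stand-in for libtomcrypt's padded RSA; never use unpadded RSA for real.
_rng = random.Random(20170603)

def _is_probable_prime(n, rounds=32):  # Miller-Rabin, odd n > 2 only (demo quality)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_keys(bits=256):
    """rsa_make_keys analogue: returns public (n, e) and private (n, d)."""
    def prime():
        while True:  # odd, top bit set, and e=65537 coprime to p-1
            p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if (p - 1) % 65537 and _is_probable_prime(p):
                return p
    p, q = prime(), prime()
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def sign(private, data):  # rsa_sign analogue: the 256-bit digest is below n (n >= 2^510)
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), private[1], private[0])

def verify(public, data, sig):  # rsa_verify analogue
    return pow(sig, public[1], public[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def check_update(public, manifest, sig, files):
    """Autoupdater flow: refuse unless the manifest signature verifies, then refuse any file whose sha256 differs."""
    if not verify(public, manifest, sig):
        return "manifest signature invalid"
    for line in manifest.decode().splitlines():
        expected, name = line.split()  # constructed '<sha256> <path>' manifest format
        if hashlib.sha256(files[name]).hexdigest() != expected:
            return name + ": sha256 mismatch"
    return "ok"

FILES = {"ioquake3": b"fake binary", "baseq3/pak0.pk3": b"fake pak"}  # constructed sample update
MANIFEST = "\n".join(hashlib.sha256(data).hexdigest() + " " + path for path, data in FILES.items()).encode()
PUBLIC, PRIVATE = make_keys()
SIGNATURE = sign(PRIVATE, MANIFEST)
```

A tampered manifest fails before any file is hashed; a tampered file fails on the hash check even though the manifest is genuine, and a signature made under a different key is rejected like any other forgery.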


  Commit: 7542966e3360ab994972f9d3db5aac8a3edec06d
      https://github.com/ioquake/ioq3/commit/7542966e3360ab994972f9d3db5aac8a3edec06d
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/rsa_tools/build-libtom-unix.sh

  Log Message:
  -----------
  Verify libTom source archives aren't tampered with.


  Commit: 62f6f0c7e0be4bcd6dc45631fc8cf6350168a281
      https://github.com/ioquake/ioq3/commit/62f6f0c7e0be4bcd6dc45631fc8cf6350168a281
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M Makefile
    M code/autoupdater/rsa_tools/build-libtom-unix.sh
    M code/autoupdater/rsa_tools/build-rsa-tools.sh

  Log Message:
  -----------
  Wire up libTom stuff to build system.


  Commit: f71260eb8c5287761f1f2c15b74d64f65a04fe6e
      https://github.com/ioquake/ioq3/commit/f71260eb8c5287761f1f2c15b74d64f65a04fe6e
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/autoupdater.c
    R code/autoupdater/sha256.c
    R code/autoupdater/sha256.h

  Log Message:
  -----------
  Replace sha256.c with libTomCrypt equivalent, since we'll be using it anyway.


  Commit: e04bfd49676b5ed88abc930befb7724c171abb35
      https://github.com/ioquake/ioq3/commit/e04bfd49676b5ed88abc930befb7724c171abb35
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/autoupdater.c

  Log Message:
  -----------
  Autoupdater now checks RSA digital signature for manifest.


  Commit: ced74370426e63d751ee64ed46cec9f6d1ac7eb9
      https://github.com/ioquake/ioq3/commit/ced74370426e63d751ee64ed46cec9f6d1ac7eb9
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M autoupdater-readme.txt

  Log Message:
  -----------
  Updated autoupdater-readme.txt with manifest signing details.


  Commit: 06cc3a4e1bfcb3f2936ef5f4f0fec4aa7b6885e6
      https://github.com/ioquake/ioq3/commit/06cc3a4e1bfcb3f2936ef5f4f0fec4aa7b6885e6
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/rsa_tools/build-rsa-tools.sh

  Log Message:
  -----------
  build-rsa-tools.sh now works on Linux.


  Commit: c9c5d8710a9981c784d8b7271aca49d0f912c6ea
      https://github.com/ioquake/ioq3/commit/c9c5d8710a9981c784d8b7271aca49d0f912c6ea
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    A code/autoupdater/rsa_tools/.gitignore

  Log Message:
  -----------
  Added .gitignore for rsa_tools directory.


  Commit: a761684a2356ddac693697e758ce3232af69a395
      https://github.com/ioquake/ioq3/commit/a761684a2356ddac693697e758ce3232af69a395
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M Makefile
    M code/autoupdater/rsa_tools/build-rsa-tools.sh

  Log Message:
  -----------
  Windows support for autoupdater manifest signatures.


  Commit: 749e17ab1dd7cc31f4189a8050d24b21e82800b2
      https://github.com/ioquake/ioq3/commit/749e17ab1dd7cc31f4189a8050d24b21e82800b2
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/autoupdater.c

  Log Message:
  -----------
  Add a log message if manifest is valid.


  Commit: b771192d52da1aea6987f53ad34b318300c34bec
      https://github.com/ioquake/ioq3/commit/b771192d52da1aea6987f53ad34b318300c34bec
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M code/autoupdater/autoupdater.c

  Log Message:
  -----------
  Use "x86_64" and not "x86-64" like everything else in ioq3.


  Commit: 76e6b3c53442d125e65dee927caec56b272e2ba9
      https://github.com/ioquake/ioq3/commit/76e6b3c53442d125e65dee927caec56b272e2ba9
  Author: Ryan C. Gordon <icculus at icculus.org>
  Date:   2017-06-04 (Sun, 04 Jun 2017)

  Changed paths:
    M Makefile

  Log Message:
  -----------
  Removed unnecessary trailing backslash.


  Commit: fd3b58b967a89dde37495561f722db7b33e45404
      https://github.com/ioquake/ioq3/commit/fd3b58b967a89dde37495561f722db7b33e45404
  Author: Zachary J. Slater <zjs at zacharyjackslater.com>
  Date:   2017-06-10 (Sat, 10 Jun 2017)

  Changed paths:
    M Makefile
    M autoupdater-readme.txt
    M code/autoupdater/autoupdater.c
    A code/autoupdater/rsa_tools/.gitignore
    A code/autoupdater/rsa_tools/build-libtom-unix.sh
    A code/autoupdater/rsa_tools/build-rsa-tools.sh
    A code/autoupdater/rsa_tools/rsa_common.c
    A code/autoupdater/rsa_tools/rsa_common.h
    A code/autoupdater/rsa_tools/rsa_make_keys.c
    A code/autoupdater/rsa_tools/rsa_sign.c
    A code/autoupdater/rsa_tools/rsa_verify.c
    A code/autoupdater/rsa_tools/test-rsa-tools.sh
    R code/autoupdater/sha256.c
    R code/autoupdater/sha256.h

  Log Message:
  -----------
  Merge pull request #293 from rcgordon/autoupdater-rsa-signature


Compare: https://github.com/ioquake/ioq3/compare/e9436abff0fe...fd3b58b967a8