Replies: 8 comments 6 replies
-
Valid concerns, and definitely areas that need to be developed. I have put together a crude diagram that lays out the different pieces of jDeploy. I'll refer to it throughout this post. The diagram shows three actors: jDeploy, the App developer, and the app User. However there are two others to consider that aren't included in the diagram: The JVM distribution provider (Azul right now, but could be expanded to others later), and "the network". I'll start with three core actions that the end user performs, and discuss who she has to trust for each of them.
So, with the current configuration, the circle of trust includes:
Reducing the size of the circle of trustThe best case scenario for the circle of trust is for the user to trust only one party: The App Developer. This is achieved using conventional distribution (e.g. jpackage) by including the entire app inside a single bundle, which is signed by the app developer's private key. Mac will enforce this trust by refusing the run the app if the bundle has been tampered with. This would require giving up most of the benefits of jDeploy, so I'll discuss a range of strategies that can reduce the size of the circle of trust, but can still retain the benefits of jDeploy. The two main "features" that I want to preserve are:
These goals run counter to the goals of security, but I think there is a happy medium. Removing npm and jdeploy from the circle of trustThe easiest members to expel from the circle of trust are npm and jDeploy. There are a few ways to accomplish this: Strategy 1: Self Hosting:
Under this scenario, the circle of trust becomes: The network, the JVM provider, and the App developer. Strategy 2: CodesigningWe could develop a codesign strategy similar to Apple's codesign, and have the launcher verify signatures of all bundles that it downloads against signatures that the App developer verifies. The app developer could sign the installer bundle, and all npm bundles with their private key, and publish a public key that users could use to verify that the installer, and app, and app bundles are signed. This could be baked into the App launcher itself, to verify all updates against the app developer's public key. These changes would still allow us to use npm and jdeploy.com for the download page because the software could be verified by signature. I.e. we reduce the circle of trust to: The app developer and the JVM provider To remove the JVM provider from the circle of trust, we would need to either bundle the JVM in the installer, or pin the app to a particular JVM bundle. Both of these are undesirable because it either increases bundle size, or decreases our flexibility for choosing a compatible JVM at runtime. Strategy 3: a la cartePerhaps a mix of these strategies to achieve a sweet spot. |
Beta Was this translation helpful? Give feedback.
-
What means do you have to ensure a valid identity of the software developer? |
Beta Was this translation helpful? Give feedback.
-
Currently, none. I think the best solution would be to have the software developer publish their public key, or share their public key with their users, and then the user could verify the identity that way. I can imagine other strategies, but what mechanism would you suggest? |
Beta Was this translation helpful? Give feedback.
-
I don't know but being able to trust the given identity of the developer is a crucial part of the trust in the overall process. I have to assume that if the developer can stay completely anonymous he can commit any crime he wants and none of the other technical means could prevent that. But maybe we could hear some more voices on this issue. |
Beta Was this translation helpful? Give feedback.
-
What is your normal strategy for ensuring developer identity for software that you run? The same could probably be employed with jDeploy. Personally, I'm usually satisfied that if I download a file from the dev's website or other "trusted" source, like their Twitter feed, facebook, github, etc.., that it is from the developer. In reality, I know that this isn't bullet-proof, as it is possible that I accidentally went to a phishing site, or that there was a MITM attack and i'm not getting what I think I'm getting. This is why some guys post a hash to compare against the file - but then how do I know that the hash I got from their website wasn't also hit by MITM.... and on... The only "sure way" if the stakes are high, would be to get the public key before hand in person, and use it to validate signatures on every bundle that is downloaded over the network. But I've never done that. I've generally don't compare the hashes when they are available either. Maybe I should. |
Beta Was this translation helpful? Give feedback.
-
I have opened an RFE in the issue tracker that describes a way forward for addressing these security concerns. |
Beta Was this translation helpful? Give feedback.
-
The next release of jDeploy installer will display the following prompt when the user presses "Install". By default the "verified website" will just be the project page on https://www.npmjs.org/package/YOURPACKAGENAME If you place a hash into your actual homepage, then it will display your homepage instead. jdeploy publish will generate the following hashes on each deploy:
If the installer finds any of these hashes on your app's homepage, then it will display that home page as the "verified" homepage. The idea is to prevent a bad actor from publishing a malware app and claiming that they are someone else. Users will at least have the opportunity to inspect the website of the developer before proceeding with the installation to make sure it is legit. This is the first of a progression of new security features I will be implementing. |
Beta Was this translation helpful? Give feedback.
-
Just some info on the verification aspect of GitHub accounts. There actually is a possibility for more verification than just creating an account. GitHub domain verification |
Beta Was this translation helpful? Give feedback.
-
jDeploy is an interesting concept, but I am a bit concerned about the security aspects. Things like code signing and notarization give you at least some basic security and also give you the possibility to trace the origin of a software. jDeploy seems to bypass this completely as far as I understand the concept.
Beta Was this translation helpful? Give feedback.
All reactions