
fix: verify LiteralPath of update file during windows signature verification #8295

Merged (7 commits) on Jul 5, 2024

Conversation

mmaietta (Collaborator) commented Jul 4, 2024

To prevent env var expansion during the signature verification step when executed via cmd.exe -> powershell, we need to verify the LiteralPath of the scanned asset and compare the string against the original intended update filename.
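The check described above, as an added TypeScript example that is not the project's own code: build the `Get-AuthenticodeSignature -LiteralPath` command for the pending update file, then accept the result only when PowerShell reports the signature as valid *and* the `Path` it reports having scanned equals the file the updater intended to scan. The function names, the `AuthenticodeResult` subset of the JSON shape, and the sample paths and JSON results are assumptions constructed for this example.

```typescript
import * as path from "path"

// Subset of the Signature object that `Get-AuthenticodeSignature ... | ConvertTo-Json`
// emits and that this check relies on (assumed shape; the real object has more members).
interface AuthenticodeResult {
  Status: number // 0 is SignatureStatus.Valid
  Path: string   // the file PowerShell actually examined
}

type VerifyOutcome = { ok: true } | { ok: false; reason: string }

// Render a path as a single-quoted PowerShell string literal. Inside single quotes
// PowerShell performs no variable expansion, so only the quote itself needs doubling.
function toPowerShellLiteral(p: string): string {
  return `'${p.replace(/'/g, "''")}'`
}

// The -Command text an updater would hand to powershell.exe for a given file.
// -LiteralPath (rather than -Path) keeps wildcard characters in the name from being globbed.
function buildCommand(updateFile: string): string {
  return `Get-AuthenticodeSignature -LiteralPath ${toPowerShellLiteral(updateFile)} | ConvertTo-Json -Compress`
}

// Parse PowerShell's JSON output defensively; anything off-shape is treated as a failure.
function parseResult(rawJson: string): AuthenticodeResult | null {
  try {
    const obj = JSON.parse(rawJson)
    if (typeof obj !== "object" || obj === null) return null
    if (typeof obj.Status !== "number" || typeof obj.Path !== "string") return null
    return { Status: obj.Status, Path: obj.Path }
  } catch {
    return null
  }
}

// Accept the signature only if (a) PowerShell reports it Valid and (b) the file
// PowerShell says it scanned is the file we intended to scan. (b) is the check the
// PR adds: if the command line was altered on its way through cmd.exe, the reported
// Path no longer equals the pending update's path and the update is rejected.
function checkSignatureResult(expectedFile: string, rawJson: string): VerifyOutcome {
  const data = parseResult(rawJson)
  if (data === null) {
    return { ok: false, reason: "signature output is not the expected JSON shape" }
  }
  if (data.Status !== 0) {
    return { ok: false, reason: `signature status ${data.Status} is not Valid (0)` }
  }
  // Normalize both sides with Windows rules so a separator difference alone
  // (C:/a/b.exe vs C:\a\b.exe) does not cause a spurious rejection.
  const scanned = path.win32.normalize(data.Path)
  const expected = path.win32.normalize(expectedFile)
  if (scanned !== expected) {
    return { ok: false, reason: `scanned "${scanned}" but expected "${expected}"` }
  }
  return { ok: true }
}

// Constructed sample data (not captured from a real machine).
const PENDING_UPDATE = "C:\\Users\\alice\\AppData\\Local\\example-updater\\pending\\Example-Setup-1.2.3.exe"
const SAMPLE_VALID = JSON.stringify({ Status: 0, Path: PENDING_UPDATE })
const SAMPLE_WRONG_FILE = JSON.stringify({
  Status: 0,
  Path: "C:\\Users\\alice\\AppData\\Local\\example-updater\\pending\\Other.exe",
})
const SAMPLE_NOT_VALID = JSON.stringify({ Status: 1, Path: PENDING_UPDATE })

function demo(): string[] {
  return [
    buildCommand(PENDING_UPDATE),
    JSON.stringify(checkSignatureResult(PENDING_UPDATE, SAMPLE_VALID)),
    JSON.stringify(checkSignatureResult(PENDING_UPDATE, SAMPLE_WRONG_FILE)),
    JSON.stringify(checkSignatureResult(PENDING_UPDATE, SAMPLE_NOT_VALID)),
  ]
}

console.log(demo().join("\n"))
```

The path comparison is deliberately exact after normalization: a valid signature on some other file is not evidence about the file the updater is about to execute, so any mismatch between the intended path and the path PowerShell reports is treated as a verification failure rather than a warning.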


changeset-bot bot commented Jul 4, 2024

🦋 Changeset detected

Latest commit: 106f800

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: electron-updater (Patch)


netlify bot commented Jul 4, 2024

Deploy Preview for car-park-attendant-cleat-11576 ready!

Name Link
🔨 Latest commit 106f800
🔍 Latest deploy log https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/66871b6ee11c9d00088654e9
😎 Deploy Preview https://deploy-preview-8295--car-park-attendant-cleat-11576.netlify.app

@mmaietta mmaietta merged commit ac2e6a2 into master Jul 5, 2024
15 checks passed
@mmaietta mmaietta deleted the fix-win-verify-path branch July 5, 2024 16:06
basil commented Jul 11, 2024

Are there any plans for a non-alpha release or backport? This is now showing up as https://nvd.nist.gov/vuln/detail/CVE-2024-39698

mmaietta (Collaborator, Author) commented

Yep, I'll be converting to non-alpha release when I return from vacation on Monday. Unfortunately, I cannot backport with the current CI/CD setup using changeset package.

defunctzombie commented

I see that 6.3.1 is on npm but under the next tag rather than latest. Is it held back for more testing? When updating to 6.3.1 to resolve this security notice, do we also need to update to a specific version of electron or electron-builder?

mmaietta (Collaborator, Author) commented

It needs broader adoption before I can post to latest. For instance, electron-builder v25 has a blocking issue with AppImages that I'm currently working on resolving.

To leverage the fix in electron-updater 6.3.1, it does not require a specific version of electron or electron-builder.
