Diffstat (limited to 'updater')
-rw-r--r-- | updater/authenticode.go | 31 | ||||
-rw-r--r-- | updater/downloader.go | 2 | ||||
-rw-r--r-- | updater/msirunner.go (renamed from updater/msirunner_windows.go) | 0 | ||||
-rw-r--r-- | updater/msirunner_linux.go | 23 | ||||
-rw-r--r-- | updater/updater_test.go | 2 | ||||
-rwxr-xr-x | updater/winhttp/httptest.exe | bin | 3318784 -> 0 bytes |
6 files changed, 33 insertions, 25 deletions
diff --git a/updater/authenticode.go b/updater/authenticode.go
new file mode 100644
index 00000000..13ce6917
--- /dev/null
+++ b/updater/authenticode.go
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
+ */
+
+package updater
+
+import (
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+)
+
+func verifyAuthenticode(path string) bool {
+ path16, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return false
+ }
+ data := &windows.WinTrustData{
+ Size: uint32(unsafe.Sizeof(windows.WinTrustData{})),
+ UIChoice: windows.WTD_UI_NONE,
+ RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
+ UnionChoice: windows.WTD_CHOICE_FILE,
+ StateAction: windows.WTD_STATEACTION_VERIFY,
+ FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
+ Size: uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
+ FilePath: path16,
+ }),
+ }
+ return windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
+}
diff --git a/updater/downloader.go b/updater/downloader.go
index 98159553..a61acbd4 100644
--- a/updater/downloader.go
+++ b/updater/downloader.go
@@ -168,7 +168,7 @@ func DownloadVerifyAndExecute(userToken uintptr) (progress chan DownloadProgress
 }
 progress <- DownloadProgress{Activity: "Verifying authenticode signature"}
- if !version.VerifyAuthenticode(file.ExclusivePath()) {
+ if !verifyAuthenticode(file.ExclusivePath()) {
 progress <- DownloadProgress{Error: errors.New("The downloaded update does not have an authentic authenticode signature")}
 return
 }
diff --git a/updater/msirunner_windows.go b/updater/msirunner.go
index d7631706..d7631706 100644
--- a/updater/msirunner_windows.go
+++ b/updater/msirunner.go
diff --git a/updater/msirunner_linux.go b/updater/msirunner_linux.go
deleted file mode 100644
index f6cca441..00000000
--- a/updater/msirunner_linux.go
+++ /dev/null
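Review bot: In updater/authenticode.go, `verifyAuthenticode` sets `StateAction: windows.WTD_STATEACTION_VERIFY` but never makes the follow-up call with `windows.WTD_STATEACTION_CLOSE`, so the state data that WinVerifyTrust attaches to the `WinTrustData` is not released; Microsoft's documentation for the verify state action requires that close call. Save the verification result, switch the state action to close, call `WinVerifyTrustEx` once more and return the saved result, as in the excerpt below. Separately, the returned bool only says that the file chains to a publisher Windows trusts with full-chain revocation checking; nothing in this function checks which publisher signed it, so whatever `DownloadVerifyAndExecute` does before this call (not visible in the hunk) has to be what binds the download to the expected release. A doc comment on the function stating that scope would keep later callers from treating it as a signer check.

```go
	// … unchanged: path16 conversion and WinTrustData setup …
	err = windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
	// Release the state data allocated by WTD_STATEACTION_VERIFY; the verdict is already in err.
	data.StateAction = windows.WTD_STATEACTION_CLOSE
	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
	return err == nil
```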
@@ -1,23 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2020 WireGuard LLC. All Rights Reserved.
- */
-
-package updater
-
-import (
- "fmt"
- "io/ioutil"
- "os"
- "os/exec"
-)
-
-// This isn't a Linux program, yes, but having the updater package work across platforms is quite helpful for testing.
-
-func runMsi(msiPath string, userToken uintptr, env []string) error {
- return exec.Command("qarma", "--info", "--text", fmt.Sprintf("It seems to be working! Were we on Windows, ā%sā would be executed.", msiPath)).Run()
-}
-
-func msiTempFile() (*os.File, error) {
- return ioutil.TempFile(os.TempDir(), "")
-}
diff --git a/updater/updater_test.go b/updater/updater_test.go
index a29d71f6..02e980eb 100644
--- a/updater/updater_test.go
+++ b/updater/updater_test.go
@@ -20,7 +20,7 @@ func TestUpdate(t *testing.T) {
 return
 }
 t.Log("Found update")
- progress := DownloadVerifyAndExecute(0, nil)
+ progress := DownloadVerifyAndExecute(0)
 for {
 dp := <-progress
 if dp.Error != nil {
diff --git a/updater/winhttp/httptest.exe b/updater/winhttp/httptest.exe
Binary files differdeleted file mode 100755
index 9f7ecda4..00000000
--- a/updater/winhttp/httptest.exe
+++ /dev/null |