Open aschoelzhorn opened 7 years ago
@aschoelzhorn Don't you think it will be an overkill? Every time we change it we need to sign it again.
I don't think this is an overkill, but necessary for Issue #21 . The MD5 hash is almost useless, as long as you can not be sure the xml file hasn't been compromised.
@aschoelzhorn You are right. But I don't think many ppl will sign their XML files. If this issue gets more votes I will consider adding it.
@aschoelzhorn you can use https, or maybe ftps to get the xml, or change to check in a webservice and authenticate the user, if you are paranoid, you need to check your current local app for changes (altered files), and check the files sync with a server, like videogames..., ex. at updater start, check local files vs server files, the client never know the name of the xml in server, get an ID from server that is diferent in all clients... or maybe check that: https://github.com/ProgTrade/nUpdate/wiki/Creating-a-project-in-nUpdate-Administration
Ensure the integrity of the xml file by signing the xml