Re: Verifying Signed Files Downloaded via HTTP

From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 06/28/05 

Date: Tue, 28 Jun 2005 00:09:59 -0400

Well a simple way is to include a SHA1 (or other) hash of the new assem in
one of your xml elements for the file(s). Then just download them and
verify the new hash run over the file bits match the hash from the server.
IIRC, many have done this kind of thing with md5 for years. 

-- 
William Stacey [MVP]
"DaveW" <david_wender@yahoo.com> wrote in message 
news:1119638456.924177.55680@g47g2000cwa.googlegroups.com...
>I have created a Launcher Application to automatically update files for
> my main application before the main application starts. The launcher
> checks a XML file on a server to see a list of files/versions that are
> associated with the main application and will automatically download
> new versions.
> All DLLs and EXEs are strong named and signed with a Authenticode Code
> signing certificate.
> It seems that some clients are now encountering Strong Name exceptions
> after downloading new versions.
>
> I am trying to figure out whether they are getting these exceptions
> because the downloaded file was somehow corrupted during the file
> transfer. If so, is there any way to verify that a file has a valid
> signature after it is downloaded so that I can attempt to re-download
> if there are problems?
>
> Another thing to note is that I renewed my Digital Certificate on
> 6/6/05 but I have not rebuilt the SNK with new new certificate. I don't
> know much about how these certificates work, but I'm wondering if there
> is some sort of random verification going on that is failing because
> the old certificate may be expired.
>
> Any help would be greatly appreciated.
>
> Thanks.
>

Relevant Pages

  • Re: [Full-disclosure] FIREFOX 2.0.0.5 new vulnerability
    ... way I don't have to download the updates again if someday I decide to ... I believe if it is digitally signed you could check that signature after you ... Is very common to see downloads with a hash but then the page ... Give me the signature (you already have the public key from the ...
    (Full-Disclosure)
  • Re: ?Expired Security Certif for MS Update
    ... Steven, I couldn't get the MBSA to run -- it seemed to download okay, but it ... faith in the downloads I have, that used the expired certificate to get the ... At the risk of sounding like an alien abductee, this security invasion ... Microsoft and signed by a CA that your computer trusts I would not worry ...
    (microsoft.public.windowsxp.security_admin)
  • Re: [Full-disclosure] FIREFOX 2.0.0.5 new vulnerability
    ... way I don't have to download the updates again if someday I decide to ... I believe if it is digitally signed you could check that signature after ... Is very common to see downloads with a hash but then the ... Give me the signature (you already have the public key from the ...
    (Full-Disclosure)
  • Re: I note that no one is mentioning Jim Bates this morning!
    ... accepted as conclusive proof in court (although they could certainly ... So kp could clearly have ended up on the machine - never mind about hash codes of known kp files. ... have arisen from download corruption of other files are pointless - there is a perfectly valid explanation that he could have accidently downloaded anything in his search for warez and legal porn. ... KP file and placed it onto the P2P network. ...
    (uk.legal)
  • Re: Letter of claim - p2p
    ... and assuming you can find another file on the same or other p2p network ... find a file with that hash value shared from your IP but also that the ... purported to be either ceased the download or erased the program. ... it means that any attempt to view the "video" you thought ...
    (uk.legal)