Signing
To use SparkleDotNET, you must sign your updates. This ensures that SparkleDotNET only installs updates it's sure are from you.
Update signing uses the DSA scheme to sign the SHA-1 hash of your update with your private key; this signature is placed in your appcast. SparkleDotNET then uses your public key, which is distributed with your application, to verify this signature. If the verification fails, the update is not installed and is removed from the user's system.
The SparkleDotNET test application contains tools to create your key pair and then sign your updates with it. To create your public/private key pair, launch the application and click the "Create Public/Private Key Pair..." button.
IMPORTANT: Do NOT lose your public and private keys - back them up to a safe place as soon as you create them. If you lose your private key, you will no longer be able to issue updates for your application even if you create a new private key.
To sign an update, you need your private key and your final update distributable: the exact bits that will be placed on your web host for your users to download.
Again, you can use the SparkleDotNET test application to sign your update. Launch the application and click the "Sign File..." button, then choose your private key file and your update distributable. The signature will then be placed into the field below the "Sign File..." button, ready to be placed into your appcast.
Note: Public and private keys and signatures are saved as Base64-encoded data. If you create your own tools to create keys and signatures, remember to Base64 encode them!
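The sign-then-verify flow and the Base64 note above, as an added example that is not SparkleDotNET's own code. It assumes .NET's built-in `DSA` class with a single SHA-1 pass, a SubjectPublicKeyInfo-encoded public key, and .NET's default signature encoding; the page does not state the byte formats SparkleDotNET's tools use, so check interoperability against the test application before relying on it. The class name, payload, and key are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UpdateSignatureDemo // hypothetical name, not part of SparkleDotNET
{
    // Publisher side: DSA signature over the SHA-1 hash of the exact update bytes,
    // Base64-encoded so it can be pasted into the appcast.
    static string Sign(DSA privateKey, byte[] update) =>
        Convert.ToBase64String(privateKey.SignData(update, HashAlgorithmName.SHA1));

    // Client side: true only if the signature matches these bytes under the shipped
    // public key. Any decoding or parsing failure counts as "not verified".
    static bool Verify(string publicKeyB64, byte[] update, string signatureB64)
    {
        try
        {
            using var dsa = DSA.Create();
            dsa.ImportSubjectPublicKeyInfo(Convert.FromBase64String(publicKeyB64), out _);
            return dsa.VerifyData(update, Convert.FromBase64String(signatureB64),
                                  HashAlgorithmName.SHA1);
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException)
        {
            return false; // malformed Base64, key, or signature: fail closed
        }
    }

    static void Main()
    {
        using var key = DSA.Create(1024); // constructed throwaway key pair
        string publicKeyB64 = Convert.ToBase64String(key.ExportSubjectPublicKeyInfo());

        byte[] update = Encoding.ASCII.GetBytes("constructed update payload v1.1");
        string signature = Sign(key, update);

        byte[] tampered = (byte[])update.Clone();
        tampered[0] ^= 0x01; // a single flipped bit must invalidate the signature

        Console.WriteLine($"original : {Verify(publicKeyB64, update, signature)}");
        Console.WriteLine($"tampered : {Verify(publicKeyB64, tampered, signature)}");
        Console.WriteLine($"bad input: {Verify(publicKeyB64, update, "not base64!")}");
    }
}
```

Because the signature covers the exact bytes, sign the file only after every packaging step is finished; re-compressing or re-uploading a modified archive requires a new signature in the appcast.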