Signing & Verifying Patches
As an additional layer of security against man-in-the-middle attacks, you can sign your VersionInfo and/or PatchInfo files. Then, while patching your app, you can verify their signatures to make sure that they are genuine. This ensures that the hashes and file sizes stored in these files have not been tampered with, which in turn makes it possible to detect whether or not downloaded patch files are genuine.
Signing & verifying your patches is optional but highly recommended.
To use the built-in functions to sign/verify your patches, you must first generate an RSA key pair. Then, you can sign & verify your patches with these keys:
It is also possible to write your own functions to sign/encrypt and verify/decrypt your patches instead of using the built-in functions.
SimplePatchTool doesn't need to know how you sign or encrypt these files, so feel free to use any code/application for this job. You just have to let SimplePatchTool know how to verify/decrypt your patches, which can be achieved via the UseVersionInfoVerifier and/or UsePatchInfoVerifier functions of SimplePatchTool.
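A custom sign/verify pair of the kind described above, as an added example that is not SimplePatchTool's own code. The class name, the trailing-comment signature envelope and the sample XML are all constructed for illustration, and the `ref string`/`bool` shape of `Verify` is an assumption: wrap it to match whatever delegate type UseVersionInfoVerifier and UsePatchInfoVerifier expect.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class DetachedXmlSignature
{
    // Constructed envelope: the XML, a newline, then this marker, a base64 RSA signature and "-->".
    const string Marker = "<!--SIG:";

    // Build side: sign the UTF-8 bytes of the XML with the private key (never shipped to clients).
    public static string Sign(string xml, RSA privateKey)
    {
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(xml),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return xml + "\n" + Marker + Convert.ToBase64String(sig) + "-->";
    }

    // Client side: needs only the public key. On success, xml is replaced by the
    // payload that was verified, so the caller parses exactly the signed bytes.
    public static bool Verify(ref string xml, RSA publicKey)
    {
        int at = xml.LastIndexOf("\n" + Marker, StringComparison.Ordinal);
        if (at < 0 || !xml.EndsWith("-->", StringComparison.Ordinal)) return false; // unsigned: reject
        string payload = xml.Substring(0, at);
        int start = at + 1 + Marker.Length;
        byte[] sig;
        try { sig = Convert.FromBase64String(xml.Substring(start, xml.Length - start - 3)); }
        catch (FormatException) { return false; } // malformed signature: reject
        if (!publicKey.VerifyData(Encoding.UTF8.GetBytes(payload), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return false;
        xml = payload;
        return true;
    }

    public static void Main()
    {
        using RSA priv = RSA.Create(2048);
        using RSA pub = RSA.Create();
        pub.ImportParameters(priv.ExportParameters(false)); // public half only

        // Constructed sample, not the project's real VersionInfo schema.
        string signed = Sign("<Files><File path=\"app.exe\" hash=\"aa11\" size=\"42\" /></Files>", priv);

        string genuine = signed;
        Console.WriteLine("genuine:  " + Verify(ref genuine, pub));   // True
        string tampered = signed.Replace("size=\"42\"", "size=\"43\"");
        Console.WriteLine("tampered: " + Verify(ref tampered, pub));  // False
        string unsigned = "<Files />";
        Console.WriteLine("unsigned: " + Verify(ref unsigned, pub));  // False
    }
}
```

The verifier fails closed: a file with no signature, a malformed signature, or a signature that does not match is rejected rather than passed through unverified.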