This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
idan37s
Level 3
‎May 19, 2019 04:04 AM

FlexNet Connect verification of downloadable exe file Checksum or Digital Signature doesn't work

Hi,

I'm using FlexNet Connect (https://publisher.flexnetoperations.com/) and defined a Product Update which is an executable file for windows platform.

I tried using the feature "Validate digital signature" but it doesn't seem to work for me.

I have tried both available options "Signed Executable" and "SHA-1 Hash (Hex)", but no matter what value I enter in the "Security signature" textbox, it doesn't validate the actual file when the client\agent is downloading\running it.

A few notes:

- Our executable setup update file is digitally signed with a valid certificate,
I tried putting the public key and the signer name in the "Security signature" textbox.

- I also tried generating a CRC hash based on SHA-1 and putting it in "Security signature" textbox.

None of the above worked.

 

Do I need to do something else in order for this feature to work (may be activate a flag in the client side or call a specific function, etc.)?

 

Thanks, Idan.

 

0 Kudos
(3) Replies
gschmitt
Level 2
‎May 24, 2019 03:45 PM

We are using sha1 signatures since years. It works, that means:
when I corrupt a file on the server and download it, FNC-SDK detects that the SHA1 does not match and signals an exception.
When I download the uncorrupted file it works in 99.9%

But we see some
FlxDotNetClient.InvalidSignatureException, message=A service system error was encountered: Signature didn't pass validation. [1,7E0,8,1[7000001E,0,20050307]]
where we do not know where they are coming from. We use https  for download, so there should not be a "man-in-the-middle" attack.
I personally never had that issue, but some of our customers have, we see that in anonymous error logs that are uploaded.

0 Kudos
idan37s
Level 3
In response to gschmitt
‎May 26, 2019 08:54 AM

Hi, Do you know which function is throwing the exception? I entered a wrong hash and haven't got any indication of the invalid signature.
0 Kudos
gschmitt
Level 2
In response to idan37s
‎May 27, 2019 02:05 AM

We have a Unit Test for that (we have developed our own FNC client using API of FNC 2017 R3).
It downloads a file and in the definition of a MultiPlatform Update used for this test we have set SHA1 to a wrong value.

During the Unit Test we first check for Updates of the corresponding product and then download this test Update using FNC method INotificationUpdate:DownloadAndExecute, for which we have defined a callback like

private NotificationUpdateStatus DownloadDelegate(NotificationUpdateStage stage, long currentSize, long totalSize, INotificationUpdate update, Exception exc)

which is given to DownloadAndExecute as 3rd parameter.

At the end of the download of the file with the wrong SHA1 this DownloadDelegate gets called by the FNC API with

stage = DownloadFail
exc.Message = "A service system error was encountered: Signature didn't pass validation. [1,7E1,B,0[7000001E,0,200502F7]]"

That's how we detect downloads with wrong signatures in our FNC client.

As I said in my first reply: we wonder that our client really sometimes reports such invalid signatures, although we use https for download. I thought that https is safe and reliable, but it seems not in all cases.

0 Kudos