This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Please post checksum for downloads

binaryeric
binaryeric Senior Member
Since 1P is a security application and contains such a great deal of private information, it would be good if Agile could post a checksum (SHA1 for example) of the download file so that users that are downloading the file in an unfriendly location could verify that the application archive had not been modified.



Thanks

Comments

  • binaryeric
    binaryeric Senior Member
    [url="http://news.ycombinator.com/item?id=1999519"]For example....[/url]
  • khad
    khad Social Choreographer
    edited February 2011
    Hi Eric,



    Thanks for bringing this up. We've actually been planning a blog post to discuss this issue.



    We have MD5 sums for all of our downloads stored on a separate server.



    For example the one for our latest BETA is:



    http://cdn.agile.ws/aws/dmg/1PW3/English/1Password-3.5.5.BETA-3.zip.md5



    and for our latest full release is



    http://cdn.agile.ws/aws/dmg/1PW3/English/1Password-3.5.4.zip.md5



    The 1Password Updater does verify what it downloads against these.



    We certainly plan to have these on SSL (there is no need to have the entire download go through SSL when we can just do that for the signature), but we aren't quite there yet.



    In addition to verifying the download against the MD5 sums, we also take advantage of Apple's codesigning mechanism. You can verify your installation of 1Password with



    [code]codesign -v -R="identifier ws.agile and anchor trusted" /Applications/1Password.app[/code]

    in a Terminal window. This will verify that your copy of 1Password is indeed signed by us.



    Once we have our updater fetching the signatures from an SSL server we will post about this issue.



    So although we haven't completed every step in the process of protecting against malicious downloads, we are in the process of doing so, and some measures are already in place.



    Again, thanks for raising this topic.



    Cheers,
  • binaryeric
    binaryeric Senior Member
    This was all extremely helpful information. Thanks so much! It's great to know that issues like these are on your radar and they are in progress.



    Thanks,

    Eric
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Thank you, Eric.

    [quote name='binaryeric' timestamp='1296820600' post='20047']

    This was all extremely helpful information. Thanks so much! It's great to know that issues like these are on your radar and they are in progress.[/quote]

    Absolutely. We have been hardening our download verification process. Once all of the pieces are in place, we will discuss it more.



    Cheers,



    -j
  • binaryeric
    binaryeric Senior Member
    edited March 2011
    [quote name='khad' timestamp='1296798650' post='20034']



    In addition to verifying the download against the MD5 sums, we also take advantage of Apple's codesigning mechanism. You can verify your installation of 1Password with



    [code]codesign -v -R="identifier ws.agile and anchor trusted" /Applications/1Password.app[/code]

    in a Terminal window. This will verify that your copy of 1Password is indeed signed by us.



    [/quote]



    I just attempted this on the version I currently had downloaded ( 3.5.8 ) and it failed with the following error message:



    "test-requirement: failed to satisfy code requirement(s)"



    This has me very concerned. I am also unable to use the "update" function within 1Password to download updates. After each download completes, it fails with an error (I am assuming during the checking process). I have been downloading the files manually and verifying the MD5 checksum.



    I would greatly appreciate any information you can provide to help me to know if my 1Password app or the data has been compromised.



    Thanks
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='binaryeric' timestamp='1301193336' post='23335']

    I just attempted this on the version I currently had downloaded ( 3.5.8 ) and it failed with the following error message:



    "test-requirement: failed to satisfy code requirement(s)"



    This has me very concerned.[/quote]



    Can you try that command again with a few more "v"s? so that it is



    [code]codesign -vvv -R="identifier ws.agile and anchor trusted" /Applications/1Password.app[/code]



    This will give more verbose output.



    [quote]

    I am also unable to use the "update" function within 1Password to download updates. After each download completes, it fails with an error (I am assuming during the checking process). I have been downloading the files manually and verifying the MD5 checksum.[/quote]



    Can you post the actual error message you see? I might also ask you to dig into your 1Password.log and 1PasswordAgent.log which should contain more detailed messages about why an update may have failed.



    You can find those logs by using Console.app. Console.app lives in the Utilities folder under Applications. Once you've opened Console, you should navigate to ~/Library/Logs > 1Password > 1Password.log as shown in the attached image. You should be able to scroll back in that to see the last update attempt. (A successful one is shown in the attached image).



    In all likelihood this is going to be an innocuous error, but I fully understand why we need to check this out.



    Please let us know if you need more help with any of these instructions.



    Thanks!



    -j
  • binaryeric
    binaryeric Senior Member
    edited March 2011
    [quote name='jpgoldberg' timestamp='1301209183' post='23340']

    Can you try that command again with a few more "v"s? so that it is



    [code]codesign -vvv -R="identifier ws.agile and anchor trusted" /Applications/1Password.app[/code]



    This will give more verbose output.



    [code]

    /Applications/1Password.app: valid on disk

    /Applications/1Password.app: satisfies its Designated Requirement

    test-requirement: failed to satisfy code requirement(s)[/code]



    Can you post the actual error message you see? I might also ask you to dig into your 1Password.log and 1PasswordAgent.log which should contain more detailed messages about why an update may have failed.[/quote]



    [code][30881] Sun Mar 27 21:09:52 2011| == Opening log session ==

    [30881] Sun Mar 27 21:09:52 2011| Initializing new AGHtmlDatabase with path '/Users/xxx/Library/Application Support/1Password/Keychain/1Password.agilekeychain'.

    [30881] Sun Mar 27 21:09:52 2011| Dropbox folder: /Users/xxx/Dropbox

    [30881] Sun Mar 27 21:09:52 2011| Dropbox folder: /Users/xxx/Dropbox

    [30881] Sun Mar 27 21:09:52 2011| Versioned copy of extensions already exists at /Users/xxx/Library/Application Support/1Password/Extensions/30881

    [30881] Sun Mar 27 21:09:55 2011| Dropbox folder: /Users/xxx/Dropbox

    [30881] Sun Mar 27 21:09:56 2011| 1Password update available: {

    description = "1Password 3 for Mac 3.5.9 is now available. Would you like to download and install this new version now?";

    "download_urls" = (

    {

    name = Primary;

    url = "http://aws.cachefly.net/aws/dmg/1PW3/English/1Password-3.5.9.zip";

    },

    {

    name = "Backup (Agile Site)";

    url = "http://cdn.agile.ws/aws/dmg/1PW3/English/1Password-3.5.9.zip";

    }

    );

    header = "A new version of 1Password 3 for Mac is available!";

    "is_beta" = false;

    "release_notes_url" = "http://agilewebsolutions.com/autoupdate/relnotes?product=1PW3&from=30881&locale=English";

    "up_to_date" = false;

    "upgrade_to_buildnum" = 30884;

    "upgrade_to_name" = "3.5.9";

    }

    [30881] Sun Mar 27 21:09:56 2011| Resource '/Users/xxx/Library/Application Support/1Password/Extensions/30881/Resources/Update.nib' not found, falling back to main bundle.

    [30881] Sun Mar 27 21:12:58 2011| Codesign w/ params ((

    "-v",

    "-R=identifier ws.agile and anchor trusted",

    "/var/folders/P-/P-WU-z2gGWqUB3wmLRA3nE+++TI/-Tmp-/FD3FF47B-0D20-4369-A9CD-DCA841066085-504-00000A6024E0E4E4/1Password.app"

    )) failed with status (3): test-requirement: failed to satisfy code requirement(s)[/code]
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Thanks for posting all of that. Your system certainly is behaving exactly as if the version of 1Password you are downloading is damaged. What we need to do is figure out why.



    So there are a couple of things I would like you to do.



    In a Terminal window can you tell us what



    [code]dig aws.cachefly.net[/code]



    reports?



    Also I would like you to download http://aws.cachefly.net/aws/dmg/1PW3/English/1Password-3.5.9.zip without unzipping it. To make things in the Terminal simpler, please move the 1Password-3.5.9.zip file to your HOME folder.



    Then in the Terminal run



    [code]md5 ~/1Password-3.5.9.zip[/code]



    The result should look like:

    [quote]MD5 (/Users/jeffrey/1Password-3.5.9.zip) = 78c7d48432464d1f6101c218482f0a9c[/quote]

    Except that the "jeffrey" part will be your username.



    Finally, unzip that zip file, which will create a copy of 1Password.app in your home folder and once again we will check it with the codesign command



    [code]codesign -vvv -R="identifier ws.agile and anchor trusted" ~/1Password.app[/code]



    If the MD5 check is correct, but the codesign check fails, then we know that the download is correct, but that there is something wrong with codesign verification on your system. One possible test of this is to check



    [code]codesign -vvv -R="anchor apple" /Applications/Safari.app[/code]



    to see if codesign correctly verifies Safari.



    If both codesign and md5 report mismatches, we need to find out why you aren't getting a proper download.



    Thanks. Again, my inclination is that this is due to some sort of network or system configuration problem and not due to malice. On the other hand, we put in all of these checks on downloads exactly to prevent malicious downloads.



    Cheers,



    -j
  • [quote name='jpgoldberg' timestamp='1301256298' post='23367']

    [code]codesign -vvv -R="identifier ws.agile and anchor trusted" ~/1Password.app[/code][/quote]

    Not sure it'll be helpful but adding the "-d" option produces more output:



    [code]% codesign -dvvv -R="identifier ws.agile and anchor trusted" /Applications/1Password.app

    Executable=/Applications/1Password.app/Contents/MacOS/1Password

    Identifier=ws.agile

    Format=bundle with Mach-O universal (i386 ppc7400 x86_64)

    CodeDirectory v=20100 size=10437 flags=0x0(none) hashes=516+3 location=embedded

    CDHash=436fb70788569535dd97a62fd8a6e19f9c277366

    Signature size=3192

    Authority=Agile Web Solutions

    Authority=Thawte Code Signing CA

    Authority=Thawte Premium Server CA

    Signed Time=Mar 11, 2011 08:34:36

    Info.plist entries=23

    Sealed Resources rules=4 files=1181

    Internal requirements count=1 size=264

    [/code]
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi sjk!



    [quote name='sjk' timestamp='1301258221' post='23370']

    Not sure it'll be helpful but adding the "-d" option produces more output[/quote]

    That is helpful. Yes, let's go with three "v"s and one "d".



    [code]codesign -dvvv -R="identifier ws.agile and anchor trusted" /Applications/1Password.app[/code]



    Thanks!



    -j
  • binaryeric
    binaryeric Senior Member
    [quote name='jpgoldberg' timestamp='1301256298' post='23367']



    [code]dig aws.cachefly.net[/code][/quote]



    [code];; ANSWER SECTION:

    aws.cachefly.net. 120 IN A 205.234.175.175[/code]



    [quote name='jpgoldberg' timestamp='1301256298' post='23367']Also I would like you to download http://aws.cachefly.net/aws/dmg/1PW3/English/1Password-3.5.9.zip without unzipping it. Then in the Terminal run



    [code]md5 ~/1Password-3.5.9.zip[/code][/quote]



    [code]78c7d48432464d1f6101c218482f0a9c[/code]



    [quote name='jpgoldberg' timestamp='1301256298' post='23367']Finally, unzip that zip file, which will create a copy of 1Password.app in your home folder and once again we will check it with the codesign command[/quote]



    [code]codesign -vvv -R="identifier ws.agile and anchor trusted" 1Password.app

    1Password.app: host has no guest with the requested attributes[/code]



    [quote name='jpgoldberg' timestamp='1301256298' post='23367']If the MD5 check is correct, but the codesign check fails, then we know that the download is correct, but that there is something wrong with codesign verification on your system. One possible test of this is to check to see if codesign correctly verifies Safari.[/quote]



    [code]codesign -vvv -R="anchor apple" /Applications/Safari.app

    /Applications/Safari.app: valid on disk

    /Applications/Safari.app: satisfies its Designated Requirement

    /Applications/Safari.app: explicit requirement satisfied[/code]



    [code]

    codesign -dvvv -R="identifier ws.agile and anchor trusted" /Applications/1Password.app

    Executable=/Applications/1Password.app/Contents/MacOS/1Password

    Identifier=ws.agile

    Format=bundle with Mach-O universal (i386 ppc7400 x86_64)

    CodeDirectory v=20100 size=10437 flags=0x0(none) hashes=516+3 location=embedded

    CDHash=c79babaa6cb61d223eee44ed8a9e96d4bfc2b267

    Signature size=3192

    Authority=Agile Web Solutions

    Authority=Thawte Code Signing CA

    Authority=Thawte Premium Server CA

    Signed Time=Mar 5, 2011 2:49:44 AM

    Info.plist entries=23

    Sealed Resources rules=4 files=1180

    Internal requirements count=1 size=264

    [/code]



    It looks like the CDHash doesn't match what was posted. Is that relevant?



    Thanks,

    Eric
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Thanks for all of this Eric.





    [quote name='binaryeric' timestamp='1301755511' post='23779']

    ;; ANSWER SECTION:

    aws.cachefly.net. 120 IN A 205.234.175.175



    78c7d48432464d1f6101c218482f0a9c

    [/quote]



    Those are good responses from dig and md5. So it does look like there is no problem with the download. So the very good news is that there isn't anything malicious going on. The bad news is that we still don't know why the code signing verification has failed.



    [quote]

    codesign -vvv -R="identifier ws.agile and anchor trusted" 1Password.app

    1Password.app: host has no guest with the requested attributes

    [/quote]



    Oops. It looks like I gave you a slightly incorrect command to try.





    [quote]

    CDHash=c79babaa6cb61d223eee44ed8a9e96d4bfc2b267

    Signature size=3192

    Authority=Agile Web Solutions

    Authority=Thawte Code Signing CA

    Authority=Thawte Premium Server CA

    Signed Time=Mar 5, 2011 2:49:44 AM

    Info.plist entries=23

    Sealed Resources rules=4 files=1180

    Internal requirements count=1 size=264



    It looks like the CDHash doesn't match what was posted. Is that relevant?[/quote]



    That, and also notice that the signing times are different from what I had (and a few other differences). OK, I am now going to ask the developers whether they botched a signature and re-signed this between March 5 and March 11. It looks like we may have pushed two instances of 3.5.9. Though if that were the case, we should have had far more reports about the updater complaining. Maybe there was just a very small window during which there was a problem.



    If you are still having trouble updating, can you switch to fetching beta versions for a little bit? You can do this by going to the 1Password > Preferences window, selecting the Update panel, enabling the "Include Beta versions" checkbox, and then clicking Check Now. Once the update is installed, try the update again and see if that helps.



    After that, you can return to those preferences to uncheck the box by the Beta versions.



    Thanks!



    -j
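
Added example, not part of any post in this thread and not AgileBits code: a Python script that compares the two `codesign -dvvv` dumps posted above field by field, which is the comparison made by hand in the last reply. The names `parse_dump`, `diff_dumps` and `same_signer` are hypothetical; the field values are copied from the two dumps in the thread.

```python
# Added example: field-by-field comparison of two `codesign -dvvv` dumps.
# All field values below are copied from the two dumps posted in this thread.
TEMPLATE = """\
Executable=/Applications/1Password.app/Contents/MacOS/1Password
Identifier=ws.agile
Format=bundle with Mach-O universal (i386 ppc7400 x86_64)
CodeDirectory v=20100 size=10437 flags=0x0(none) hashes=516+3 location=embedded
CDHash={cdhash}
Signature size=3192
Authority=Agile Web Solutions
Authority=Thawte Code Signing CA
Authority=Thawte Premium Server CA
Signed Time={signed}
Info.plist entries=23
Sealed Resources rules=4 files={files}
Internal requirements count=1 size=264
"""
DUMP_FIRST = TEMPLATE.format(cdhash="436fb70788569535dd97a62fd8a6e19f9c277366",
                             signed="Mar 11, 2011 08:34:36", files=1181)
DUMP_SECOND = TEMPLATE.format(cdhash="c79babaa6cb61d223eee44ed8a9e96d4bfc2b267",
                              signed="Mar 5, 2011 2:49:44 AM", files=1180)

def parse_dump(text):
    """Map each field name (the text before the first '=') to its values.
    A list keeps repeated fields, such as the Authority chain, in order."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skip blank lines and anything that is not key=value
            fields.setdefault(key, []).append(value)
    return fields

def diff_dumps(a, b):
    """Return {field: (values_in_a, values_in_b)} for every differing field."""
    fa, fb = parse_dump(a), parse_dump(b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}

def same_signer(a, b):
    """True when both dumps carry the same identifier and Authority chain."""
    fa, fb = parse_dump(a), parse_dump(b)
    return all(fa.get(k) and fa.get(k) == fb.get(k)
               for k in ("Identifier", "Authority"))

if __name__ == "__main__":
    for field, (va, vb) in diff_dumps(DUMP_FIRST, DUMP_SECOND).items():
        print(f"{field}: {va} != {vb}")
    print("same signer:", same_signer(DUMP_FIRST, DUMP_SECOND))
```

`codesign -d` only displays what the signature claims; the `-v -R=...` form used earlier in the thread is what actually verifies it.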