
GPG Keychain Access uses plain HTTP to fetch updates
Reported by abhr | April 9th, 2011 @ 03:58 AM | in 1.2 (closed)
Hi guys,
it seems like Sparkle is not configured to fetch updates via HTTPS.
Since you seem to already be using AWS, may I suggest implementing
S3 for updates directly and not CloudFront? It will prevent
the update from being hijacked.
Cheers!
Comments and changes to this ticket
-
Alex (via GPGTools) April 9th, 2011 @ 01:00 PM
- State changed from new to hold
- Assigned user set to Mento
IMHO it's unnecessary to fetch and publish updates via HTTPS since they are digitally signed. If someone hijacks the update process, GPG Keychain Access will refuse to install it.
-
Mento April 9th, 2011 @ 01:38 PM
- State changed from hold to invalid
As Alex has stated: It is not necessary.
-
steve July 25th, 2013 @ 09:08 PM
- Tag cleared.
- Importance changed from High to Low
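
The check the first comment relies on, as an added example (not GPGTools or Sparkle code): the client verifies each download against a public key shipped with the installed application, so a file altered or re-signed in transit is refused. The scheme (ECDSA P-256 with SHA-256 via the `openssl` CLI), the keys, file names and payloads are assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Keys, file names and payloads are constructed for the demo;
# ECDSA P-256 with SHA-256 is an assumed scheme, not taken from the ticket.

make_keys() {      # $1 = directory that receives key.pem and pub.pem
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" 2>/dev/null &&
  openssl ec -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
}

sign_update() {    # vendor side: $1 = private key, $2 = archive, $3 = signature out
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_update() {  # client side: $1 = pinned public key, $2 = archive, $3 = signature
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

check() {          # print the client's decision for one download
  if verify_update "$2" "$3" "$4"; then echo "$1: install"; else echo "$1: refuse"; fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  mkdir "$d/vendor" "$d/other"
  make_keys "$d/vendor" && make_keys "$d/other" || return 1
  printf 'constructed update payload\n'   > "$d/update.zip"
  printf 'constructed replaced payload\n' > "$d/replaced.zip"
  sign_update "$d/vendor/key.pem" "$d/update.zip"   "$d/update.sig"
  sign_update "$d/other/key.pem"  "$d/replaced.zip" "$d/replaced.sig"

  # The client only trusts the vendor public key shipped with the installed app.
  local pinned="$d/vendor/pub.pem"
  check "unmodified download"          "$pinned" "$d/update.zip"   "$d/update.sig"
  check "replaced file, old signature" "$pinned" "$d/replaced.zip" "$d/update.sig"
  check "replaced file, re-signed"     "$pinned" "$d/replaced.zip" "$d/replaced.sig"
  rm -rf "$d"
}

demo
```

Only the first case prints `install`; both replaced files are refused because neither signature verifies under the pinned vendor key.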