Please provide a signed version file as per the recent KeePass discussion: https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/
As of now it is only possible to provide KeePass with an HTTPS URL for version checking. But the redirect to http://keepass.info/plugins.html is not secured, thus making the use of HTTPS for the version check kind of useless (at the very least when there is an official update available).
The KeePass Plugin System as of v2.34 does not provide any means to implement signature checks for plugins (yet), neither for the version information file nor for the binaries / source code. And for various technical reasons I suspect that is not going to change anytime soon.
Simply digitally signing the binaries is also not possible, as the plugin is distributed in the .plgx format as source code, which is compiled at runtime, and on top of that it makes use of unsigned Google API DLLs.
The plugin has to be updated manually by replacing the .plgx file. So even trying to implement our own signature checking is useless.
For now you just have to be sure you only download from sourceforge.net via HTTPS.
Last edit: Uranium235 2016-06-12
I have to revise my statement concerning signature checks for the version information file. KeePass 2.34 does seem to provide a method to supply KeePass with a public RSA key (UpdateCheckEx.SetFileSigKey).
Not sure if that would break backwards compatibility with KeePass versions >= 2.18 and < 2.34 though. I will see what I can find out...
Anyway, it would still not solve the issue that there is no SSL for the KeePass plugins website. And since the whole point of signing is to mitigate MITM attacks, if the URL the update screen redirects you to is not secured, an attacker can still tamper with the "update process". It only really makes sense when the whole chain is secured.
You know what they say: a chain is only as strong as its weakest link.
Last edit: Uranium235 2016-06-15
There is a SHA checksum for the zip file at https://sourceforge.net/p/kp-googlesync/support/GoogleSyncPlugin-2.1.2/
There is a direct link to the above page in Support Section > Getting Started
New release available
Changes made in this release: [GoogleSyncPlugin-2.1.2].
Please let me know if there is a better place on the plugin's SourceForge page, if it was too hidden or hard to find, and I can move it there.
Assuming my site is hacked with wrong version info, users would still get redirected to the KeePass plugins page when they double-click the plugin in the "check for updates" popup.
Dominik does not host this plugin on his website; it just links to this SourceForge page. So a hacker would have to hack both the KeePass website and my website at the same time, or somehow manage to redirect all users' traffic to his/her page with an infected file to download.
If users always download from SourceForge, it would be the safest option.
If users download an infected plugin file, the hash of the original zip file I provided wouldn't match with the infected file.
Does this resolve the issues? Once the file is downloaded on the computer, please check the hash sum value (a Google search returns lots of online websites that validate a file against a hash).
I will try to read up on the new function provided in KeePass ... UpdateCheckEx.SetFileSigKey, and see if it can be implemented in our plugin.
I currently don't have the means to provide an SSL website for version checks, which is why I don't host the plugin file anywhere else except on SourceForge.
Hmm, I wonder if I can host the version check file on SourceForge too.
Last edit: Danyal 2016-07-16
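The two points argued in this thread, a signed version-information file (the UpdateCheckEx.SetFileSigKey idea) versus a bare checksum published next to the download, can be tried out end to end with openssl. The script below is an added example and is not code from the GoogleSync plugin or from KeePass. What it assumes, and the thread does not state: the "Name:Version" layout of the version file, SHA-256 RSA detached signatures as the signing scheme, and the file names used; KeePass's actual signed-file format may differ, so this only demonstrates the trust model, not the exact bytes KeePass expects.

```shell
#!/bin/sh
# Added example (not the plugin's or KeePass's own code): a detached RSA
# signature over the version-information file, checked against a public key
# that ships inside the plugin, plus a download hash check and its limit.
# Assumed, not from the thread: the "Name:Version" line format, openssl
# SHA-256 RSA signing, and all file names below.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Author side, one-off: the private key stays offline; the public key is
# compiled into the plugin (the thread's UpdateCheckEx.SetFileSigKey is
# where KeePass would receive it).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/author.key" 2>/dev/null
    openssl pkey -in "$WORK/author.key" -pubout -out "$WORK/author.pub" 2>/dev/null
}

# Author side, per release: publish the version file with its signature.
sign_version_file() {   # $1 = released version, e.g. 2.1.2
    printf ':\nGoogleSyncPlugin:%s\n:\n' "$1" > "$WORK/version.txt"
    openssl dgst -sha256 -sign "$WORK/author.key" \
        -out "$WORK/version.sig" "$WORK/version.txt"
}

# Client side: trust the file only if the detached signature verifies.
# Returns 0 on a valid signature, non-zero otherwise.
verify_version_file() {
    openssl dgst -sha256 -verify "$WORK/author.pub" \
        -signature "$WORK/version.sig" "$WORK/version.txt" >/dev/null 2>&1
}

# Client side: the advertised version, to be read only after verification.
advertised_version() {
    sed -n 's/^GoogleSyncPlugin://p' "$WORK/version.txt"
}

# What a man-in-the-middle on a plain-HTTP hop can do: rewrite the file
# (here: advertise a bogus new release) but not re-sign it.
tamper_version_file() {
    sed 's/^GoogleSyncPlugin:.*/GoogleSyncPlugin:9.9.9/' "$WORK/version.txt" \
        > "$WORK/version.tmp" && mv "$WORK/version.tmp" "$WORK/version.txt"
}

# Download check: SHA-256 of the fetched zip against the published digest.
# Limit: if digest and zip come from the same compromised or MITM'd origin,
# the attacker just publishes the digest of the infected file, so this only
# helps when the digest arrives over a channel the attacker does not control
# (HTTPS to a different host, or a signed file).
check_download_hash() {   # $1 = downloaded file, $2 = expected hex digest
    actual=$(openssl dgst -sha256 "$1" | sed 's/^.*= //')
    [ "$actual" = "$2" ]
}

# Stand-alone walkthrough; run with: sh signed_update_check.sh demo
demo() {
    make_keys
    sign_version_file 2.1.2
    verify_version_file && echo "genuine file: signature OK, version $(advertised_version)"
    tamper_version_file
    if verify_version_file; then
        echo "BUG: tampered file verified"
    else
        echo "tampered file (claims $(advertised_version)): signature REJECTED"
    fi
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The point the walkthrough makes is the one from the thread: once the public key travels inside the plugin, the transport of the version file no longer has to be trusted, and a tampered file is rejected whatever URL it came from. The checksum step, by contrast, is only as strong as the page it is read from; a hash that an attacker can rewrite alongside the zip adds nothing, which is the "whole chain" argument in practice.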