XULRunner Application Security Implementation - security

I'd like to incorporate security features in my standalone XULRunner app. Specifically, I'd like to use security certificates to validate the app executable as downloaded by a user. From what I've seen, it's called code signing. But I'm very green in this area. Any pointers on how to proceed? Thanks in advance.

The certificate functionality built into XULRunner isn't meant to validate signatures of Windows executables - you would need to use Windows functions for that (e.g. via js-ctypes). Not going to be simple however, here you can see how that check works in C++ code.
However, if you are merely downloading an update to your application then maybe using an HTTPS connection would be sufficient - the origin of the executable is verified then (won't help you if that server is hacked however).

Related

Unlock password in Qt Installer Framework

I'm using Qt Installer Framework to install my Linux app in several OS like Redhat/Centos and Ubuntu. It works nice but for compliance reasons I have to add a step where the user is mandated to enter a key that will be stored with the application binaries. This encrypted text key will unlock features in the given application.
I'm not looking for a hacker-proof solution, just something that I can legally claim the user had to do in order to install the binaries. This is to protect us in court, so the client does not claim they just downloaded the software from the internet and ran it. We have to say that the only way they were using the application is by either tampering with the installer, copying from another client (which is illegal) or actually agreeing with the EULA conditions.
The way that currently is, the binaries are stored with vanilla compression (7zip) in the web server (I only allow online installer) and anyone can download and unpack the 7zip container thus creating a legal breach.
There's an option in the package to display a License Agreement prior to installing the binaries. It is mandatory to accept the term before you can proceed.
Wouldn't that be enough for your use case?
You can have a look at the official Qt IFW Documentation to have a look at the "Licenses" xml element or directly into the translation example.
Regards

Is "de.mynodejs.net" a trojan?

I am a full-stack developer but since I installed my new antivirus program (malwarebytes) I always receive the following notification (see image below).
I work a lot with node.js (REACT, REACT-Native) therefore I am unsure if that is a virus.
I guess it is.
They provide a JS function to convince Windows Defender not to report back on files.

Package node.js app as cross-platform executable, not for desktop app

There are a lot of questions on this topic, but they don't seem to distinguish between executables for desktop or server-side apps. I suppose my first question would be: what's the difference? For example, Zeit/pkg says they are a "node.js binary compiler", whereas nwjs (formerly node-webkit) says they are "an app runtime based on Chromium and node.js".
I tried zeit/pkg and it works great, but have read that there can be performance issues unless it's configured properly. I wanted to make sure I was choosing the right tool and came across nwjs. It seems to do a lot of the same stuff pkg does, but has a larger following, as well as more docs and a robust api. Can I use nwjs as a server-side executable (i.e. not using the desktop feature) the same way I would use pkg?
This answer states that nwjs "is an option, but it really isn't set-up to do a server - client type relationship", but then a comment says "you can launch a server from node-webkit just in the way you launch it in Node.js. It's just that node-webkit provide another way beyond B/S architecture".
So, is nwjs effectively the same as pkg, or fundamentally different?
I realize that there's also Electron, which states "build cross platform desktop apps" and appears similar to nwjs. I'm not trying to get into an Electron vs nwjs debate, but rather desktop vs. server, if there's a difference.
You've got most things already; only a few clarifications are needed. The reason nw.js / Electron declares itself as being for desktop applications is that its core architectural design is intended to integrate node.js with Chromium so that you can create applications that have a UI. You can still use part of those frameworks (the node.js side) without initiating a visible UI; in that case, behavior-wise, it'll be similar to plain node.js. Still, there is a caveat: as it is already tightly integrated with Chromium at its core, in some cases you need a screen for Chromium to initialize correctly (or a virtual buffer, as a lot of CI setups create, etc.).
Also, when your concern is performance, I doubt using a UI framework for server-side work achieves what you desire: while it won't be huge, the integration between node and Chromium obviously has overhead compared to bare node.js.
Getting back to the original question, I feel the question itself is somewhat vague. If the intention is truly a server-side application, you probably won't need to package it, but rather correctly deploy node and its dependency modules, or package it in some sort of installable manner, instead of creating a single binary as pkg does.

Sandboxed plugins for Node.js

I'm a complete Node noob, so I apologize if this question has an obvious answer.
I'm looking to create a web app that will run plugins from untrusted sources (i.e. community submissions). So I need to lock down those plugins into a sandbox where only certain access is allowed (can't write to disk, etc.). Ideally, the plugin would only be able to use certain approved node packages and APIs.
Is this possible in Node? If so, can you point me toward a package or documentation that will get me started?
Here is a small list of projects that can help you:
https://github.com/gf3/sandbox
https://github.com/hflw/node-sandbox
https://github.com/bcoe/sandcastle
https://github.com/wearefractal/boxy
I suggest the first one (sandbox) since it's more mature.
I would also contribute to the list with my library: https://github.com/asvd/jailed. In addition to the sandboxing of the untrusted code (in a restricted subprocess), it gives an opportunity to export any set of functions inside the sandbox thus defining a custom API for the sandboxed code.

BlackBerry Code Signing on Linux without GUI

After a lot of searching I have yet to find a way to sign a BlackBerry application on a Linux distribution with no GUI.
As of right now I'm getting the error "Unable to request signatures until this application has completed the initial key generation.". The problem is I'm not able to register the CSI files it seems via CLI. Has anyone accomplished this without setting up X11?
Yes, it's definitely possible to do this on a headless Linux box. Heck, I do it on a headless Solaris/UltraSPARC server :-)
For actually running the tool, I like http://bb-ant-tools.sf.net/ . If you are using an older version of the signature tool, you may need to make some modifications as described on http://slashdev.ca/ .
While the tool is fully controllable from command-line parameters, it does unfortunately still require access to a running X server to function. The workaround for this is to install "Xvfb" (a fake X server for purposes like this), launch it in the background on your system, then set the DISPLAY variable so the signature tool will use it for its non-interactive GUI.
Blackberry sigtool may not be supported in Linux and it may be only partially working. BB dev tools are still Windows-centric.
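
The Xvfb workaround described in the answers above, written out as a reusable wrapper. This is an added example, not code from the original posts or from the BlackBerry tools; the function names and the `SIGN_CMD` placeholder are assumptions, and the wrapper assumes Xvfb keeps its sockets under `/tmp/.X11-unix`.

```shell
#!/bin/sh
# Added example: run a GUI-bound command-line tool on a headless box under Xvfb.

# Print the first X display (":99" upward) with no lock file or socket.
# $1 is the directory holding the X lock files (default /tmp).
free_display() {
    dir="${1:-/tmp}"
    n=99
    while [ -e "$dir/.X${n}-lock" ] || [ -e "$dir/.X11-unix/X${n}" ]; do
        n=$((n + 1))
    done
    echo ":$n"
}

# Start Xvfb, run "$@" with DISPLAY pointing at it, then stop Xvfb.
# Returns the exit status of the wrapped command.
run_headless() {
    command -v Xvfb >/dev/null 2>&1 || { echo "Xvfb is not installed" >&2; return 127; }
    disp=$(free_display)
    # -nolisten tcp keeps the fake display off the network.
    Xvfb "$disp" -screen 0 1024x768x24 -nolisten tcp >/dev/null 2>&1 &
    xvfb_pid=$!
    tries=0
    # Wait (up to about 5 s) for the display socket before launching the tool.
    while [ ! -e "/tmp/.X11-unix/X${disp#:}" ]; do
        tries=$((tries + 1))
        if [ "$tries" -gt 50 ] || ! kill -0 "$xvfb_pid" 2>/dev/null; then
            kill "$xvfb_pid" 2>/dev/null || true
            echo "Xvfb did not come up on $disp" >&2
            return 1
        fi
        sleep 0.1
    done
    rc=0
    DISPLAY="$disp" "$@" || rc=$?
    # Always tear the fake display down, even when the tool failed.
    kill "$xvfb_pid" 2>/dev/null || true
    wait "$xvfb_pid" 2>/dev/null || true
    return "$rc"
}

# Usage (SIGN_CMD is a placeholder for your own signature-tool invocation):
#   run_headless $SIGN_CMD
```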
