ozzi- / php-app-updater Goto Github PK

Hello @ozzi- from a fellow CH living abroad :)

This is a cool library that you have created here, and I have adopted it (with some changes and refactoring) to a project of mine.
I was however wondering what the purpose of checkSignature.sh file is?
I get it - it validates the signature. But we just created that signature ourselves on our server using our zip file.
So why would we want to validate it?
The end user (client) wouldn't use this file anyway, so I am confused as of why we as the "owners" would use it.

Then out of curiosity I run it, and surprisingly it told me that the signature was invalid (something with "tabs incorrect")
I am pretty sure the signature is valid as I had just created it, and also the entire process works just fine.

Mind to shed some light?

---

A few details

• I noticed that updateDB.sh uses (probably) windows EOLs and throws errors when used (on unix systems).
  Simple trick here was to resave the file using an IDE and set the EOLs to unix instead. Perhaps worth a note on the readme?
• Further I thought it might be useful to the new users to get a heads up about file permissions on the server. By default, servers would save all files with public read permissions (644). In my case, being a bit paranoid, I used these permissions (all files owned by a dedicated user, not root):
  createKeyPair.sh 400
createSignature.sh 500
db.json 644
hash 600 (I amended the createSignature.sh file to include a chmod 600 hash on line to to achieve this automatically)
  index.php 644
private_key.pem 600
public_key.pem 644
signature 644
updateDB.sh 400
  This seem to be the least required capabilities to have the system working.

Thanks for the work you did on this, it was a great kickstarter for me.