How To Write an Automatic Update System Part 3 – Finding The Update

This is part 3 of a series, previous posts: part 1 ,part 2.

In part 1 I presented a quick hack of an auto-update feature, In this part I'll describe a real auto-update component, and one that can be implemented very quickly.

The first thing our auto-update component has to do is detect when an update is available, since we don't have much time to implement this feature (we have a lot of other more visible features we want to finish for this version of the software), we will take the easiest option possible – store a small file on the web site with details about the update.

This file can be XML – so we can use our platform XML parser and XPath implementations (that way we don't have to write code to parse the file and find the updates details in it).

We can have a file per version, per application or just one file for all the applications published by the company, it doesn't really matter – the important part is that the application has to be able to get to the file and read the relevant data.

The yaTimer updates file is an XML file with a list of updates, each update in the file contain 6 pieces of information:

  • Application name – because the file contains updates to all applications published by NBD Tech. Obviously if you have a file per application this data is not needed.
  • From Version – the version this update can be applied to, yaTimer uses the combination of application name and from-version to find the relevant update in the file. This data is only needed if you plan to have different upgrades for different versions (one upgrade program to upgrade from version 1 to version 3 and another to upgrade from version 2 to version 3).
  • To Version – this is the version the application will be upgraded to, this is displayed to the user when asking permission to upgrade.
  • Description – A long text that is displayed to the user when asking permission to upgrade, this text is used to tell the user what's new in the new version so he/she knows why to upgrade.
    You can make your work even easier by having this text in a web page and just have a button (with a descriptive text like "Details") that will open this web site – or even omit this entirely.
  • The Url of the file that contains the update – for yaTimer each update is packaged in a zip file, this means just one file per update and that the file is usually small. If you package your update differently you may need a list of files.
  • And last but certainly not least the digital signature for the zip file, see part 2 of this series as to why this is important. Obviously the digital signature can be stored in a different file or embedded in the update package itself – just make sure you can validate the signature without processing the update file (if, for example,  you have to unpack a zip file before verifying the signature an attacker might try to feed your program a malformed zip file that exploits a bug in your zip unpacking library, but if you can verify the signature before unpacking, you will never pass that malformed file to the library in the first place).

Now the application has all the information it needs to download and install the update, and this will be the topic of the next post in this series.

posted @ Tuesday, June 26, 2007 3:47 PM

Comments on this entry:

No comments posted yet.

Your comment:



 (will not be displayed)


 
 
Please add 4 and 2 and type the answer here: