dmarkwick 261 Posted September 20, 2007

There seems to be a need for a general signatures discussion thread, allow me to kick one off starting with a quote from Q:

The signature system is meant actually quite different (as far as my understanding goes of course). Every addon which can be used in MP should have a public signature from the original author. The signature should be bundled to the addon (in the download / zipped file) itself or only be available on trusted sites (gathering CRC sums for signatures would be a good idea IMHO to verify the authenticity of the signature file. Maybe OFPEC would be a good place for gathering those).

Now with the signature file every server admin can decide whether he wants to explicitly allow the addon/every file signed with the given key on his server (by putting the key on his server) or not (by not doing it). Via server side scripting one should be able to do additional logic on unsigned data, like "if addon name == xyz, no action, else kick user" etc. (onUnsignedData - params: user id, file name)

---

So from my understanding a few thoughts:

1) If an addon maker signs his xxx different addons with the same key, they can be allowed and disallowed only as a whole. So it seems better to have one key pair for every addon.

2) Once you update an addon, you could just use the original private key to sign it again. However this sounds like a bad idea to me. If you sign the addon with a new key, a server admin could disallow (= not allow // not having the key file on the server) outdated versions of an addon and allow only the latest version of the addon.

3) Based on the patching topic a nice addition to the system would be a disallowKey folder on the server, where an admin could move the outdated keys of outdated addons. By this one could handle any addon specifically. Otherwise for now the system works on not putting the key file on the server and disallow every unsigned addon or use server side scripting for that (if it's possible at all). So this idea would help to manage outdated and unwanted _signed_ addons very much!

reference:
http://community.bistudio.com/wiki/ArmA:_Server_Side_Scripting
http://community.bistudio.com/wiki/ArmA:_Addon_Signatures

PS: We haven't done testing on this yet. So this is just assumption on my side based on the info available. No guarantee on my statements though! Sorry for any illogical or bad thinking on my side.

PSS: Certain aspects of best cheat protection and handling is still to be developed.

Edited by Q on Sep. 20 2007,14:52

To which I responded:

Once you update an addon, you could just use the original private key to sign it again. However this sounds like a bad idea to me. If you sign the addon with a new key, a server admin could disallow (= not allow // not having the key file on the server) outdated versions of an addon and allow only the latest version of the addon.

This sounds like a good idea and a bad idea to me. I can see how updates to some addons can vary quite a lot between versions, even causing quite dramatic differences in what each player sees. However I don't think we need a situation where rapidly developing addons constantly need to generate new keys for each new version. I wish there were a system of key + version number perhaps.

I think we need a separate thread for this topic
cross 1 Posted September 20, 2007

key-version combination actually means creating multiple signatures. create a sig as matt-effectsv1.bikey then matt-effectv2.bikey and servers take the first one out and use the second one or keep both if they are happy. But this would be sig-whoring as Q said..

another pro to this is a server may not want to use some other addons from Matt. So the best thing i guess would be to create multiple signatures like..

matt.bikey (universal)
matt-effectsv1.bikey
matt-effectsv2.bikey (latest)

matt signs all his addons with matt.bikey
matt signs relevant addon with relevant bikey.

So..matt issues 2 signatures (for his effects addon) signed by 1) matt.bikey and 2) matt-effectv2.bikey and any server who is willing to accept anything that might come from matt would put the "matt.bikey" (bc matt would sign all his addons with this) or just puts the "matt-effectsv2.bikey" if wants to limit to the effects only..

PS..saw it afterwards
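The trade-off between a universal key, per-version keys and the proposed disallowKey folder, as an added example that is not part of the thread and is not ArmA code. It is a toy model and assumes that an addon can carry several signatures, that a server accepts a file if any signing key is in its key folder, and that a disallow entry overrides an allowed key; the .pbo names are constructed.

```python
# Toy model of the key-folder policy discussed in this thread (not ArmA code).
# Assumptions: an addon may carry several signatures, a server accepts it if
# any signing key is in its key folder, and the proposed "disallowKey" folder
# overrides that. Key names follow the thread; addon file names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Addon:
    name: str
    signed_by: frozenset  # names of the keys the author signed this file with


def verdict(addon, key_folder, disallow_folder=frozenset()):
    """Return 'accept', 'revoked' or 'unsigned' for one addon on one server."""
    if addon.signed_by & disallow_folder:
        return "revoked"          # a deny entry wins over any allowed key
    if addon.signed_by & key_folder:
        return "accept"
    return "unsigned"             # server would treat it as unsigned data


def evaluate(addons, key_folder, disallow_folder=frozenset()):
    """Map each addon name to its verdict under one server configuration."""
    return {a.name: verdict(a, key_folder, disallow_folder) for a in addons}


# Constructed sample: matt signs everything with matt.bikey plus a per-version key.
ADDONS = [
    Addon("effects_v1.pbo", frozenset({"matt", "matt-effectsv1"})),
    Addon("effects_v2.pbo", frozenset({"matt", "matt-effectsv2"})),
    Addon("other_matt.pbo", frozenset({"matt"})),
    Addon("stranger.pbo", frozenset({"someone-else"})),
]

if __name__ == "__main__":
    servers = {
        "universal key only": ({"matt"}, set()),
        "version key only": ({"matt-effectsv2"}, set()),
        "universal + disallow v1": ({"matt"}, {"matt-effectsv1"}),
    }
    for label, (keys, denied) in servers.items():
        print(label, evaluate(ADDONS, frozenset(keys), frozenset(denied)))
```

With only the universal key installed, the outdated effects_v1.pbo is still accepted, so version gating needs either the per-version key alone or a deny entry.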
MEDICUS 0 Posted September 20, 2007

Wouldn't it be possible to check this via for example MD5?
rundll.exe 12 Posted September 20, 2007

Wouldn't it be possible to check this via for example MD5?

http://www.flashpoint1985.com/cgi-bin....1154795

EDIT: there is this similar thread in MP already with some good explanations, so no need for this one I guess?
cross 1 Posted September 20, 2007

i agree..followup under dsutils topic under MP and delete this one