Force, block and accept addons?

[andersson 285]

I been trying to find information about addons and dedicated servers.

What I want is to have 1 or 2 modfolders that is forced upon the players, they need them to be able to connect. The modfolders have to be identical to the server's.

At the same time I want them to have the possibility to have one modfolder where they can put addons of their choice, but only from a list of accepted addons.

How to do this?

I know that I can force players to use the identical setup as the server, but that blocks the modfolder with addons of their choice.

I know that I can use checks to make sure they are only using addons that are accepted, but how to force them to use needed addons?

How to combine the two of them?

[Defunkt 431]

I believe...

CheckFiles[] = {"HWTL\dta\data3d.pbo", "dta\data3d.pbo"};

...might be turned to this purpose by adding more files to the array. Not sure which of the server-side script actions (OnUnsignedData / OnHackedData / OnDifferentData) would be called on a failed check as I've never tried to set this up. If you have any joy with it please post a how-to.

The simple way (but the way which requires ongoing maintenance) would be to open each mission on the server and reference the required addons within these instead.

[andersson 285]

Ok. But how to limit the users to a set list of accepted addons? A list of addons they can use if they want to?

Examples of addons like that is addons that help performance. If I put them in the checkfiles array they are needed by all, I want them to be optional.

At the same time block other addons and force some on all..

[Defunkt 431]

Optional addons are handled by VerifySignatures = 1; just add the keys for the permitted addons to the server's keys folder.

[andersson 285]

Aha, so CheckFiles is what is as minimum required? So if I put all required files there all user without them cant join?

So I have VeryfySignatures=1 so all addons need to be accepted (both required and accepted), then I add the required addons to the CheckFiles array?

Thanks, exactly what I needed to know!

[Defunkt 431]

That's the theory though I've not read of anyone using CheckFiles successfully yet. As said, if you do let us know how, if not you can always add the addons as mission requirements instead.

[Taxman 10]

I always thought that checkfiles was just to make sure the client hadnt edited anyhting they shouldnt ? just a filechecker to keep the NOOB cheats away.. the serious ones can bypass it anyway.. nowt to do with your addons/mods etc... .... although im very often wrong lol..

[walker 0]

Hi andersson

Check files is I think depreciated, slow and outdated as it compares every bit of a file on every client on against what is on the server. Do not use it.

The new method is VerifySignatures = 1

Just use that.

It is explained in the BIS wiki

http://community.bistudio.com/wiki/server.cfg

Kind Regards walker

Edited February 13, 2010 by walker

[Defunkt 431]

VerifySignatures isn't enough to do what he wants, specifically make certain addons mandatory.

[Deadfast 43]

Required addons are defined in the mission files.

[walker 0]

VerifySignatures isn't enough to do what he wants, specifically make certain addons mandatory.

Hi Defunkt

You are incorrect.

Player cannot do any of the following if he wants to pass signature verification:

modify signed addons

use unsigned addons

use addons which are signed, but not by an accepted signature

http://community.bistudio.com/wiki/ArmA:_Addon_Signatures#What_is_checked

My use of bold in quoted text in order to emphasize that you cannot use any file without a signature.

You make an addon mandatory by putting it in with a Signature.

Ask Terrox of Zeus how to do it. Zeus have a required and optional addons setup.

Kind Regards walker

Edited February 13, 2010 by walker

[Defunkt 431]

No walker, you are incorrect. A signature only permits an addon it does not make it mandatory.

---------- Post added at 07:53 AM ---------- Previous post was at 07:38 AM ----------

More on CheckFiles, it seems you can check a single file from an addon pbo so you can just test (for instance) the config.bin/config.cpp within the addon (using its pbo prefix). In this way you could enforce its presence but rely on VerifySignatures to ensure it hasn't been tampered with.

I'd be tempted to clear the default entries in the array, one at least looks like an OFP leftover. I think perhaps this might be why the OnDifferentData server action is empty by default.

[walker 0]

No walker, you are incorrect. A signature only permits an addon it does not make it mandatory.

---------- Post added at 07:53 AM ---------- Previous post was at 07:38 AM ----------

More on CheckFiles, it seems you can check a single file from an addon pbo so you can just test (for instance) the config.bin/config.cpp within the addon (using its pbo prefix). In this way you could enforce its presence but rely on VerifySignatures to ensure it hasn't been tampered with.

I'd be tempted to clear the default entries in the array, one at least looks like an OFP leftover. I think perhaps this might be why the OnDifferentData server action is empty by default.

Hi walker

You are correct. I am wrong!

However checking giant files is a problem as you acknowledge. Your suggested method of checking each addons config while faster than the whole file check is still a lot to check and a giant list in checkfiles; thus a lot to go wrong.

A simpler solution is to checkfile the signatures!

Better still would be to make a master signature and checkfile that!

Kind Regards walker

Edited February 13, 2010 by walker

[galzohar 31]

Yeah, it seems like currently it is a bit messed up. However, most addons that people would want to be required for their server also include those addons in their missions and those missions thus depend on those addons and the player will get kicked if he doesn't have them anyway.

If you want to, say, force someone to use a specific sound mod, then you're going to have a problem (unless it is possible and are willing to edit your missions to require it), but stuff like ACE become a requirement as soon as your mission uses any ACE unit, and islands are automatically a requirement for missions on that island.

As said, signatures are only meant to prevent use of unapproved addons.

[Defunkt 431]

Checking the signatures is a good idea and would save having to dig into the pbo for a path prefix.

[SWAT_BigBear 0]

If only it could do as say, BF2 when going from SP to MP, it shuts down and reopens .exe's.

[walker 0]

Hi Defunkt

I wonder whether we could make a signature from signature files, thus inheriting trust?

This would then remove the need to checkfile at all.

The math in it is interesting.

Kind Regards walker

Edited February 14, 2010 by walker

[andersson 285]

Thank you all for interesting input, I think I asked the right question.

Checking signatures doesnt mean that the user has the addon. I can dump the signatures in there (then why anyone would want to do that is beyond me, Im just thinking loud..).

But seriously, I think that is one possible way. Small files shouldnt take that much time.

Some background for this: On the server I play I put up the possibility to use YAS. I also gave 2 different solutions for the group to get the needed files. Still they join up incomplete and we have to choose missions depending on what island they have... So thats why I want to force check.

So signature check and checkfile the signatures. Not bad.. Gonna try and see how long it takes to join. Cant do it now though.

edit: I must meditate abit on the signature for signatures.

[Defunkt 431]

Well I've just had a play with this and while CheckFiles dutifully reports on missing files none of the documented server events seems to be called in response. So given...

CheckFiles[] = {"x\acexpla\addons\main\config.bin"};

...if I join without ACEX_PLA a message is then printed saying...

deFUNKt uses modified data file - x\acexpla\addons\main\config.bin

...but none of OnUnsignedData, OnHackedData, OnDifferentData or RegularCheck seem to be called in response so as far as I can tell the test has no teeth (unless an admin is on to kick somebody in response).

[andersson 285]

So is there anyway to force addons? It seems like no if that is true?

[Defunkt 431]

De-pbo each mission and create the dependency there before you add it to the server. This could actually be automated with a batch file.

[walker 0]

De-pbo each mission and create the dependency there before you add it to the server. This could actually be automated with a batch file.

Hi Defunkt

I had a thought. Create a dummy file with all possible addon dependencies in it then create signature from that!

Though I too will have to meditate on the logic of that; I think as it is a dummy it will not work. As someone could copy it across without having the other files. Same I think goes for your suggestion. :(

I think the signature of signature files is the best solution.

Time to suck it and see I think.

Logically as far as I can tell the signature of signature files is sound.

All Sigs are checked including the concatonated signature of signature files.

Edit

I just checked the mathmatics of the method "signature of signatures" is known, accepted and used in industry!

You know between us I think we might have solved this one. :)

The only question now is does the BIS signing tool allow us to create such master "signature of signatures"

Kind Regards walker

Edited February 14, 2010 by walker

[Defunkt 431]

Sorry I don't follow, signatures are only tested (when VerifySignatures = 1) when loading pbo's (merging content into the game's file space), a signature of a signature will never be checked as part of that process. A signature (or a signature of a signature if desired - not sure to what end though) might be tested with CheckFiles but as far as I can see a failed check will only result in a chat message.

If one were tenacious, a combination of BinPBO, De-PBO and Swiss File Knife could turn inserting addon dependencies within a mission file into a drag and drop operation with a batch file but I lack the time to attempt this right now.

[walker 0]

Hi Defunkt

If as you suggest a signature of signatures would not be checked because it is not a signature of a pbo just add a pbo to the list of files that create the signature.

Kind Regards walker

[cross 1]

So is there anyway to force addons? It seems like no if that is true?

It is an old and cosmetically very restrictive and limited method but you can try

equalmod=1 in your server config coupled with verifysignatures=1

Also add ...

onDifferentData = "kick (_this select 0)";

With equal mod, a client MUST use have the modline = to the modline in the server. If Client renames a folder but have the same mod files in it, IT WILL KICK the client. So very very restrictive in terms of "looks". It does not check files in the modfolder though so it must be coupled with verify signatures.

Not used eqmod for a very long time so IIRC it does not allow mods loaded in different order ie -mod=@mod1;@mod2 is NOT equal to -mod=@mod2;@mod1 and you'll be kicked. So it is cosmetically very strict.

So best solution would be to provide clients the exact modline to be used while connecting or if they are using YAS they should use what they see as the server modline.

You can give the below a try too but you may need to tweak the condition part as not sure what checkfile returns so assumed 0 and 1. Hope it returns 0 if file not found.

The first 0 is the level of check.

onUserConnected="if((0 checkfile [_this select 0,"@ACE/addons/ace_version.pbo"])=0) then {kick (_this select 0);};";

Edited February 14, 2010 by Cross