Installer-dev mailing list (Installer-dev@lists.apple.com)

We have a product (call it "KC", currently a prefs pane/agent) that gets installed the first time by the user downloading a .dmg, running the installer, authenticating, and everything is fine. This product communicates with a server product we sell. When the server updates, there is the potential for there to be a new KC to be available, and the old version installed no longer works.

We have a strong desire for the installed version to automatically, and silently, update to the newer version. We've found a way to do this, using a helper tool and setuid, etc. But, I believe it becomes a huge security hole. The helper tool must be passed a path to something, either the new installer package, or another app to run (in case we move away from Apple's installer in the future). In all cases, this poses a security risk, because someone can pass arbitrary paths to this same app.

It seems that it should be possible to sign the various elements in order to make this process secure (the helper could validate the signatures), but I'm not sure of the best way.

Recommendations? And please refrain from recommending against the silent update. I'm fighting that battle internally, but have to find solutions to the desired behavior in the meantime.

Seven silly swans?

TIA!

-- Rick
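One way a privileged helper can avoid acting on an arbitrary caller-supplied path, as an added example (not code from the original post): it accepts only a bare file name, opens it inside a staging directory, and checks ownership and mode on the open descriptors. The function names, the staging directory and the root-owned policy are assumptions; the signature validation the post asks about would then read the returned descriptor and is not shown.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KC_UPDATE_DIR "/Library/Application Support/KC/Updates" /* hypothetical */

/* Owned by `owner` and not writable by group or other. */
static int tamper_resistant(const struct stat *st, uid_t owner)
{
    return st->st_uid == owner && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Returns a read-only descriptor for `name` inside `dir`, or -1. */
int open_trusted_payload(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    /* The caller supplies a bare file name only, never a path. */
    if (!name || !*name || strchr(name, '/') ||
        !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    /* Pin the directory first so the file lookup is relative to it. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) != 0 || !tamper_resistant(&st, owner)) {
        close(dfd);
        return -1;
    }
    /* Resolve relative to the pinned directory; refuse symlinks. */
    int fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW);
    close(dfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !tamper_resistant(&st, owner)) {
        close(fd);
        return -1;
    }
    return fd; /* later checks (e.g. a signature) read this fd, not the path */
}

int main(int argc, char **argv)
{
    int fd = argc == 2 ? open_trusted_payload(KC_UPDATE_DIR, argv[1], 0) : -1;
    puts(fd >= 0 ? "accepted" : "rejected");
    return fd >= 0 ? 0 : 1;
}
```

The checks cover the staging directory and the file itself; the directories above the staging directory are assumed to be equally protected.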