I need to provide an update to application data as a download from a website. The update would actually just be the replacing of some data files with some updated ones.
The update, which I assume would be some sort of setup package type program, would need to be able to do the following:
access the file system and registry
to determine where files should be
copied to
supply the files to be copied
provide strong security so the data files cannot be downloaded or used by the wrong people
What would be best way to achieve all of the above?
I would suggest to use either
Java Web Start, for Java
ClickOnce Deployment, for .NET
These technologies are meant to distribute software over networks.
(I think that developing something similar yourself can turn to be something rather complicated.)
There are a number of comprehensive update manager and delivery services available from commercial software vendors if you don't want to write something from scratch yourself.
TrueUpdate
InstallShield
ClickOnce
... plus more, I'll leave you to research yourself :)
Your choice will depend on your chosen language, existing setup methods, targeted operating systems and budget.
We just use standard MSI installers/upgrades and wrote our own update manager/update delivery service. You'll need to weigh up own resources and development expense to decide if it's worth purchasing a commercial product, or developing something in-house.
I've used AdvancedInstaller - a very capable free version is available. It is a fully-fledged MSI installer, so it can read/write to the registry and install files to "Program Files" that normally requires admin privileges. It also supports application updates out of the box. You can publish updates and have them automatically downloaded and installed.
As to security, this is not really the realm of an Installer but part of the webserver where you host the files. You could use a password protected folder, or for stronger prevention, client SSL certificates. The latter would work well with automatic updates.
An alternative is to string together a solution from a number of readily available components:
use a batch file to perform the download that is executed regularly. You can schedule batch files using the Windows Task Scheduler.
The batch file will use the Windows REG command to read values from the registry, and use those values to invoke rsync. rsync is a file synchronization command that can be run through ssh. If you configure ssh with public key authentication, you restrict access to specific clients of your choosing, while allowing automated access (no password required.) The key with rsync is that if the files are up to date, no download is performed.
This article explains how to sync files from a server to a notebook using rsync and ssh, and explains how to set up rsync and ssh using Cygwin.
See also
Windows REG command
ssh (Wikipedia) and openssh manpages.
rsync manpage
Related
So i have a scenario where i am using a ISS file to install an instance of oraclexe on windows systems.
It works for all machines with "Administrator"(localadmin) rights.
However it is failing on domain user logins(these logins are part of the Administrators group).
When i install the oracle separately on that machine we get the install fine.
My doubt is that the installer response file is old and was likely recorded on a Administrator login.
Can that be a possibility.
Application Repackaging: In corporate settings one often resorts to application repackaging to deal with legacy setup.exe
setups, and this is usually exactly because of their problematic
behavior in silent installation scenarios. I describe this process
here:
How to monitor and log manual installation
(section "Capture / Repackaging").
Technical Details: At a technical level Application Repackaging is shockingly simple in its approach. It involves scanning the system
before install and after the install and then capture the changes,
clean out a lot of junk settings and wrap the finished, new installer
in an MSI package (or some other format). Despite the technical
simplicity, the quality of such packages depend a lot on the knowledge
of its creator. Badly packaged MSI files can be loose cannons.
Package Format: Application Repackaging can be done in various formats, but the established MSI format (Windows Installer) has
a number of benefits for corporate use centering around reliable silent running and reliable remote management - arguably the
most important aspects of corporate deployment. Please see this answer
for some more details:
How to create windows installer.
Once you have an MSI you install it silently using standard
msiexec.exe command lines.
Tools: Commercial tools Advanced Installer and Installshield are the most well-known repackaging tools. They are
quite pricey. Sometimes people pay deployment consultants to do the
single package they have to convert. Very advisable in terms of the
knowledge needed to succeed as well. List of repackaging tools from
installsite.org.
Technical Limitations: Repackaging has limitations. Localization (support for different language versions) is one problem area - you capture the English version, so where are the
German files for the German version? That kind of stuff. These issues
are always different from setup to setup. It is reverse engineering to
be honest. Also, dynamically generated content that is
machine and user specific such as license keys, certificates, database connection strings with machine names and similar means you
might have to do a lot of work to get things to operate correctly, and
sometimes it is even technically impossible. It is a black art, but
when done right MSI files of excellent quality results that deploy
silently without much drama.
(Re)Packaging Team: Many corporations have whole teams dedicated to capturing and preparing legacy and modern setups for large scale
deployment. Many of them are offshore and unknown to most employees. I
would check if your company has such a team.
Logging?: What does the log files say? Is this a legacy setup.exe installer or does it install an MSI file under the hood? I would also check the system's event log for any clues - especially if you don't have a good log file. There should be a default Setup.log file created in the same directory and with the same name (except for the extension) as the response file.
The /f2 parameter can be used to specify a different log path:
setup.exe /s /f2"C:\Setup.log"
Here is a Flexera article on the subject of silent installation: https://resources.flexera.com/web/pdf/archive/silent_installs.pdf
And the most common silent install with logging command line:
setup.exe /s /f1"C:\sample\uninstall.iss" /f2"C:\sample\uninstall.log"
Response Files: The honest truth is that silent response files have never been reliable to achieve silent running. What often happens is that a special dialog pops up that was never recorded in the response file run, and then it all falls apart. This can be a "low disk space" warning or some other form of unexpected, random dialog that nobody predicted could show up.
Unexpected Dialog: Accordingly there could indeed be something different showing up when you install as domain users that are members of the admin group, although I can't really think of anything in particular that springs to mind as a likely candidate. I suppose the issue could also be one of privilege and access nonetheless. There could be certain NT privileges that are denied accounts in the standard user list for example. All just theories, I would go for the logging to get something concrete to start with.
Installshield Help File:
There are several relevant sections in the Installshield help file.
Please study these if you need more tweaking of the installation parameters. All switches are documented here - these links are for
the 2018 edition of Installshield:
Setup.exe and Update.exe Command-Line Parameters (Basic MSI, Installscript MSI)
Advanced UI and Suite/Advanced UI Setup.exe Command-Line Parameters (Suite Projects)
Some Links:
Uninstalling an InstallShield Installscript MSI program using C# silently
Create MSI from extracted setup files
I am using an Inno Setup Tool to pack/setup all my files (dll, exe, jpg, etc).
But I found that there is a software called InnoExtractor which can really open my setup and read all the scripts and also extract all the files, since I need to hide/protect my files in setup I spent a lot of time/efforts to secure my setup.exe which was generated from Inno Setup, but I found some people saying add a password to Inno Setup Script, but this is also a wrong because the client knows that password and he can simply use InnoExtractor and extract everything even it was protected by Password! is not it!?
Now, I just ask if there someone can suggest me to solve this problem. In fact I embed XML files and DLL which is used to install specific files at client side according to the client machine, but if the client extract all DLLs to his machine then it will be a catastrophe! I need a way to prevent the client from seeing/extracting my setup.exe!
There's no way to protect code from an user, if you need to be able to run the same code on the user's machine. Once you deliver files to client's machine, no matter what method you used to pack them, the client can extract the files.
You can only make it harder, but there's no absolute solution.
More standard tools you use, more easy it is to decompile the code. If you want to make decompiling hard, make your custom installer, instead of relying on a standard installer tool (like Inno Setup).
Probably the only safe way is to use some online service.
You can encrypt the files with some very strong cipher (each file/DLL with a different encryption key). The installer will ask the user for some password, and will send the password to some online service. The online service, after verifying the password, will send back a decryption key for the DLL that you allow the client to install. This will allow the installer to decrypt only the DLL for that client.
Another alternative is that the installer will actually download the DLL from a server, only after you verify the client.
There's no way to 100% protect your installer from an attacker. If someone want to crack it then it can do it.
What you can do:
1) Encrypt the files with some custom (3rd party) system or use [Setup] Encryption directive
2) Modify Inno Setup - download sources, change them and compile again
3) Place sensitive files and data on server and download them during setup (+ encrypt)
4) [Code] section cannot be entirely unpacked, place some calculations or file operations there
Looking for suggestions on how to go about the following, i.e what would be the best language to do it in etc, third party tools are a no :(
I've been tasked to create some sort of windows shell/command line interface that will allow a standard users to install a specific set of applications (configurable by administrators) (installation requires Admin/UAC elevation) due to security restrictions the user cannot have elevated privileges so they'll be able to run the shell as a standard user and it would have hidden/encrypted credentials built in to run the installs as.
Some of the requirements are as follows:
It would need to work on Server 2008 R2, 2012 r1 and 2012 r2
The credentials used to perform the install would have to be hidden (encrypted) from the end user.
Ideally it could work by us providing some config to it prior to handing that server over to the customer and limit what it could be used to install to a particular .exe or .msi (so we know of a need to install an app, we are advised of the name of the install and can logon and can enter it into a form maybe so only that app can be installed, then hand the server over to the customer who runs the same utility or shell extension or whatever and can then install their app.
Even more ideally it was more intelligent than that and some means of ensuring any .msi was indeed installing the application that the msi name related to (seems unlikely but just in case a normal user created an .msi to grant himself further admin access as per http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx )
Ideally its lifespan would be limited in terms of time (unsure if this could be for example to x number of days).
Any pointers on how to go about this, seems like a good challenge :)
Thanks for reading all that!
Mike
Thanks for the responses,
I managed to do this in C#, with no prior experience in the language :)
The application has 2 parts to it, a GUI and a service. It works by having the application send an install command via IPC to it's counterpart elevated service. (Thanks Hans Passant for pointing me in the right direction there). The service initiates the installer under it's own elevated account but displays the installer GUI on the users session. Files are HMACSHA1 checksum validated prior to install, on both the app and the service.
Thanks,
Mike
If a user requires the ability to install application in the Program Files folder, then instruct the domain administrator to give Full Control of the Program Files folder to Everyone:
Just because the default setting forbids standard users from modifying programs, doesn't mean you have to keep it that way. Windows is a secure operating system that gives you the capability to keep it secure.
If your administrator only wants some users to be able to modify the contents of the Program Files folder, then only give that permission to certain users.
The better solution is to re-design the applications so that they do not install in a (by default) protected location. Have them instead install in:
%APPDATA_LOCAL%\Contoso\Frobber\Grob.exe
e.g.
D:\Users\Ian\AppData\Local\Contoso\Frobber\Grob.exe
A user is always allowed to write anything in their own profile folder.
I am working on a VB6 application which has many executable and an Active X dlls.
And there are to be updated in c;lient machines to lates version once in a while which i am asking the user to update manually.
Can you please suggest me a way using which i can update it automatically from the files that can be available online.
Thanks.
Windows Installer has features supporting Patching and Upgrades. Using those techniques you can create various levels of "upgrade" packages.
Your application would need a separate "update" utility that is spawned when the user approves updating, perhaps in response to a prompt your program raises after checking for new versions.
This updater would check the current version and the remote site's catalog of updates to pick the appropriate package, download it to a temporary location, start Windows Installer to process the package (or packages, sometimes you might need to run several Installer runs), and clean up the temp location. Then you might offer to restrt the updated application or on some occasions need to reboot.
This updater would be a fancy form of the common "installation bootstrapper." As you can tell it needs some "smarts" in order to tell what package or packages to download and install in what sequence, when it needs to request rebooting, etc. This would probably be based on a downloaded "rules script" it obtains as part of selecting a valid update option.
After all, sometimes you can just apply a minor upgrade or patch upgrade, sometimes you need a more complete install or entire reinstall.
If your needs are extremely simple (just an EXE and maybe a few DLLs and OCXs - preferably using reg-free COM) you may not need to go to these lengths. However when you start adding in other considerations like multiple programs, data directory creation and security settings, possibly running a settings file conversion or even database conversion, DCOM, firewall, etc. configuration, database drivers or providers, etc. things get complicated quickly. Too complicated for simple snatch and grab updating.
And admin rights/UAC issues are a factor so you'll probably have to deal with privilege elevation.
None of this is trivial stuff. There are people who do little more than construct and test such deployment systems as their entire job.
If you use soemthing like Inno setup to install the application then an update is simple a matter of running that periodically.
You can either detect there is a new version available by checking a web site/local server, or just prompt to run the update after X days.
I am developing a webapp that will be used on LAN mostly. I have different locations where I deployed this app. Some of the locations run windows and some run linux (no x-window system). I need to know if there is a software out there that could easily synchronize my files stored somehere in the cloud (the clouding service can be provided by the app developers or to use different clouds) on both linux and windows machines. My english is a bit rusty so i'm going to explain this in simple words.
I will work on my local machine. I want to upload the files somewhere on the cloud and the clients installed on the LAN servers should synchronize the files. The client must be available for linux under console (as a daemon if possible) while on windows it can be something like dropbox or ubuntu one.
Does somebody know of such an app?
Dropbox is available for Linux.
You could also investigate unison.
I think "Git" is the best solution to develop your project in different machine.
You can sync your code with easy command through this app, and it will record all the version of your code.
Just google "Git tutorial", and you will find many useful introductions.
I think there is a great tool called Syncthing should be considered after 8 years.
https://syncthing.net/
Syncthing is a continuous file synchronization program. It synchronizes files between two or more computers and replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it's transmitted over the internet.
Check the list of Syncthing's goals for more details.