Hey all,
I've been curious about the possibility of usurping the built-in Software Update client to install custom updates of my own making (i.e., Bash 4.x, etc).
Today I started poking at Software Update and found that on Tiger and Leopard, it actually uses plain HTTP to download the update indexes, and even adheres to the system HTTP proxy settings, so it was easy to snoop on which URLs it was hitting.
However, upon examining one of the update files (a tar file), it includes a "signature" file, which is 512 hex characters, indicating a 2048-bit signature.
Has anyone ever tried feeding an unsigned update to Software Update? My guess is that it would be rejected.
I'm also guessing that a 2048-bit signature indicates the signing mechanism is too modern to crack.
Perhaps the easiest route would be to modify the Software Update binary to defeat the signature verification check?
Has anyone poked at this before?
I've been curious about the possibility of usurping the built-in Software Update client to install custom updates of my own making (i.e., Bash 4.x, etc).
Today I started poking at Software Update and found that on Tiger and Leopard, it actually uses plain HTTP to download the update indexes, and even adheres to the system HTTP proxy settings, so it was easy to snoop on which URLs it was hitting.
However, upon examining one of the update files (a tar file), it includes a "signature" file, which is 512 hex characters, indicating a 2048-bit signature.
Has anyone ever tried feeding an unsigned update to Software Update? My guess is that it would be rejected.
I'm also guessing that a 2048-bit signature indicates the signing mechanism is too modern to crack.
Perhaps the easiest route would be to modify the Software Update binary to defeat the signature verification check?
Has anyone poked at this before?
