Updating applications using migration signatures

US 10,459,711 B2
Filed: 08/12/2008
Issued: 10/29/2019
Est. Priority Date: 08/12/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for improving security by securely changing certificate information of an installed software application, the method comprising:

receiving an installation file to update the installed software application, wherein the installed software application is digitally signed with a first signature that certifies a previous application publisher, and further includes certificate information that identifies the previous application publisher, and wherein the installation file is digitally signed with at least a second signature that certifies a new application publisher;

determining that the received installation file digitally signed with at least the second signature is further digitally signed with a migration signature that matches the first signature to confirm that the received installation file includes a valid update signed by the previous application publisher;

updating the installed software application based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature, wherein the updated software application is digitally signed with at least the second signature that certifies the new application publisher; and

changing the certificate information that identifies the previous application publisher to updated certificate information that identifies the new application publisher, based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature, such that valid updates to the updated software application can only be signed by the new application publisher.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, in one aspect, an installation file digitally signed with a first package signature is received. It is determined whether the received installation file includes a migration signature that covers the first package signature and that matches a second signature associated with an installed software application, to confirm that the received installation file includes a valid update related to the installed software application. The installed software application is updated from the received installation file when the migration signature is included.

Citations

27 Claims

1. A computer-implemented method for improving security by securely changing certificate information of an installed software application, the method comprising:
- receiving an installation file to update the installed software application, wherein the installed software application is digitally signed with a first signature that certifies a previous application publisher, and further includes certificate information that identifies the previous application publisher, and wherein the installation file is digitally signed with at least a second signature that certifies a new application publisher;
  
  determining that the received installation file digitally signed with at least the second signature is further digitally signed with a migration signature that matches the first signature to confirm that the received installation file includes a valid update signed by the previous application publisher;
  
  updating the installed software application based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature, wherein the updated software application is digitally signed with at least the second signature that certifies the new application publisher; and
  
  changing the certificate information that identifies the previous application publisher to updated certificate information that identifies the new application publisher, based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature, such that valid updates to the updated software application can only be signed by the new application publisher.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first signature is associated with a self-signed security certificate, and wherein the second signature is associated with a certificate issued by a certificate authority.
  - 3. The method of claim 1, wherein the first package signature is associated with a first public signing key, and the second signature is associated with a second public signing key that is different than the first public signing key.
  - 4. The method of claim 1, wherein the determining comprises:
    - determining a match between a first identifier generated from the migration signature of the received installation file and a second identifier generated from the first signature of the installed software application; and
      
      based on the determined match, determining that the update is valid and signed by at least the previous application publisher.
  - 5. The method of claim 4, wherein the second signature and the first signature are associated with different public signing keys, and wherein the method further comprises:
    - determining a match between the migration signature of the installation file and the first signature of the installed software application; and
      
      updating the installed software application utilizing the received installation file based on determined match.
  - 6. The method of claim 5, wherein determining the match is based on another match between a first identifier generated from the migration signature and a second identifier generated from the first signature of the installed software application.
  - 7. The method of claim 1, wherein the software application is installed and updated in a cross-platform runtime environment.
  - 8. The method of claim 1, wherein the received installation file is configured to associate the installed software application with the new application publisher instead of the previous application publisher.
  - 9. The method of claim 8, wherein the received installation file is further configured to associate the installed software application with the new application publisher, such that future updates to the installed software application must be signed by the first package signature.

10. A system for securely changing certification information of an installed software application configured to operate within an application runtime environment, the system comprising:
- a processor; and
  
  a non-transitory storage medium coupled with the processor, the non-transitory storage medium including instructions operable to cause the processor to perform operations comprising;
  
  receiving an installation file to update an installed software application, wherein the installed software application is digitally signed with a first signature that certifies a previous application publisher, and further includes certificate information that identifies the previous application publisher so that valid updates to the installed software application can only be signed by the previous application publisher, and wherein the installation file is digitally signed with at least a second signature that certifies a new application publisher;
  
  determining, within the application runtime environment, that the received installation file digitally signed with at least the second signature is further signed with a migration signature that matches the first signature to confirm that the received installation file includes a valid update related to the installed software application signed by the previous application publisher;
  
  updating the installed software application based on the received installation file being digitally signed with the migration signature that matches the first signature, wherein updating includes changing the certificate information to identify the new application publisher instead of the previous application publisher based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature,so as to validate future installation files digitally signed with the second signature.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the first signature is associated with a self-signed security certificate, and wherein the second signature is associated with a certificate issued by a certificate authority.
  - 12. The system of claim 10, wherein the first signature is associated with a first public signing key and the second signature is associated with a second public signing key different from the first public signing key.
  - 13. The system of claim 10, wherein the determining comprises:
    - determining a match between a first identifier generated from the migration signature of the received installation file and a second identifier generated from the first signature of the installed software application.
  - 14. The system of claim 13, wherein the second signature of the received installation file and the first signature of the installed software application are associated with different public signing keys, and wherein the operations further comprise:
    - determining a match between the migration signature of the received installation file and the first signature of the installed software application; and
      
      updating the installed software application utilizing the received installation file based on the determined match.
  - 15. The system of claim 14, wherein determining the match is based on another match between a first identifier generated from the migration signature and a second identifier generated from the first signature.
  - 16. The system of claim 10, wherein the software application is installed and updated in a cross-platform runtime environment.
  - 17. The system of claim 10, wherein the received installation file is configured to:
    - at least associate the installed software application with the new application publisher instead of the previous application publisher.
  - 18. The system of claim 17, wherein the received installation file is further configured to associate the installed software application with the new application publisher, such that future updates to the updated software application must be signed by the first signature.

19. A computer program product, encoded on a non-transitory storage medium, operable to cause a data processing apparatus to perform operations for improving security by securely changing certification information of an installed software application, the operations comprising:
- receiving an installation file to update the installed software application, the installation file being digitally signed with a first signature that certifies a previous application publisher, and further includes certificate information that identifies the previous application publisher so that only updates signed by the previous application publisher are valid, and wherein the installation file is digitally signed with at least a second signature that certifies a new application publisher;
  
  determining that the received installation file digitally signed with the second signature is further digitally signed with a migration signature that matches the first signature to confirm that the received installation file includes a valid update signed by the previous application publisher;
  
  updating the installed software application based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature; and
  
  changing the certificate information that identifies the previous application publisher to updated certificate information that identifies the new application publisher, based on the determination that the received installation file is digitally signed with the migration signature that matches the first signature, so that only updates signed by the new application publisher are valid.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer program product of claim 19, wherein the first signature is associated with a self-signed security certificate, and wherein the second signature is associated with a certificate issued by a certificate authority.
  - 21. The computer program product of claim 19, wherein the first package signature is associated with a first public signing key, and the second signature is associated with a second public signing key that is different than the first public signing key.
  - 22. The computer program product of claim 19, wherein the determining comprises:
    - determining a match between a first identifier generated from the migration signature of the received installation file and a second identifier generated from the first signature of the installed software application; and
      
      based on the determined match, determining that the update is valid and signed by at least the previous application publisher.
  - 23. The computer program product of claim 22, wherein the second signature and the first signature are associated with different public signing keys, and wherein the operations further comprise:
    - determining a match between the migration signature of the installation file and the first signature of the installed software application; and
      
      updating the installed software application utilizing the received installation file based on the determined match.
  - 24. The computer program product of claim 23, wherein determining the match is based on another match between a first identifier generated from the migration signature and a second identifier generated from the first signature of the installed software application.
  - 25. The computer program product of claim 19, wherein the software application is installed and updated in a cross-platform runtime environment.
  - 26. The computer program product of claim 19, wherein the received installation file is configured to:
    - associate the installed software application with the new application publisher instead of the previous application publisher.
  - 27. The computer program product of claim 19, wherein the received installation file is further configured to associate the software with the new application publisher, such that future updates to the updated software application must be signed by the first package signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Inc.
Inventors
Goldman, Oliver
Primary Examiner(s)
Vyas, Abhishek
Assistant Examiner(s)
Dega, Murali K

Application Number

US12/190,460
Publication Number

US 20140040873A1
Time in Patent Office

4,095 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/64   Protecting data integrity, ...

G06F 8/65   Updates security arrangemen...

H04L 2209/64   Self-signed certificates

H04L 2209/68   Special signature format, e...

H04L 9/3263   involving certificates, e.g...

Updating applications using migration signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Updating applications using migration signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links