Auto updating YSoft SafeQ Client

YSoft SafeQ Client v3 (client application) can be auto updated by publishing the update package to YSoft SafeQ Job Service (Job Service). Job Service will instruct client application to update to the latest available version. The update instruction is sent when client announces its version to the Job Service, this happens on regular intervals. That means the update is triggered individually for every client, the update is not pushed to all clients at once. With the default settings the running client gets updated in up to four hours.

Once the client application downloads the installation package from the server, it will validate its signature and if the update package is valid, it will execute the updater executable which is specified in the manifest file. It is the responsibility of the updater process to stop client application processes, stop service YSoft SafeQ Spooler, migrate configurations and start services once the update has completed. Auto update will always keep the latest two versions in the "versions" directory and remove all older ones, this allows a manual revert to the previous version if necessary.

Update package for client is provided in the product installation packages alongside the standard installation packages for client and Job Service. The update package contains the latest version of both Windows and macOS versions, generated manifest with package signatures and the signing certificate used for signing the packages.

Updater process privileges

  • Updater process is executed under the same account YSoft SafeQ Spooler runs, typically a Local System. When YSoft SafeQ Spooler runs with elevated privileges so will the updater process. If you write your own script for client update, we take no any responsibility for any damage the custom scripts might cause.

  • An account used by YSoft SafeQ Spooler service must have sufficient privileges to run PowerShell script. Updater uses a PowerShell script to deploy a new version.

Update architecture support

The auto update is currently supported only on macOS and Windows x64 operating systems.

Configuring auto update

Required steps

  1. Copy content of YSoft SafeQ Client v3 Update Packages <build>.zip to directory <JobService>\spooler-update

  2. Edit <JobService>\configuration\local.json and add the following, make sure to fill in the right FilePath:

    "SpoolerUpdateOptions": {
    "PackageMonitoringInterval": "00:10:00",
    "PackageSigningCertificate": {
    "FilePath":"C:\\SafeQ6\\JobService\\spooler-update\\cert-2022.cer",
    "Password":""
    }
    }

    • .cer from FilePath needs to be trusted by the workstations.

      • To verify trust copy the file to the Windows workstation and double-click it.

      • Go to tab "Certification Path", "Certificate status" must show "This certificate is OK".

    • Configuration options explanation:

      • PackageMonitoringInterval

        • Interval at which the spooler-update folder will be scanned for new update package.

        • Format: DD:HH:MM

      • PackageSigningCertificate

        • Certificate that was used to sign the update packages. This is sent to client application with the update command, client application uses this to verify the update package (see below).

        • FilePath - Path to the TLS certificate (YSoft SafeQ Job Service prioritizes certificate in the store over certificate on file path)

        • Password - Password for the certificate on the path

  3. Restart YSoft SafeQ Job Service

  4. Wait for client applications to auto update

YSoft SAFEQ Client v3 - additional possible configuration

If needed, update mechanism can be re-configured in section SpoolerUpdateOptions inside <Spooler>\versions\latest\configuration\local.json.

Normally no changes on the client application side are necessary, the settings listed below reflect the default values that will be used also when SpoolerUpdateOptions is not defined at all.

Available configuration:

  • RequireValidSignature - Client will validate the signature of the package against the certificate from the server

  • RequireTrustedCertificate - Client will execute the update package only if the underlying operating system trusts the certificate

  • RequireMatchingCertificateFields - Client will execute the update package only if the certificate's subject contains required fields (see RequiredCommonNames and RequiredCountries)

  • RequiredCommonNames - Client will check whether the certificate contains all of these common names

  • RequiredCountries - Client will check whether the certificate contains all of these countries


Example of configuration with default values
"SpoolerUpdateOptions": {
"RequireValidSignature": true,
"RequireTrustedCertificate": true,
"RequireMatchingCertificateFields": true,
"RequiredCommonNames": [ "Y Soft Corporation, a.s." ],
"RequiredCountries": [ "CZ" ]
}

Security warning

Changing any of the above mentioned configuration values can introduce security issues.

How the Client v3 validates a new update package

  1. JobService sends the information about update package based on manifest file

  2. Client v3 downloads the update package

  3. Client v3 checks if RequiredValidSignature option is true

    1. Client v3 verifies if the certificate is trusted (based on RequireTrustedCertificate option)

    2. Client v3 verifies certificate Common Name and Country (based on RequireMatchingCertificateFields option)

    3. Client v3 verifies update package (based on packageSignature from manifest file and certificate)

Creating a customized update package

Update package requirements

  • The package must be a zip file

  • When creating a custom update package:

    • Make sure that once you extract it then the extracted folder will contain the YSoft.Spooler[.exe] executable in it and not another directory. The executable file has to be in root folder in the package. Name of this file should contain chars "a-zA-Z0-9.".

    • You should be aware that YSoft SafeQ Spooler might be updating across multiple versions (Spooler version 1 and the latest version is for example 4). That means (if it applies to you particular update package) that for example the latest package must contain configuration migrations for all intermediate versions.

  • The package must be singed and the signature must be included in the package manifest file. For more information see section Manifest file structure below.

How to publish update package

Update packages are published to a folder <JobService>\spooler-update.Once the update package is in that folder, it becomes available for clients.

Folder which contains update packages for YSoft SAFEQ Client v3 must have following structure

Spooler updates folder structure

Spooler updates folder structure
JobService
└── spooler-update
├── YSoft.Spooler-osx.zip
├── YSoft.Spooler-win.zip
└── manifest.json

Manifest file structure

Manifest file structure
{
"version": "[VERSION]",
"packages": [
{
"platform": "macOS", // Target platform
"executable": "update.sh", // File which will be executed by YSoft SafeQ Spooler
"packageFileName": "YSoft.Spooler-osx.zip", // Update package file name
"packageSignature": "SH+TFBNaInOIO2wGtHECy9pqsQiSb=" // Base64 encoded package signature
},
{
"platform": "Windows",
"executable": "update.ps1",
"packageFileName": "YSoft.Spooler-win.zip",
"packageSignature": "SbVQfsr3N+vXQRQraR0ov2JDjI7A="
}
]
}


[VERSION] is the version of the update package (e.g. 9.9.9 - X.Y.Z). Names for the platform-specific compressed packages can be different however they have to be specified in the manifest file.

Example of custom update procedure

Following is an example of a procedure which an update script for YSoft SafeQ Client v3 must implement

  1. Migrate configuration files (optional - there might not have been changes between versions)

  2. Stop all YSoft SafeQ Client v3 related services (or processes)

    1. YSoft SafeQ Spooler

    2. YSoft SafeQ Client v3 (user facing application)

  3. Change versions/latest symlink to target to your new version

  4. Start all YSoft SafeQ Client v3 related services (or processes)

You can see how the folder structure of deployed YSoft SafeQ Client v3 looks like at Deployment of YSoft SafeQ Client v3.

Troubleshooting

Log files

The process of auto update can be reviewed in:

  • <Spooler>\versions\<build>\logs\spooler.log

  • <Spooler>\versions\<build>\update.log

  • <JobService>\logs\jobservice*.log

Testing auto update

To test the auto update process without having to wait several hours for it to complete:

Do not use this configuration on a production environment, it would cause performance issues.

  • Update <Spooler>\versions\latest\configuration\local.json as follows:

    "StatusReportingOptions": {
       "ReportingInterval":"00:02:50",
       "MaxJitter": "00:00:10"
    }

  • Restart YSoft SafeQ Spooler service

Client will report its version to the Job Service 10 seconds after the service restart and also in intervals 2 minutes 50 seconds (+-10 seconds). So the update will start in a few minutes.

The most common issues

Certificate for update package signature validation is not trusted by the operating system.

  • This ERR can be found in spooler.log on failing update. It means the certificate defined in FilePath is not trusted by the client workstation. If you are using .cer file from the YSoft SafeQ installation package:

    • Either disable group policy "Turn off Automatic Root Certificates Update" on the workstation.

    • Or Install DigiCertTrustedRootG4.crt to "Local machine" > "Trusted Root Certification Authorities" on the workstation.