Auto updating YSoft SafeQ Client
YSoft SafeQ Client v3 (client application) can be auto updated by publishing the update package to YSoft SafeQ Job Service (Job Service). Job Service will instruct client application to update to the latest available version. The update instruction is sent when client announces its version to the Job Service, this happens on regular intervals. That means the update is triggered individually for every client, the update is not pushed to all clients at once. With the default settings the running client gets updated in up to four hours.
Once the client application downloads the installation package from the server, it will validate its signature and if the update package is valid, it will execute the updater executable which is specified in the manifest file. It is the responsibility of the updater process to stop client application processes, stop service YSoft SafeQ Spooler, migrate configurations and start services once the update has completed. Auto update will always keep the latest two versions in the "versions" directory and remove all older ones, this allows a manual revert to the previous version if necessary.
Update package for client is provided in the product installation packages alongside the standard installation packages for client and Job Service. The update package contains the latest version of both Windows and macOS versions, generated manifest with package signatures and the signing certificate used for signing the packages.
Updater process privileges
Updater process is executed under the same account YSoft SafeQ Spooler runs, typically a Local System. When YSoft SafeQ Spooler runs with elevated privileges so will the updater process. If you write your own script for client update, we take no any responsibility for any damage the custom scripts might cause.
An account used by YSoft SafeQ Spooler service must have sufficient privileges to run PowerShell script. Updater uses a PowerShell script to deploy a new version.
Update architecture support
The auto update is currently supported only on macOS and Windows x64 operating systems.
Configuring auto update
Required steps
Copy content of YSoft SafeQ Client v3 Update Packages <build>.zip to directory <JobService>\spooler-update
Edit <JobService>\configuration\local.json and add the following, make sure to fill in the right FilePath:
"SpoolerUpdateOptions"
: {
"PackageMonitoringInterval"
:
"00:10:00"
,
"PackageSigningCertificate"
: {
"FilePath"
:
"C:\\SafeQ6\\JobService\\spooler-update\\cert-2022.cer"
,
"Password"
:
""
}
}
.cer from FilePath needs to be trusted by the workstations.
To verify trust copy the file to the Windows workstation and double-click it.
Go to tab "Certification Path", "Certificate status" must show "This certificate is OK".
Configuration options explanation:
PackageMonitoringInterval
Interval at which the spooler-update folder will be scanned for new update package.
Format: DD:HH:MM
PackageSigningCertificate
Certificate that was used to sign the update packages. This is sent to client application with the update command, client application uses this to verify the update package (see below).
FilePath - Path to the TLS certificate (YSoft SafeQ Job Service prioritizes certificate in the store over certificate on file path)
Password - Password for the certificate on the path
Restart YSoft SafeQ Job Service
Wait for client applications to auto update
YSoft SAFEQ Client v3 - additional possible configuration
If needed, update mechanism can be re-configured in section SpoolerUpdateOptions inside <Spooler>\versions\latest\configuration\local.json.
Normally no changes on the client application side are necessary, the settings listed below reflect the default values that will be used also when SpoolerUpdateOptions is not defined at all.
Available configuration:
RequireValidSignature - Client will validate the signature of the package against the certificate from the server
RequireTrustedCertificate - Client will execute the update package only if the underlying operating system trusts the certificate
RequireMatchingCertificateFields - Client will execute the update package only if the certificate's subject contains required fields (see RequiredCommonNames and RequiredCountries)
RequiredCommonNames - Client will check whether the certificate contains all of these common names
RequiredCountries - Client will check whether the certificate contains all of these countries
"SpoolerUpdateOptions"
: {
"RequireValidSignature"
:
true
,
"RequireTrustedCertificate"
:
true
,
"RequireMatchingCertificateFields"
:
true
,
"RequiredCommonNames"
: [
"Y Soft Corporation, a.s."
],
"RequiredCountries"
: [
"CZ"
]
}
Security warning
Changing any of the above mentioned configuration values can introduce security issues.
How the Client v3 validates a new update package
JobService sends the information about update package based on manifest file
Client v3 downloads the update package
Client v3 checks if RequiredValidSignature option is true
Client v3 verifies if the certificate is trusted (based on RequireTrustedCertificate option)
Client v3 verifies certificate Common Name and Country (based on RequireMatchingCertificateFields option)
Client v3 verifies update package (based on packageSignature from manifest file and certificate)
Creating a customized update package
Update package requirements
The package must be a zip file
When creating a custom update package:
Make sure that once you extract it then the extracted folder will contain the YSoft.Spooler[.exe] executable in it and not another directory. The executable file has to be in root folder in the package. Name of this file should contain chars "a-zA-Z0-9.".
You should be aware that YSoft SafeQ Spooler might be updating across multiple versions (Spooler version 1 and the latest version is for example 4). That means (if it applies to you particular update package) that for example the latest package must contain configuration migrations for all intermediate versions.
The package must be singed and the signature must be included in the package manifest file. For more information see section Manifest file structure below.
How to publish update package
Update packages are published to a folder <JobService>\spooler-update.Once the update package is in that folder, it becomes available for clients.
Folder which contains update packages for YSoft SAFEQ Client v3 must have following structure
Spooler updates folder structure
JobService
└── spooler-update
├── YSoft.Spooler-osx.zip
├── YSoft.Spooler-win.zip
└── manifest.json
Manifest file structure
{
"version"
:
"[VERSION]"
,
"packages"
: [
{
"platform"
:
"macOS"
,
// Target platform
"executable"
:
"update.sh"
,
// File which will be executed by YSoft SafeQ Spooler
"packageFileName"
:
"YSoft.Spooler-osx.zip"
,
// Update package file name
"packageSignature"
:
"SH+TFBNaInOIO2wGtHECy9pqsQiSb="
// Base64 encoded package signature
},
{
"platform"
:
"Windows"
,
"executable"
:
"update.ps1"
,
"packageFileName"
:
"YSoft.Spooler-win.zip"
,
"packageSignature"
:
"SbVQfsr3N+vXQRQraR0ov2JDjI7A="
}
]
}
[VERSION] is the version of the update package (e.g. 9.9.9 - X.Y.Z). Names for the platform-specific compressed packages can be different however they have to be specified in the manifest file.
Example of custom update procedure
Following is an example of a procedure which an update script for YSoft SafeQ Client v3 must implement
Migrate configuration files (optional - there might not have been changes between versions)
Stop all YSoft SafeQ Client v3 related services (or processes)
YSoft SafeQ Spooler
YSoft SafeQ Client v3 (user facing application)
Change versions/latest symlink to target to your new version
Start all YSoft SafeQ Client v3 related services (or processes)
You can see how the folder structure of deployed YSoft SafeQ Client v3 looks like at Deployment of YSoft SafeQ Client v3.
Troubleshooting
Log files
The process of auto update can be reviewed in:
<Spooler>\versions\<build>\logs\spooler.log
<Spooler>\versions\<build>\update.log
<JobService>\logs\jobservice*.log
Testing auto update
To test the auto update process without having to wait several hours for it to complete:
Do not use this configuration on a production environment, it would cause performance issues.
Update <Spooler>\versions\latest\configuration\local.json as follows:
"StatusReportingOptions"
: {
"ReportingInterval"
:
"00:02:50"
,
"MaxJitter"
:
"00:00:10"
}
Restart YSoft SafeQ Spooler service
Client will report its version to the Job Service 10 seconds after the service restart and also in intervals 2 minutes 50 seconds (+-10 seconds). So the update will start in a few minutes.
The most common issues
Certificate for update package signature validation is not trusted by the operating system.
This ERR can be found in spooler.log on failing update. It means the certificate defined in FilePath is not trusted by the client workstation. If you are using .cer file from the YSoft SafeQ installation package:
Either disable group policy "Turn off Automatic Root Certificates Update" on the workstation.
Or Install DigiCertTrustedRootG4.crt to "Local machine" > "Trusted Root Certification Authorities" on the workstation.