Agent Auto Update Technical Overview

Feature Overview

Our agent installations have the capability to perform automatic updates, ensuring that your deployed agent software remains current with minimal user involvement.

Each platform utilizes distinct mechanisms for auto-updates:

Linux

On Linux platforms, updates are managed through the standard package manager corresponding to the specific distribution (e.g., yum or apt). The repository is signed, and updates are scheduled via a cron job. This is the same process an administrator would use to update the software directly via the package manager.

Android

For Android devices, updates are facilitated through the Google Play Store using standard Android update procedures.

Windows & macOS

On Windows and macOS, agent updates are conducted through an internal mechanism.

Please note that the agents do not currently support installation or updates via the Windows Store or macOS App Store.

Update Schedule

Our updates are securely hosted online within a 7SIGNAL repository, accessible at https://downloads.7signal.com. This repository contains both the update packages and a manifest file. The manifest file is checked hourly by the update scheduler and includes information such as the latest version, package location, SHA1 hash, and a minimum version requirement.

When the agent identifies a newer version and confirms that the current version meets the minimum requirement, the update process initiates automatically.

Update Package Verification

Upon identifying an update candidate, the package is downloaded. Once the download completes, the package's SHA1 hash is checked against the hash specified in the manifest. If a mismatch is detected, the download will be retried during the next scheduled attempt. It's important to note that the SHA1 hash serves only to verify that the package was transmitted correctly and does not ensure security. Package legitimacy is confirmed through package signatures.

Each package is signed using the standard platform code signature mechanism. To ensure a package's authenticity as a valid 7SIGNAL publication, it undergoes validation by the operating system and is cross-referenced with a known 7SIGNAL certificate. The operating system is responsible for internal validation, after which the certificate's thumbprint is matched against an internal 7SIGNAL certificate thumbprint list. This list is embedded within the software and can only be updated through a previously verified update package. To be considered valid, the package must be signed with a certificate that is both valid and a known 7SIGNAL certificate.
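The decision flow described in the Update Schedule and Update Package Verification sections, sketched as an added example (not 7SIGNAL's code). The manifest field names, the thumbprint values, the returned action names and the `os_signature_valid` flag standing in for the operating system's signature check are all assumptions.

```python
import hashlib
import hmac

# Constructed manifest; field names are assumptions, not the vendor's format.
MANIFEST = {
    "latest_version": "4.2.0",
    "min_version": "3.5.0",
    "package_url": "https://downloads.example.invalid/agent-4.2.0.msi",
    "sha1": hashlib.sha1(b"constructed package bytes").hexdigest(),
}
# Constructed stand-in for the thumbprint list embedded in the agent.
PINNED_THUMBPRINTS = {"aa" * 20, "bb" * 20}


def parse_version(text):
    """Turn '4.2.0' into (4, 2, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def update_available(current, manifest):
    """A newer version exists AND the installed version meets the minimum."""
    cur = parse_version(current)
    return (parse_version(manifest["latest_version"]) > cur
            and cur >= parse_version(manifest["min_version"]))


def transfer_intact(package, manifest):
    """SHA1 check: catches a corrupted download, not a malicious package."""
    digest = hashlib.sha1(package).hexdigest()
    return hmac.compare_digest(digest, manifest["sha1"].lower())


def signer_trusted(os_signature_valid, signer_thumbprint, pinned):
    """Both must hold: OS-level validation and a pinned thumbprint."""
    normalized = signer_thumbprint.replace(" ", "").lower()
    return os_signature_valid and normalized in pinned


def decide(current, manifest, package, os_signature_valid, signer_thumbprint):
    """Return the (hypothetical) action name for one scheduled check."""
    if not update_available(current, manifest):
        return "no-update"
    if not transfer_intact(package, manifest):
        return "retry-next-schedule"
    # The page does not say what follows a failed signature check;
    # "reject" here only means the package is not installed.
    if not signer_trusted(os_signature_valid, signer_thumbprint,
                          PINNED_THUMBPRINTS):
        return "reject"
    return "install"
```

A package whose hash matches the manifest but whose signer is not on the pinned list is still refused, which is why the hash alone is not a security control.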

Installation Procedure

Following the download and verification process, the package is installed using the respective Windows or macOS installer mechanism. This update package is identical to the one used for manual software installation (msi or pkg). The package is given to the system installer process, which subsequently updates the software. The installation process stops the agent, performs the upgrade, and then restarts the agent to complete the procedure.