"New Version" notifications in MultiBit

jim618

legendary

Activity: 1708

Merit: 1069

Quote from: Mike Hearn on March 20, 2013, 12:27:28 PM

You could, if you wanted, manually provide the SSL cert at the Java level. But I'd be tempted to just lose the SSL entirely and rely on ECDSA signatures.

This is the better approach - I know XChange have the same cert problem with some of their users on Android and it is not that clean to fix (you have to get a new cert into the cert store).

Mike Hearn

legendary

Activity: 1526

Merit: 1134

Probably Java just uses the operating systems certificate store. I guess StartSSL isn't a well accepted CA Sad

You could get a cert from somewhere else (not free).

You could, if you wanted, manually provide the SSL cert at the Java level. But I'd be tempted to just lose the SSL entirely and rely on ECDSA signatures.

HostFat

staff

Activity: 4270

Merit: 1209

I support freedom of choice

Quote from: jim618 on March 20, 2013, 03:39:41 AM

Some older copies of Java (1.6) don't have the certificate authorities to deal with SSL very well.
If you type :

java -version

Code:

C:\Users\xxxxxxxxxxx>java -version
java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)

Mike Hearn

legendary

Activity: 1526

Merit: 1134

Sounds good! I hope we can get bcj 0.8 out soon.

jim618

legendary

Activity: 1708

Merit: 1069

Yes my preferred option is to add ECDSA signatures to the file as:
+ you can several/ threshold
+ safe to deliver by http and mirror

I wanted to get what I had out as it is a start.

The help in multiBit is over http because of the https problems with earlier JVMs.

I thought for the bundled JVM I would do the checkpoints and upgrade to SPVStore first (as then the download size would decrease significantly) and then bundle in a JRE (which would put it back up !).

Then the user would not have to bother installing Java.

Mike Hearn

legendary

Activity: 1526

Merit: 1134

You could also just include a Bitcoin style signature. If you have a hard dependency on Java version it makes sense to ship the JVM with the app. The Java7 SDK has a tool that creates Windows/Mac installers that bundle the JRE with them.

jim618

legendary

Activity: 1708

Merit: 1069

Some older copies of Java (1.6) don't have the certificate authorities to deal with SSL very well.
If you type :

java -version

In a terminal I suspect you will see something with a '1.6' in.
If you update your copy of Java it should disappear.

I have to get the file using HTTPS to stop a man in the middle attack.

HostFat

staff

Activity: 4270

Merit: 1209

I support freedom of choice

v0.4.23

Code:

Synchronising with network...
Unable to load "https://multibit.org/version.txt". The error was "javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
Synchronising with network, 28 block(s) to download. Block date : "Mar 19, 2013".

jim618

legendary

Activity: 1708

Merit: 1069

As a balance between informing and annoying the user I show the 'new version' message a set number of times (currently twice).
To make sure the user can see the message if they need to, it is now always logged to the Messages tab, see below:

Code:

Opening wallet "/Users/jim/Library/Application Support/MultiBit/multibit.wallet"...
... done.
Opening wallet "/Users/jim/real money/pettyCash2.wallet"...
... done.
Opening wallet "/Users/jim/real money/unencrypted.wallet"...
... done.
Synchronised with network.
----------------------------------------------------------------
There is a new version "0.4.27" of MultiBit available.
Your current version is "0.4.23".
 
Lorem ipsum dolor sit amet, consectetur adipisicing elit, 
sed do eiusmod tempor incididunt ut labore et dolore 
magna aliqua. Ut enim ad minim veniam, quis nostrud 
exercitation ullamco laboris nisi ut aliquip ex ea 
commodo consequat. Duis aute irure dolor in reprehenderit 
in voluptate velit esse cillum dolore eu fugiat nulla pariatur. 
Excepteur sint occaecat cupidatat non proident, sunt in culpa 
qui officia deserunt mollit anim id est laborum.
----------------------------------------------------------------
Synchronised with network.

jim618

legendary

Activity: 1708

Merit: 1069

Updated version alert with bespoke lines from the server version.txt file:

jim618

legendary

Activity: 1708

Merit: 1069

Good idea.
The dialog is localised so I'll keep the two lines shown for maximum comprehension.

I'll add in an extra few lines for explanatory text (which will just appear in English) that can come from the version.txt file on the server. This won't be signed yet but it is delivered by HTTPS and you need to be root on multibit.org to change it.

Mike Hearn

legendary

Activity: 1526

Merit: 1134

Awesome! Could you make the message that appears customizable by you too? Otherwise if there are frequent updates people will "tune out" and you won't be able to urge them to upgrade when a security or other critical bug is found.

HostFat

staff

Activity: 4270

Merit: 1209

I support freedom of choice

Good!

jim618

legendary

Activity: 1708

Merit: 1069

I have added a little notification when you start up MultiBit for when there is a new version available on the multibit.org website.
Screenshot:

(the version numbers are ficticious - just testing it!)

You can click on the 'View release' button and it will open your browser to:
https://multibit.org/releases.html

On that page you can see what's in the release and there are the usual download links.
It is just in test at the moment but I will put it in the live code for the next release.

Topic: "New Version" notifications in MultiBit (Read 1893 times)