chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,176 @@
|
||||
# UniGetUI Auto-Update Testing Guide (ProductInfo-only path)
|
||||
|
||||
This guide validates the ProductInfo-only auto-update flow that reads from `productinfo.json`.
|
||||
|
||||
UniGetUI no longer falls back to the legacy updater logic. If the ProductInfo lookup fails, the update check fails.
|
||||
|
||||
## Files used
|
||||
|
||||
- `testing/productinfo.unigetui.test.json`
|
||||
- Test artifacts expected by that file:
|
||||
- `UniGetUI.Installer.x64.exe`
|
||||
- `UniGetUI.Installer.arm64.exe`
|
||||
- `UniGetUI.x64.zip`
|
||||
- `UniGetUI.arm64.zip`
|
||||
|
||||
## What is being tested
|
||||
|
||||
- Default updater source is ProductInfo-based.
|
||||
- Product key lookup for `Devolutions.UniGetUI`.
|
||||
- Architecture-aware installer selection (`x64`/`arm64`, `exe` preferred).
|
||||
- Hash validation (enabled by default).
|
||||
- Debug-only override behavior via registry keys under `HKLM\Software\Devolutions\UniGetUI`.
|
||||
|
||||
## Release vs Debug behavior
|
||||
|
||||
- Release builds honor only `UpdaterProductInfoUrl` from `HKLM\Software\Devolutions\UniGetUI`.
|
||||
- Release builds ignore `UpdaterProductKey` and all validation-bypass flags.
|
||||
- Debug builds can read updater overrides from `HKLM\Software\Devolutions\UniGetUI` for local testing.
|
||||
- Dangerous validation bypasses are for Debug/dev testing only:
|
||||
- `UpdaterAllowUnsafeUrls`
|
||||
- `UpdaterSkipHashValidation`
|
||||
- `UpdaterSkipSignerThumbprintCheck`
|
||||
- `UpdaterDisableTlsValidation`
|
||||
|
||||
## 1) Host the test files locally
|
||||
|
||||
From repository root:
|
||||
|
||||
```powershell
|
||||
Push-Location testing
|
||||
python -m http.server 8080
|
||||
Pop-Location
|
||||
```
|
||||
|
||||
Make sure these URLs are reachable:
|
||||
|
||||
- `http://127.0.0.1:8080/productinfo.unigetui.test.json`
|
||||
- `http://127.0.0.1:8080/UniGetUI.Installer.x64.exe`
|
||||
- `http://127.0.0.1:8080/UniGetUI.Installer.arm64.exe`
|
||||
|
||||
## 2) Configure updater overrides (test mode)
|
||||
|
||||
These steps apply to a Debug build only.
|
||||
|
||||
Run in PowerShell:
|
||||
|
||||
```powershell
|
||||
$regPath = 'HKLM:\Software\Devolutions\UniGetUI'
|
||||
New-Item -Path $regPath -Force | Out-Null
|
||||
|
||||
# Point updater to local productinfo
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterProductInfoUrl' -Value 'http://127.0.0.1:8080/productinfo.unigetui.test.json'
|
||||
|
||||
# Product key inside productinfo JSON
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterProductKey' -Value 'Devolutions.UniGetUI'
|
||||
|
||||
# Allow local http URL and local domain for package downloads
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterAllowUnsafeUrls' -Type DWord -Value 1
|
||||
|
||||
# Keep hash validation enabled for normal test pass
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterSkipHashValidation' -Type DWord -Value 0
|
||||
|
||||
# Keep signer thumbprint validation enabled for normal test pass
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterSkipSignerThumbprintCheck' -Type DWord -Value 0
|
||||
|
||||
# Optional only for HTTPS cert troubleshooting in test environments
|
||||
Set-ItemProperty -Path $regPath -Name 'UpdaterDisableTlsValidation' -Type DWord -Value 0
|
||||
```
|
||||
|
||||
## 3) Trigger update check in UniGetUI
|
||||
|
||||
1. Launch UniGetUI.
|
||||
2. Go to **Settings → General**.
|
||||
3. Click **Check for updates**.
|
||||
|
||||
Expected result:
|
||||
|
||||
- Updater reads the local `productinfo.unigetui.test.json`.
|
||||
- It picks the correct architecture `exe` installer.
|
||||
- Download starts and hash is validated.
|
||||
- Update banner/toast appears when update is ready.
|
||||
|
||||
## 4) Negative test: hash mismatch protection
|
||||
|
||||
Use one of these methods:
|
||||
|
||||
- Replace installer file content but keep original hash in JSON, or
|
||||
- Edit hash in JSON to an incorrect value.
|
||||
|
||||
Expected result:
|
||||
|
||||
- Hash validation fails.
|
||||
- Update is aborted with installer authenticity error.
|
||||
|
||||
## 5) Negative test: block unsafe URLs
|
||||
|
||||
Set:
|
||||
|
||||
```powershell
|
||||
Set-ItemProperty -Path 'HKLM:\Software\Devolutions\UniGetUI' -Name 'UpdaterAllowUnsafeUrls' -Type DWord -Value 0
|
||||
```
|
||||
|
||||
Expected result with local `http://127.0.0.1` URLs:
|
||||
|
||||
- Updater rejects source/download URL as unsafe.
|
||||
- No installer launch.
|
||||
|
||||
## 6) Negative test: broken ProductInfo source
|
||||
|
||||
Use one of these methods:
|
||||
|
||||
- Point `UpdaterProductInfoUrl` to a missing URL, or
|
||||
- Point `UpdaterProductInfoUrl` to a malformed JSON file, or
|
||||
- In a Debug build only, point `UpdaterProductKey` to a non-existent product.
|
||||
|
||||
Example:
|
||||
|
||||
```powershell
|
||||
Set-ItemProperty -Path 'HKLM:\Software\Devolutions\UniGetUI' -Name 'UpdaterProductInfoUrl' -Value 'http://127.0.0.1:8080/does-not-exist.json'
|
||||
```
|
||||
|
||||
Expected result:
|
||||
|
||||
- Productinfo check fails.
|
||||
- UniGetUI reports the update-check failure.
|
||||
- No fallback source is used.
|
||||
|
||||
## 7) Optional: disable signer thumbprint check (test-only)
|
||||
|
||||
Use this only if your local installer is unsigned or signed with a non-Devolutions certificate.
|
||||
|
||||
```powershell
|
||||
Set-ItemProperty -Path 'HKLM:\Software\Devolutions\UniGetUI' -Name 'UpdaterSkipSignerThumbprintCheck' -Type DWord -Value 1
|
||||
```
|
||||
|
||||
## 8) Release-build hardening check
|
||||
|
||||
Run the same registry override setup against a Release build.
|
||||
|
||||
Expected result:
|
||||
|
||||
- Release build honors `UpdaterProductInfoUrl` only if it still passes normal source validation.
|
||||
- Release build ignores `UpdaterProductKey`.
|
||||
- Release build ignores validation bypass flags.
|
||||
- Updater uses the configured ProductInfo URL and the built-in `Devolutions.UniGetUI` product key.
|
||||
|
||||
## 9) Cleanup after testing
|
||||
|
||||
Reset to default production behavior:
|
||||
|
||||
```powershell
|
||||
$regPath = 'HKLM:\Software\Devolutions\UniGetUI'
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterProductInfoUrl' -ErrorAction SilentlyContinue
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterProductKey' -ErrorAction SilentlyContinue
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterAllowUnsafeUrls' -ErrorAction SilentlyContinue
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterSkipHashValidation' -ErrorAction SilentlyContinue
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterSkipSignerThumbprintCheck' -ErrorAction SilentlyContinue
|
||||
Remove-ItemProperty -Path $regPath -Name 'UpdaterDisableTlsValidation' -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
With all override values removed, UniGetUI uses:
|
||||
|
||||
- `https://devolutions.net/productinfo.json`
|
||||
- product key `Devolutions.UniGetUI`
|
||||
- safety checks enabled
|
||||
- hash validation enabled
|
||||
Reference in New Issue
Block a user