Annex I, Part II, Req 7: Secure Distribution of Software Updates
Delivering security updates to your users is critical, but the delivery mechanism itself must be secure. The EU Cyber Resilience Act (CRA) mandates that manufacturers "provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner" (Annex I, Part II, Point 7).
Why Secure Distribution Matters
If your update mechanism can be compromised, attackers could:
- Distribute malware disguised as a legitimate update.
- Prevent users from receiving actual security patches.
- Downgrade users to older, vulnerable versions of your software.
Key Aspects of Secure Update Distribution
- Authenticity of Updates: Users must be able to verify that the update genuinely comes from you, the legitimate manufacturer.
  - Code Signing: Digitally sign your update packages. Operating systems and app stores often use this to verify the source and integrity of software.
- Integrity of Updates: Users must be able to verify that the update hasn't been tampered with during download or transit.
  - Digital signatures also help ensure integrity.
  - Using HTTPS for update downloads protects against man-in-the-middle modification during transit.
- Confidentiality (Where Necessary): While the update package itself might be public, the process of checking for updates or transmitting user-specific information related to updates should be secure.
- Resilience of the Update Mechanism: The system that delivers updates should be robust against attacks that try to disrupt it.
"Automatic Manner" for Security Updates
The CRA also reiterates the point from Annex I, Part I, Point 2c about security updates being delivered automatically where applicable. The mechanism delivering these automatic updates must, therefore, be secure.
For Different Software Types
- Mobile Apps: Often handled through app stores, which have their own security checks for updates. However, you're still responsible for signing your app correctly.
- Web Apps/PWAs: Updates are typically deployed server-side; secure deployment practices and HTTPS are key.
- Desktop Apps: If you have a built-in updater, it must securely fetch, verify, and install updates.
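As an added example (not code from this page or from any particular vendor's updater), here is the verify step a built-in desktop updater would run before installing anything: it checks the authenticity and integrity points above and refuses the downgrade scenario listed under "Why Secure Distribution Matters". It assumes a pinned Ed25519 vendor public key and a small signed JSON manifest whose layout is this example's own invention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed metadata fetched before the package itself (example format, not a standard).
type Manifest struct {
	Version int    `json:"version"` // monotonically increasing release counter
	SHA256  string `json:"sha256"`  // hex digest of the package bytes
}

// VerifyUpdate accepts a package only if the manifest signature verifies under the pinned vendor key (authenticity), the package hash matches (integrity) and the version is newer (anti-rollback).
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, pkg []byte, installed int) (int, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return 0, errors.New("manifest signature invalid: not from the vendor")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return 0, err
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return 0, errors.New("package hash mismatch: tampered or wrong file")
	}
	if m.Version <= installed {
		return 0, fmt.Errorf("version %d not newer than installed %d: downgrade refused", m.Version, installed)
	}
	return m.Version, nil
}

// SignManifest is the release-side step; the private key stays on the vendor's signing system, never on the device.
func SignManifest(priv ed25519.PrivateKey, version int, pkg []byte) (manifestJSON, sig []byte) {
	sum := sha256.Sum256(pkg)
	manifestJSON, _ = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	pkg := []byte("constructed update payload v2")
	manifest, sig := SignManifest(priv, 2, pkg)
	_, err := VerifyUpdate(pub, manifest, sig, pkg, 3) // device already on 3: downgrade refused
	fmt.Println("rollback attempt:", err)
}
```

In a real updater the public key is compiled into the binary (or held in a platform trust store), and the package is written to disk only after VerifyUpdate returns without error.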
Key Takeaway
Annex I, Part II, Point 7 of the CRA requires that the way you deliver updates for your software is secure. This means ensuring the authenticity and integrity of updates, often through digital signatures and secure transport protocols like HTTPS, to prevent malicious interference.