I am looking for a safe way to determine if a Telerik report file was modified by us or replaced by a custom version our client made.
I was hoping to simply apply a code-signing certificate to the report file, but that does not appear to work.
The idea is that if someone were to modify the file, it would strip out our protection which we could then detect.
We do not want to prevent end users from modifying the report file to create their own report, but they would need to set it up as a custom report in our system.
This means that a simple password on the file would not work as the end user would need to know it to modify the report file and therefore could pretend that their modified version is ours.
I wish to eliminate the possibility of tech support calls due to issues with their customized file that we mistakenly believe is ours.
I look forward to hearing from you.
6 Answers, 1 is accepted
May I ask you to clarify what do you mean by 'report file'? Is it TRDP/TRDX report definition or exported document in some of the available formats?
If we are talking about signing the report definition, I'm afraid that we do not have out-of-the-box solution for this scenario.
However, we do support digital signature feature for PDF documents. In Design Considerations for PDF Rendering - Digital Signature section of the help article, we added information about signing a PDF document with provided path to a X.509 certificate in the device info settings.
As far as I know, users cannot create a new report file from a pdf.
I was specifically referring to the trdp and trdx files.
The protection I am referring to does not have to use a certificate, however, it would need to allow users to modify the file whereby the "protection" is removed from the trdp/trdx file when it is saved.
If you have no ability for this then I would like to request this as an enhancement.
Why not just use the last modified time for comparison then? Currently we do not have plans to extend the Standalone Designer functionality to contains, for example, a unique hash value. As this would mean for the Reporting tool to introduce additional users functionality for comparing if the file was modified and by who, which is outside its scope.
The workaround we can suggest is to store a hash value of the original definition as meta information using some hashing function (for example MD5 or SHA1). And if the hash value changes/deletes after serialization, then the report definition has been modified. Please take a look at this small demonstration of the approach - https://www.screencast.com/t/bPbkLeFQBgr.
Let us know if you have other questions.
The problem with using the last modified time or a hash value is that we would need to modify our code each time we modified our report file.
Signing a file in some fashion (not necessarily using a certificate) would allow us to use a consistent check mechanism for all our reports that would not need to be modified each time a report is modified.
My understanding the that trdp file is basically a zip file. A possible, but potentially unsafe workaround would be for us to inject something into that zip file that we could extract and read. The concern is 3 fold - Would adding this corrupt the trdp file, would it remain in the file when it is modified, and could someone else extract that item and inject it into their file. If we could password protect that item, then it should prevent the last issue, but that adds even more complexity to the check mechanism, and still leaves the other concerns.
One of the concerns here about doing this is that some higher ups would not like us to invest the time required to do anything other than a simple check that we create once and that does not require maintenance.
Enhancing Telerik reports to sign them with a certificate, a strong name, or something else I still feel would be a good idea in the long run, and is not something that I would expect Telerik to add immediately.
Should I submit an enhancement request in another manner, and if so, how?
Thank you for your time, Silviya.
I look forward to hearing your reply.
The TRDP file is indeed a zip archive containing the declarative report definition and other resources.
You may add additional resources/files to the TRDP archive and the Reporting engine will still be able to open them. Upon changing the report definition the TRDP file will be re-generated and the external content will be deleted. However, the TRDP file can be opened as zip from anyone and the content inside can be extracted or modified.
You may log a feature request in our feedback portal to introduce, for example password protection for the TRDP files, i.e. an option for password protecting the zip archive of the TRDP files. The implementation of our new features depends on the number of votes received from our users.
I will post a feature request.