Evaluating Defold: ZIP file and OpenSSL support?

Hello all, and Happy New Year!

Looking at possibly updating and rebuilding some older games written in CoronaSDK (now Solar2D) and checking to see if some of the features would carry over easily.

As part of the app, I have a button to download updated content files from a web site in the form of a ZIP file. The files included inside are JSON files that have been encrypted using OpenSSL. The app then unzips the ZIP file and stores the encrypted JSON files in a local folder. On app start, the files are decrypted using the OpenSSL plugin and the JSON files are ready for use. They are then deleted on game close.

The purpose of this is to be able to update content without needing to release a new version in the app stores, as well as to keep the content from being easily “stolen”.

Does Defold have the ability to unzip files on devices? I didn’t see anything in the documentation and I didn’t see any plugins with the functionality. What about OpenSSL encryption/decryption? Or maybe an alternative way to handle this?

Thanks for any pointers you can provide as I evaluate Defold!

3 Likes

Thanks @selimanac.
Appreciate this.

So if I read through this correctly, it actually allows for an auto-update of these assets, which is great.

The question of encrypting the assets, however, still isn’t clear. I think it is possible that the build process might be doing this automatically, and can be handled more securely through an extension as noted here:

What I just don’t know yet, and this is something I’d likely need to start building and understanding how all of that content I currently store in JSON files will get added to the app, is if it is a JSON file I add, does encryption happen on it? (Since that section only references the encryption of Lua files.)

1 Like

You can easily download JSON files without using liveupdate. And the json files can be encrypted any way you want. If you instead wish to include the json files in the liveupdate content you first need to convert them to Lua modules.

@britzl, could you point me to documentation/sample code where I can explore what encryption/decryption options there are for that use case? I searched the docs for references to OpenSSL, but all that comes back is the mention in liveupdate.

Although maybe this is overcomplicating things, and converting the JSON into a Lua module and using liveupdate is just the “easier” way to go.

In that case, is it just a matter of converting the JSON to a Lua table, and that module to put in liveupdate just contains the Lua table? Or am I misunderstanding?

This is not something related to Defold and it’s up to you. You can use whatever algorithm you want on the server side when you are encrypting your json and you should use your own decryption on Defold to decrypt your json file.

1 Like

Correct. Pick an algorithm that you like and encrypt the json file. Then at runtime you decrypt the file. You need to either find a Lua implementation of the decryption algorithm (lua-lockbox has a ton of them) or use a native extension (perhaps use OpenSSL or write your own).

Thanks for providing those links. Kind of surprising that Defold has its own OpenSSL implementation built in, but it isn’t available for developers to use.

Just wanted to get your thoughts on this as well. Was I understanding what you were suggesting correctly? If I wanted to just use liveupdate and the encryption built in for Lua modules, would this be the right direction to go?

Thanks so much.

Thanks. I was expecting that since liveupdate used OpenSSL itself, that its inclusion in Defold would be accessible to developers as well, but it looks like that’s not the case.

We use Mbed-TLS internally, not OpenSSL. We could expose more functions from Mbed-TLS in our extension SDK, probably through dmCrypt and extension-crypt. But we never expose everything at once because it makes it harder for us to change things without breaking stuff for our users and it results in more things for us to maintain. Instead we expose functionality based on developer needs. So the question is, what do you need specifically from OpenSSL?

Correct. Then the Lua module would go through our build pipeline and get compiled to bytecode and encrypted using the default or a custom encryption scheme.

Makes sense. 🙂

Because I used CoronaSDK (now Solar2D) to develop my games previously, including JSON files in them would leave those viewable as text files which would make it very easy for someone to be able to lift all of the textual content, which is really the heart of the game. So I was encrypting those files (and decrypting within the game) to keep them from being easily stolen. That was really it.

Side-note: I notice now that our API reference for dmCrypt is missing dmCrypt::Encrypt() and dmCrypt::Decrypt():

They are part of the dmCrypt public SDK: https://github.com/defold/defold/blob/dev/engine/dlib/src/dmsdk/dlib/crypt.h#L56-L74

These functions are used by our resource encryption plugin for instance: https://github.com/defold/extension-resource-encryption/blob/master/resourceencryption/src/plugin.cpp#L11

We could in the future provide more algorithms here and make this into a generic encryption and decryption API.

1 Like

I’ve updated the API docs: Added missing public dmCrypt APIs · defold/defold@d4dc10c · GitHub

1 Like
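The conversion discussed earlier in the thread (turning a JSON content file into a Lua module so it can go through liveupdate and the build pipeline's Lua encryption) sketched as a build-side script. This is an added example, not code from Defold or from any poster; the function names and the sample content are hypothetical, and it assumes Lua 5.1/LuaJIT string escapes. Every string is escaped so that text in the content file cannot terminate its literal and run as code in the generated module.

```python
import json
import math
import re

# Lua reserved words cannot be used as bare table keys.
LUA_KEYWORDS = {"and", "break", "do", "else", "elseif", "end", "false", "for",
                "function", "goto", "if", "in", "local", "nil", "not", "or",
                "repeat", "return", "then", "true", "until", "while"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")

def lua_string(text):
    """Quote text as a Lua string literal so content can never end the literal."""
    out = []
    for byte in text.encode("utf-8"):
        char = chr(byte)
        if char in '\\"':
            out.append("\\" + char)
        elif 32 <= byte < 127:
            out.append(char)
        else:
            out.append("\\%03d" % byte)  # three-digit decimal escape
    return '"' + "".join(out) + '"'

def to_lua(value, indent=0):
    if value is None:
        return "nil"  # note: a null inside an array leaves a hole in the Lua table
    if isinstance(value, bool):  # must precede the int check (bool is an int)
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        if isinstance(value, float) and not math.isfinite(value):
            raise ValueError("NaN/Infinity have no Lua literal")
        return repr(value)
    if isinstance(value, str):
        return lua_string(value)
    if isinstance(value, list):
        items = [to_lua(v, indent + 1) for v in value]
    else:  # JSON object: keys are always strings
        items = [(k if IDENT.match(k) and k not in LUA_KEYWORDS
                  else "[" + lua_string(k) + "]") + " = " + to_lua(v, indent + 1)
                 for k, v in value.items()]
    pad = "  " * indent
    return "{\n" + "".join(pad + "  " + i + ",\n" for i in items) + pad + "}"

def json_to_lua_module(json_text):
    """Return Lua module source that returns the JSON content as a table."""
    return "-- generated from JSON, do not edit\nreturn " + to_lua(json.loads(json_text)) + "\n"

# Constructed sample content, including text that tries to break out of a string.
SAMPLE = r'{"end": [1, 2.5, true], "hint": "a\nb\" } os.exit() --"}'
```

Writing `json_to_lua_module(SAMPLE)` to a `.lua` file in the project gives a module that the game loads with `require`, and the game reads the returned table instead of parsing JSON at runtime.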