Add shared key support for private AzureBlobStorage #836

Open
FynnSchapdick wants to merge 4 commits into velopack:develop from FynnSchapdick:add-private-azureblobstorage
@FynnSchapdick

✨ Add Azure Blob Storage update source with Shared Key authentication

Summary

This PR introduces a new AzureBlobStorageSource implementation of IUpdateSource to enable retrieving Velopack updates from Azure Blob Storage containers secured via Shared Key authentication.


Motivation

The existing SimpleWebSource works well for publicly accessible endpoints, but does not support authenticated sources.

Azure Blob Storage is a common deployment target for update packages, and many setups require authenticated access (e.g. private containers). This change enables Velopack to securely fetch updates directly from Azure Storage without requiring SAS URLs or public exposure.


What’s included

  • New AzureBlobStorageSource implementation

  • Support for:

    • Authenticated GET requests using Shared Key
    • Downloading RELEASES feed
    • Downloading package files
  • Automatic signing of requests based on:

    • x-ms-date
    • x-ms-version
    • Canonicalized headers + resource

Implementation details


Notes / Limitations

  • Currently supports GET requests only (sufficient for update scenarios)
  • Assumes standard Blob endpoint structure
  • Header canonicalization is minimal (only required headers are included)

Future improvements (optional)

  • Support for SAS tokens as alternative auth method
  • Support for additional HTTP methods if needed
  • More robust canonicalization for edge cases

Usage example

var source = new AzureBlobStorageSource(
    baseUri: "https://myaccount.blob.core.windows.net",
    accountName: "myaccount",
    containerName: "updates",
    accountKey: "<account-key>"
);

@FynnSchapdick
Author

Hi 👋

Just a gentle reminder regarding this PR.
I understand you might be busy, but I’d really appreciate your feedback whenever you get the chance. Let me know if any changes are needed on my side. Thanks!

@caesay
Member

caesay commented Mar 24, 2026

Thanks for taking the time to create this PR, contributions are always appreciated.

I hadn't responded because I am still contemplating whether or not this is something I would accept and maintain. There are several parts of the code (BuildStringToSign, BuildCanonicalizedResource) which feel odd and brittle; my gut feeling is this can be simplified or reorganized to be more robust.

From what I can tell, this could have been achieved by creating a custom IFileDownloader (possibly just deriving from HttpClientFileDownloader) rather than duplicating the logic in SimpleWebSource. We also have other languages (Rust, C++, etc.) for which we are trying to reach feature parity. There are also no tests, and improving test coverage/confidence is another goal of ours at the moment.

If I'm thinking out loud, possibly the long term way to support sources like these is to have separate NuGet/other-lang packages (think a "Velopack.Sources.AzureStorage" package) that pull in official dependencies like the Azure Storage SDK. It's a bit of a hassle to maintain those packages but it would require us to understand, maintain and test less knowledge of those platforms.

Given all of this, I've not yet decided if I want to move this forward, so I appreciate your patience. Since you are already able to use your custom source in your own application, I'm confident that there's no urgency here.

P.S. no need to keep merging develop into your branch. There are no conflicts (if there were, you'd have seen so in the GitHub UI). If you do want to update your branch I'd prefer you rebase.
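
For reference on the signing steps listed in the PR description and the canonicalization concern raised in the review, the following is an added example of the Azure Storage Shared Key scheme for a Blob GET. It is not the PR's code: `SharedKeySigner`, `Sign` and this `BuildStringToSign` are hypothetical names, the key is a constructed all-zero value, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SharedKeySigner
{
    // Authorization header value for a bodiless GET (service version 2015-02-21 or later).
    // xMsHeaders must hold every x-ms-* header sent on the wire, including x-ms-date.
    public static string Sign(string account, string base64Key, Uri uri, IDictionary<string, string> xMsHeaders)
    {
        using var hmac = new HMACSHA256(Convert.FromBase64String(base64Key));
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(BuildStringToSign(account, uri, xMsHeaders)));
        return $"SharedKey {account}:{Convert.ToBase64String(mac)}";
    }

    public static string BuildStringToSign(string account, Uri uri, IDictionary<string, string> xMsHeaders)
    {
        // Verb, then the eleven standard headers (Content-Encoding .. Range), all empty here.
        var sb = new StringBuilder("GET\n").Append('\n', 11);
        // Canonicalized headers: lower-cased names, ordinal sort, "name:value\n".
        foreach (var h in xMsHeaders.Select(kv => (Name: kv.Key.Trim().ToLowerInvariant(), Value: kv.Value.Trim()))
                                    .OrderBy(x => x.Name, StringComparer.Ordinal))
            sb.Append(h.Name).Append(':').Append(h.Value).Append('\n');
        // Canonicalized resource: "/account" + encoded path, then decoded query parameters,
        // names lower-cased and sorted, repeated values sorted and comma-joined.
        sb.Append('/').Append(account).Append(uri.AbsolutePath);
        var query = uri.Query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries)
            .Select(p => p.Split('=', 2))
            .GroupBy(p => Uri.UnescapeDataString(p[0]).ToLowerInvariant(),
                     p => p.Length > 1 ? Uri.UnescapeDataString(p[1]) : "")
            .OrderBy(g => g.Key, StringComparer.Ordinal);
        foreach (var g in query)
            sb.Append('\n').Append(g.Key).Append(':').Append(string.Join(",", g.OrderBy(v => v, StringComparer.Ordinal)));
        return sb.ToString();
    }

    static void Main()
    {
        var key = Convert.ToBase64String(new byte[32]);   // constructed all-zero key, not a real secret
        var headers = new Dictionary<string, string> {
            ["x-ms-version"] = "2021-08-06", ["x-ms-date"] = DateTime.UtcNow.ToString("R") };
        var uri = new Uri("https://myaccount.blob.core.windows.net/updates/RELEASES");
        Console.WriteLine(BuildStringToSign("myaccount", uri, headers).Replace("\n", "\\n"));
        Console.WriteLine(Sign("myaccount", key, uri, headers));
    }
}
```

The account key signs any operation on the storage account, so a client that holds it is not limited to reading the update container.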
