Authorize fins:// link installation
Starting with HERE Core RVM 20, you can request that your application be cryptographically authorized to install via fins:// links on desktops where the desktop owner has opted into Trusted App Config (TAC) enforcement for protocol-link installation.
This feature works by adding a trustedAppConfigs object to your application manifest. You provide your manifest URL(s) to HERE, and HERE provides you with a signed trustedAppConfigs definition that grants the enableFinsProtocolInstallation feature for those URLs. For a more detailed explanation of TACs, see Trusted application configurations.
When this feature is needed
The desktop owner controls fins:// link installation with two Desktop Owner Settings (see General settings):
- desktopSettings.enableFinsProtocolInstallation (default true) — a kill switch that blocks all new installs via fin:// or fins:// links when set to false. Already-installed apps continue to launch normally.
- desktopSettings.requireTacForFinsProtocolInstallation (default false) — when set to true, new fins:// installs require an enableFinsProtocolInstallation TAC grant on the manifest. fin:// installs are blocked entirely while this setting is on, because a fin:// URL cannot be cryptographically verified over plain HTTP.
If a desktop owner sets requireTacForFinsProtocolInstallation to true and your application does not carry an enableFinsProtocolInstallation TAC grant, end users on that desktop see an "Unable to open app" dialog when they click a fins:// link that would install your app.
Request this feature ahead of time so that your fins:// install links keep working when customers enable TAC enforcement.
How it works
- You provide the following information to HERE:
  - A list of manifest URLs (or match patterns) that identify the applications you want authorized for fins:// installation.
  - A request that those URLs be granted the enableFinsProtocolInstallation TAC feature.
- HERE provides you with a trustedAppConfigs property definition, which contains an embedded digital certificate, includes platform-specific signatures, and grants the requested feature for the requested URLs.
- You include this trustedAppConfigs verbatim in your application manifest.
- When an end user clicks a fins:// link that targets your manifest URL on a desktop with requireTacForFinsProtocolInstallation set to true, the HERE Core RVM does the following:
  - Verifies the trustedAppConfigs signature.
  - Checks that the manifest URL matches the URLs/match patterns granted in your trustedAppConfigs.
  - Confirms that the granted features include enableFinsProtocolInstallation.
  - If all three checks pass, allows the new installation to proceed.
Already-installed apps re-launch successfully regardless of this gate — only new installations are subject to the check.
If you authorize multiple applications, the configuration information for all of them is encoded in a single value property. Use the same trustedAppConfigs definition in each of the application manifests.
How to do it
The trustedAppConfigs definition as provided by HERE has the structure shown in the following example. You add this object as a top-level property of the application manifest:
"trustedAppConfigs": {
  "value": "BASE64-ENCODING-OF-CONFIGURATION",
  "signature": {
    "win": "BASE64-ENCODED-SIGNATURE-FOR-WINDOWS",
    "mac": "BASE64-ENCODED-SIGNATURE-FOR-MACOS"
  }
}
The encoded value declares the enableFinsProtocolInstallation feature for the manifest URLs you requested. If you already use a trustedAppConfigs definition for other TAC features (such as licensed media codecs or extension server URLs), HERE issues a single, combined definition that covers all your requested features.
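Because the definition must be included verbatim and reused unchanged in every authorized manifest, a pre-deployment check can catch a missing, altered, or still-placeholder trustedAppConfigs before a customer enables TAC enforcement. The following is an added example, not HERE's code: lintManifest, the sample link, and the sample values are assumptions constructed for illustration, and the check is structural only.

```javascript
// Added example: structural lint only. Signature verification is performed by the RVM.
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;
const isBase64 = (s) =>
  typeof s === "string" && s.length > 0 && s.length % 4 === 0 && BASE64.test(s);

// installLink: the install link you distribute (hypothetical input)
// manifest:    the parsed application manifest
// issued:      the trustedAppConfigs object exactly as received from HERE
function lintManifest(installLink, manifest, issued) {
  const problems = [];
  let scheme = null;
  try { scheme = new URL(installLink).protocol; } catch { /* unparseable link */ }
  if (scheme !== "fins:") {
    problems.push("install link is not fins://; fin:// installs cannot be TAC-authorized");
  }
  const tac = manifest.trustedAppConfigs;
  if (tac === undefined || tac === null || typeof tac !== "object") {
    problems.push("trustedAppConfigs is missing from the top level of the manifest");
    return problems;
  }
  const sig = tac.signature || {};
  const fields = [
    ["value", tac.value, issued.value],
    ["signature.win", sig.win, issued.signature.win],
    ["signature.mac", sig.mac, issued.signature.mac],
  ];
  for (const [name, got, want] of fields) {
    // Un-replaced placeholders and truncated copies fail the base64 check.
    if (!isBase64(got)) problems.push(`${name} is not a base64 string`);
    else if (got !== want) problems.push(`${name} differs from the issued definition`);
  }
  return problems;
}

// Constructed sample data, not real HERE-issued values.
const b64 = (text) => Buffer.from(text).toString("base64");
const SAMPLE_ISSUED = {
  value: b64("constructed configuration"),
  signature: { win: b64("constructed win signature"), mac: b64("constructed mac signature") },
};
const SAMPLE_LINK = "fins://apps.example.com/app.json";

const copy = JSON.parse(JSON.stringify(SAMPLE_ISSUED));
console.log(lintManifest(SAMPLE_LINK, { trustedAppConfigs: copy }, SAMPLE_ISSUED)); // []
```

Run it against every manifest that shares the definition; an empty result means the structure matches what was issued, not that the signature is valid.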
Limitations
- Internet access is required to validate certificates; there is no option for fully offline mode.
- fin:// (HTTP) installations cannot be TAC-authorized, because the manifest cannot be cryptographically verified over a plain HTTP connection. Migrate to fins:// over HTTPS for any application you want to remain installable when a desktop owner enables requireTacForFinsProtocolInstallation.