
ubuntu-appstore-developers team mailing list archive

Re: Embedded package signatures vs. transport level security

 

On 13-06-05 11:39 AM, Loïc Minier wrote:
<snip>

> Concerning the signed package approach, here are a couple of
> implementations that would make it possible to sign the manifest and all
> the package contents:
> a. dpkg-sig[2]; I believe this generates an index called "digests" of the
>    components of the ar file with corresponding SHA1 and MD5 hashes,
>    then adds a GPG signature of that file as digests.asc to the
>    archive
> 
> b. GPG signing the .deb directly
> 

I took a quick look at dpkg-sig. Embedding a signature in the .deb by
adding an extra file is novel.

dpkg-sig itself only handles SHA1 and MD5 though, which we would need to
update to something better, and it seems to be unmaintained.

I think we should probably add this functionality directly to our click
packages generation tool, possibly using the same approach as dpkg-sig,
but with a better hashing algorithm, such as SHA512.

Marc.
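The approach discussed in this message (a per-member digest index for the ar archive, with SHA-512 in place of SHA1/MD5), sketched as an added example that is not code from the original message, dpkg-sig or the click tooling. The index format and all function names are assumptions, and the GPG signature over the index text is assumed to be made and checked separately.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def make_ar(members):
    """Build a minimal ar archive from (name, bytes) pairs (constructed sample input)."""
    out = AR_MAGIC
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data + b"\n" * (len(data) % 2)
    return out

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:] != b"`\n":
            raise ValueError("corrupt member header")
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        yield header[:16].decode("ascii").rstrip(" /"), data
        pos += 60 + size + size % 2  # member data is padded to an even length

def build_index(blob):
    """Digest index in sha512sum style: '<hex>  <member name>' per line."""
    return "".join(f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in ar_members(blob))

def verify(blob, index):
    """Return a list of problems; empty means every member is listed and matches."""
    expected = dict(line.split("  ", 1)[::-1] for line in index.splitlines())
    problems, seen = [], set()
    for name, data in ar_members(blob):
        if name in seen:
            problems.append(f"duplicate member {name}")
        elif name not in expected:
            problems.append(f"unlisted member {name}")
        elif hashlib.sha512(data).hexdigest() != expected[name]:
            problems.append(f"digest mismatch {name}")
        seen.add(name)
    problems += [f"missing member {n}" for n in expected if n not in seen]
    return problems

# Constructed sample: a package-like archive and the index a signer would sign.
PACKAGE = make_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"payload")])
INDEX = build_index(PACKAGE)
```

The verifier rejects unlisted and duplicate members as well as digest mismatches, since a signature over the index only protects the members the index names.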



