ubuntu-appstore-developers team mailing list archive
Message #00083
Re: Embedded package signatures vs. transport level security
On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>
> To be clear, in scenario 'a', the developer uploads a deb to the
> appstore server with an embedded signed digest file that the server can
> verify on upload as signed by the developer. At some later point, the
> appstore server creates a signed hash of the deb such that in secure
> mode the user's client device when installing the software will download
> the signed hash and the deb and verify the appstore signature on the
> hash and compare the hash to the downloaded deb. Is this correct?
FWIW, for 13.10 the server won't have any capabilities to look at the
binaries uploaded, so we won't be auto-verifying anything.
Whether we do for 14.04 depends on the complexity of the verification,
what we need to store to verify, etc.
--
Martin