
ubuntu-appstore-developers team mailing list archive

Re: Embedded package signatures vs. transport level security


On 13-06-12 05:24 PM, Jamie Strandboge wrote:
> On 06/12/2013 02:11 PM, Marc Deslauriers wrote:
>> On 13-06-05 11:39 AM, Loïc Minier wrote:
>> <snip>
>>
>>> Concerning the signed package approach, here are a couple of
>>> implementations that would make it possible to sign the manifest and all
>>> the package contents:
>>> a. dpkg-sig[2]; I believe this generates an index called "digests" of the
>>>    components of the ar file with corresponding SHA1 and MD5 hashes,
>>>    then adds a GPG signature of that file as digests.asc to the
>>>    archive
>>>
>>> b. GPG signing the .deb directly
>>>
>>
>> I took a quick look at dpkg-sig. Embedding a signature in the .deb by
>> adding an extra file is novel.
>>
>> dpkg-sig itself only handles SHA1 and MD5 though, which we would need to
>> update to something better, and it seems to be unmaintained.
>>
>> I think we should probably add this functionality directly to our click
>> packages generation tool, possibly using the same approach as dpkg-sig,
>> but with a better hashing algorithm, such as SHA512.
>>
> 
> To be clear, in scenario 'a', the developer uploads a deb to the
> appstore server with an embedded signed digest file that the server can
> verify on upload as signed by the developer. At some later point, the
> appstore server creates a signed hash of the deb such that in secure
> mode the user's client device when installing the software will download
> the signed hash and the deb and verify the appstore signature on the
> hash and compare the hash to the downloaded deb. Is this correct?
> 
> 

Yes, the server verifies the signature on the package to make sure the
package does come from the developer, and provides non-repudiation in
case malware ends up in the package on devices.

Once the package has been approved in the app store, the app store hash
list is what is checked on devices.

The package signature can possibly be checked on devices in the case
where a developer wants to try his own packages on his device, and in
the future if we have a system to allow developers to do betas, much
like TestFlight.

Marc.
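Jamie's description of scenario 'a' and Marc's confirmation, as an added Go example (not code from this thread, from click or from dpkg-sig): the developer embeds a digests file and its signature in the package, the store verifies that on upload and, after approval, publishes a store-signed hash of the whole .deb that the device checks in secure mode. Ed25519 stands in for GPG, SHA512 follows Marc's suggestion, and the serialisation in storePublish is a constructed stand-in for the ar container rather than the real format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

type Member struct{ Name string; Data []byte } // one ar entry of the .deb: debian-binary, control.tar.gz, data.tar.gz, ...
// digestsFile is the dpkg-sig-style index of the members, with SHA512 replacing SHA1/MD5 as Marc proposes.
func digestsFile(pkg []Member) (d []byte) {
	for _, m := range pkg {
		d = append(d, fmt.Sprintf("%x  %s\n", sha512.Sum512(m.Data), m.Name)...)
	}
	return d
}
// Developer: append "digests" and its signature "digests.asc" (Ed25519 here stands in for the GPG signature).
func developerSign(pkg []Member, dev ed25519.PrivateKey) []Member {
	d := digestsFile(pkg)
	return append(pkg, Member{"digests", d}, Member{"digests.asc", ed25519.Sign(dev, d)})
}
// App store, on upload: the developer's signature must verify and the digests must match the other members.
func storeVerify(pkg []Member, devPub ed25519.PublicKey) bool {
	if n := len(pkg); n >= 3 && pkg[n-2].Name == "digests" && pkg[n-1].Name == "digests.asc" {
		d := pkg[n-2].Data
		return ed25519.Verify(devPub, d, pkg[n-1].Data) && bytes.Equal(digestsFile(pkg[:n-2]), d)
	}
	return false
}
// App store, after approval: serialise the .deb (a constructed stand-in for ar) and sign its SHA512 with the store key.
func storePublish(pkg []Member, store ed25519.PrivateKey) (deb, hash, sig []byte) {
	for _, m := range pkg {
		deb = append(deb, fmt.Sprintf("%s\x00%d\x00%s", m.Name, len(m.Data), m.Data)...)
	}
	h := sha512.Sum512(deb)
	return deb, h[:], ed25519.Sign(store, h[:])
}
// Device in secure mode: trust only the store key; check its signature on the hash, then the hash against the download.
func deviceVerify(deb, hash, sig []byte, storePub ed25519.PublicKey) bool {
	h := sha512.Sum512(deb)
	return ed25519.Verify(storePub, hash, sig) && bytes.Equal(h[:], hash)
}
func main() {
	devPub, devKey, _ := ed25519.GenerateKey(nil)
	storePub, storeKey, _ := ed25519.GenerateKey(nil)
	pkg := developerSign([]Member{{"debian-binary", []byte("2.0\n")}, {"data.tar.gz", []byte("constructed sample")}}, devKey)
	deb, hash, sig := storePublish(pkg, storeKey)
	fmt.Println(storeVerify(pkg, devPub), deviceVerify(deb, hash, sig, storePub)) // true true
}
```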

