ubuntu-appstore-developers team mailing list archive

[Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>]

On 13-06-12 05:29 PM, Martin Albisetti wrote:
> On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>>
>> To be clear, in scenario 'a', the developer uploads a deb to the
>> appstore server with an embedded signed digest file that the server can
>> verify on upload as signed by the developer. At some later point, the
>> appstore server creates a signed hash of the deb such that in secure
>> mode the user's client device when installing the software will download
>> the signed hash and the deb and verify the appstore signature on the
>> hash and compare the hash to the downloaded deb. Is this correct?
> 
> 
> FWIW, for 13.10 the server won't have any capabilities to look at the
> binaries uploaded, so we won't be auto-verifying anything.
> Whether we do for 14.04 depends on the complexity of the verification,
> what we need to store to verify, etc.
> 

This is quite unfortunate. Hopefully we'll be able to verify package
signatures by the time 14.04 arrives, and retro-actively check packages
that have been uploaded in the mean time.

Marc.