ubuntu-appstore-developers team mailing list archive

Re: Embedded package signatures vs. transport level security

 

On 06/12/2013 04:29 PM, Martin Albisetti wrote:
> On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>>
>> To be clear, in scenario 'a', the developer uploads a deb to the
>> appstore server with an embedded signed digest file that the server can
>> verify on upload as signed by the developer. At some later point, the
>> appstore server creates a signed hash of the deb such that in secure
>> mode the user's client device when installing the software will download
>> the signed hash and the deb and verify the appstore signature on the
>> hash and compare the hash to the downloaded deb. Is this correct?
> 
> 
> FWIW, for 13.10 the server won't have any capabilities to look at the
> binaries uploaded, so we won't be auto-verifying anything.
> Whether we do for 14.04 depends on the complexity of the verification,
> what we need to store to verify, etc.
> 

If this is the case, the manual review process will need to perform this
step-- this will require safely obtaining the developer's public key and
running the verification tool on the deb.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature
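
The check discussed in this thread (verify the signature on a digest, then compare that digest to the deb actually received) can be sketched as follows. This is an added example, not part of the message above and not the appstore's verification tool. Ed25519, SHA-256 and the names digestOf and VerifySignedDigest are assumptions made for illustration; the keys generated in main stand in for public keys obtained safely out of band.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// digestOf returns the SHA-256 digest of the package bytes (algorithm assumed).
func digestOf(deb []byte) []byte {
	sum := sha256.Sum256(deb)
	return sum[:]
}

// VerifySignedDigest checks that sig is a valid signature by pub over digest
// and that digest matches the bytes actually received. Both checks are needed:
// a valid signature over the digest of some other file says nothing about deb.
func VerifySignedDigest(pub ed25519.PublicKey, deb, digest, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong size")
	}
	if !ed25519.Verify(pub, digest, sig) {
		return errors.New("signature on digest is not valid for this key")
	}
	if !bytes.Equal(digest, digestOf(deb)) {
		return errors.New("package does not match signed digest")
	}
	return nil
}

func main() {
	// Constructed sample data; real keys would be distributed out of band.
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	storePub, storePriv, _ := ed25519.GenerateKey(nil)
	deb := []byte("constructed sample package contents")
	// Developer side: sign the digest embedded in the upload.
	digest := digestOf(deb)
	devSig := ed25519.Sign(devPriv, digest)
	// Upload or manual review: verify with the developer's public key.
	fmt.Println("upload check:", VerifySignedDigest(devPub, deb, digest, devSig))
	// Store side: publish its own signature over the hash of the accepted deb.
	storeSig := ed25519.Sign(storePriv, digest)
	// Client side: a deb altered in transit fails although the signature is valid.
	tampered := append([]byte("X"), deb[1:]...)
	fmt.Println("client, intact:", VerifySignedDigest(storePub, deb, digest, storeSig))
	fmt.Println("client, tampered:", VerifySignedDigest(storePub, tampered, digest, storeSig))
}
```

The same function serves both the review-time check against the developer's key and the install-time check against the appstore's key; only the public key passed in differs.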

