ubuntu-appstore-developers team mailing list archive

[Jamie Strandboge <jamie@xxxxxxxxxxxxx>]

On 06/12/2013 04:29 PM, Martin Albisetti wrote:
> On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>>
>> To be clear, in scenario 'a', the developer uploads a deb to the
>> appstore server with an embedded signed digest file that the server can
>> verify on upload as signed by the developer. At some later point, the
>> appstore server creates a signed hash of the deb such that in secure
>> mode the user's client device when installing the software will download
>> the signed hash and the deb and verify the appstore signature on the
>> hash and compare the hash to the downloaded deb. Is this correct?
> 
> 
> FWIW, for 13.10 the server won't have any capabilities to look at the
> binaries uploaded, so we won't be auto-verifying anything.
> Whether we do for 14.04 depends on the complexity of the verification,
> what we need to store to verify, etc.
> 

If this is the case, the manual review process will need to perform this
step-- this will require safely obtaining the developer's public key and
running the verification tool on the deb.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature