
ubuntu-appstore-developers team mailing list archive

Signed Click packages


I did some basic research into signed Click packages this morning.  This
is where we get to start reaping the benefits of using a variant of the
.deb format, because debsigs just works out of the box once you set up
the appropriate verification policies:

  $ gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg --list-keys
  pub   4096R/7D86500B 2009-07-28
  uid                  Colin Watson <cjwatson@xxxxxxxxxxxxxxxxxxxxxx>
  uid                  Colin Watson <cjwatson@xxxxxxxxxxxxx>
  uid                  Colin Watson <cjwatson@xxxxxxxxxx>
  uid                  Colin Watson <cjwatson@xxxxxxxxxx>
  sub   4096R/5EF320FC 2009-07-28
  $ cat /etc/debsig/policies/393587D97D86500B/generic.pol
  <?xml version="1.0"?>
  <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
  <Policy xmlns="http://www.debian.org/debsig/1.0/">
    <!-- This is mainly a sanity check, since our filename is that of the ID
         anyway. -->
    <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
    <!-- This is required to match in order for this policy to be used. -->
    <Selection>
      <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
    </Selection>
    <!-- Once we decide to use this policy, this must pass in order to verify
         the package. -->
    <Verification>
      <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
    </Verification>
  </Policy>
  $ cp -a ../com.ubuntu.test_1.3_all.click .
  $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
  debsig: Origin Signature check failed. This deb might not be signed.
  $ debsigs --sign=origin com.ubuntu.test_1.3_all.click
  You need a passphrase to unlock the secret key for
  user: "Colin Watson <cjwatson@xxxxxxxxxxxxxxxxxxxxxx>"
  4096-bit RSA key, ID 7D86500B, created 2009-07-28
  $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
  debsig: Verified package from `Colin Watson' (cjwatson)

I won't write new crypto logic if I can possibly help it, so this is a
big win even if the policy format isn't necessarily quite what I would
have chosen.  I'll probably add some new commands to click to do signing
and verification, but they'll just pass through to external commands.

This does leave a couple of questions:

 * Does it matter if you need to be in developer mode to install new
   signature verification policies?  (If this is unacceptable, we either
   need to make sure these directories are transparently on the data
   partition, or have debsig-verify look in alternate locations that

 * Do we need a fancy UI for making decisions like "trust all packages
   from this signer", or is it acceptable for this to be something we
   document for enthusiasts for now?

Colin Watson                                       [cjwatson@xxxxxxxxxx]
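An added illustration of what the debsigs/debsig-verify flow above actually does to the package file. This is my own example code, not part of the original message, click, or debsigs. A .click/.deb is a classic ar archive; debsigs --sign=origin appends an extra member named _gpgorigin, and on my reading of the tools that member is a detached OpenPGP signature over the concatenated contents of the debian-binary, control.tar* and data.tar* members in that order (the member layout is an assumption, as are the constructed sample bytes; the optional gpg check only runs if gpg is on PATH). It shows how to spot an unsigned package, which bytes a verifier must hash, and where debsig-verify's Verification step plugs in.

```python
# Added example (my own illustration; not code from the original e-mail, click
# or debsigs). Inspect a .click/.deb the way debsigs and debsig-verify see it:
# the package is a classic 'ar' archive, the origin signature is an extra
# member named '_gpgorigin', and (assumption, on my reading of the tools) that
# member is a detached OpenPGP signature over the concatenated contents of the
# debian-binary, control.tar* and data.tar* members, in that order.
import shutil
import subprocess
import tempfile
from pathlib import Path

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of a classic 'ar' archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]            # fixed 60-byte ASCII member header
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad or truncated member header at %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos += 60 + size + (size & 1)       # member data is padded to an even offset


def build_ar(members):
    """Build an ar archive from (name, data) pairs; used to construct the samples."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n")
        out += hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


def signed_data(members):
    """Concatenate the members the signature covers, in the assumed order."""
    chunks = []
    for prefix in ("debian-binary", "control.tar", "data.tar"):
        for name, data in members:
            if name == prefix or name.startswith(prefix + "."):
                chunks.append(data)
    return b"".join(chunks)


def find_signature(members, sig_type="origin"):
    """Return the detached signature member debsigs adds, or None if unsigned."""
    for name, data in members:
        if name == "_gpg" + sig_type:
            return data
    return None


def inspect_package(blob, sig_type="origin"):
    """Summarise a package: member names, whether a signature member exists,
    the exact bytes that signature has to cover, and the signature itself."""
    members = list(ar_members(blob))
    sig = find_signature(members, sig_type)
    return {"members": [n for n, _ in members], "signed": sig is not None,
            "signed_data": signed_data(members), "signature": sig}


def gpg_verify(signature, data, keyring):
    """Check the detached signature with gpg against one keyring, the way
    debsig-verify's Verification step does. Returns True/False, or None when
    gpg is not installed so the demo still runs offline."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        sig_path, data_path = Path(tmp, "pkg.sig"), Path(tmp, "pkg.data")
        sig_path.write_bytes(signature)
        data_path.write_bytes(data)
        proc = subprocess.run(["gpg", "--batch", "--no-default-keyring",
                               "--keyring", str(keyring), "--verify",
                               str(sig_path), str(data_path)],
                              capture_output=True)
        return proc.returncode == 0


# Constructed sample members (placeholder bytes, not real tarballs); the odd
# length of the control member exercises the ar padding rule.
SAMPLE_MEMBERS = [("debian-binary", b"2.0\n"),
                  ("control.tar.gz", b"ctrl-tar-bytes!"),
                  ("data.tar.gz", b"data-tar-bytes")]
FAKE_SIGNATURE = b"\x89\x02placeholder-signature"   # not a real OpenPGP packet
UNSIGNED = build_ar(SAMPLE_MEMBERS)
SIGNED = build_ar(SAMPLE_MEMBERS + [("_gpgorigin", FAKE_SIGNATURE)])

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        info = inspect_package(blob)
        print(label, info["members"], "signed=%s" % info["signed"],
              "covers %d bytes" % len(info["signed_data"]))
```

On a real package, pass the bytes of the .click to inspect_package and hand info["signature"], info["signed_data"] and the keyring path from the policy's File attribute to gpg_verify; a missing _gpgorigin member is exactly the "This deb might not be signed" case in the transcript above.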
