ubuntu-appstore-developers team mailing list archive
Message #00395
Re: Signed Click packages
On 13-08-08 07:01 AM, Colin Watson wrote:
> I did some basic research into signed Click packages this morning. This
> is where we get to start reaping the benefits of using a variant of the
> .deb format, because debsigs just works out of the box once you set up
> the appropriate verification policies:
>
> $ gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg --list-keys
> /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg
> --------------------------------------------------------
> pub 4096R/7D86500B 2009-07-28
> uid Colin Watson <cjwatson@xxxxxxxxxxxxxxxxxxxxxx>
> uid Colin Watson <cjwatson@xxxxxxxxxxxxx>
> uid Colin Watson <cjwatson@xxxxxxxxxx>
> uid Colin Watson <cjwatson@xxxxxxxxxx>
> sub 4096R/5EF320FC 2009-07-28
>
> $ cat /etc/debsig/policies/393587D97D86500B/generic.pol
> <?xml version="1.0"?>
> <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
> <Policy xmlns="http://www.debian.org/debsig/1.0/">
>
> <!-- This is mainly a sanity check, since our filename is that of the ID
> anyway. -->
> <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
>
> <!-- This is required to match in order for this policy to be used. -->
> <Selection>
> <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
> </Selection>
>
> <!-- Once we decide to use this policy, this must pass in order to verify
> the package. -->
> <Verification>
> <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
> </Verification>
>
> </Policy>
> $ cp -a ../com.ubuntu.test_1.3_all.click .
> $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
> debsig: Origin Signature check failed. This deb might not be signed.
>
> 10
> $ debsigs --sign=origin com.ubuntu.test_1.3_all.click
>
> You need a passphrase to unlock the secret key for
> user: "Colin Watson <cjwatson@xxxxxxxxxxxxxxxxxxxxxx>"
> 4096-bit RSA key, ID 7D86500B, created 2009-07-28
>
> $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
> debsig: Verified package from `Colin Watson' (cjwatson)
> 0
>
> I won't write new crypto logic if I can possibly help it, so this is a
> big win even if the policy format isn't necessarily quite what I would
> have chosen. I'll probably add some new commands to click to do signing
> and verification, but they'll just pass through to external commands.
dpkg-sig only seems to handle SHA1 and MD5 though, which is unacceptable. We
need to change it to something better, like SHA512.
>
> This does leave a couple of questions:
>
> * Does it matter if you need to be in developer mode to install new
> signature verification policies? (If this is unacceptable, we either
> need to make sure these directories are transparently on the data
> partition, or have debsig-verify look in alternate locations that
> are.)
By 'developer mode', we're talking about opting out of the image-based updates,
right? We should probably find a better name for that; it's pretty confusing :)
I think app developers would probably want to remain in image-based updates
mode, to be able to actually test their apps in the same environment as the
shipping devices.
>
> * Do we need a fancy UI for making decisions like "trust all packages
> from this signer", or is it acceptable for this to be something we
> document for enthusiasts for now?
>
I don't think it should have a fancy UI, as I don't think we want to have
websites telling people to play with those settings. It should be a
developer/debugging thing only, that will likely be only available once you've
unlocked the device.
Marc.
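As an added example (not code from this thread, from click, or from debsig-verify), here is a small Python validator for policy files of the kind Colin quoted. It parses the `Origin` / `Selection` / `Verification` layout and checks the sanity constraint he mentions: the `Origin` id must match the policy directory name, and every `Required` keyring must exist under `keyrings/<id>/`. The `select_policy` function then mirrors, in simplified form, the first step debsig-verify takes (look in `policies/<signer id>/` for a usable policy); it assumes the signer's key id has already been extracted from the package signature, since no GPG verification is done here. The key id `393587D97D86500B`, the file names and the policy text come from the quoted session; the directory tree, the placeholder (empty) keyring file and the deliberately broken second policy are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "{http://www.debian.org/debsig/1.0/}"

# Policy text as quoted in the thread (whitespace only re-indented).
POLICY_XML = """<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
  <Selection>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Selection>
  <Verification>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Verification>
</Policy>
"""


def parse_policy(path):
    """Return the Origin attributes and the Required entries of each section."""
    root = ET.parse(path).getroot()
    if root.tag != NS + "Policy":
        raise ValueError("not a debsig policy: %s" % path)
    origin = root.find(NS + "Origin")
    if origin is None:
        raise ValueError("policy without Origin: %s" % path)

    def required(section):
        sec = root.find(NS + section)
        if sec is None:
            return []
        return [(r.get("Type"), r.get("File"), r.get("id"))
                for r in sec.findall(NS + "Required")]

    return {"name": origin.get("Name"), "id": origin.get("id"),
            "selection": required("Selection"),
            "verification": required("Verification")}


def policy_problems(policy, dir_id, keyrings_root):
    """List everything that would stop this policy from being usable."""
    problems = []
    if policy["id"] != dir_id:
        problems.append("Origin id %s does not match directory %s"
                        % (policy["id"], dir_id))
    if not policy["selection"]:
        problems.append("Selection has no Required entry; policy can never be chosen")
    if not policy["verification"]:
        problems.append("Verification has no Required entry; nothing would be checked")
    for section in ("selection", "verification"):
        for _rtype, fname, kid in policy[section]:
            # Keyrings live at keyrings/<id>/<File>, as in the quoted session.
            keyring = os.path.join(keyrings_root, kid or "", fname or "")
            if not os.path.isfile(keyring):
                problems.append("%s: keyring %s is missing" % (section, keyring))
    return problems


def select_policy(policies_root, keyrings_root, signer_id):
    """Simplified stand-in for debsig-verify's policy selection (assumption:
    signer_id was already read from the package's origin signature)."""
    pdir = os.path.join(policies_root, signer_id)
    if not os.path.isdir(pdir):
        return None
    for fname in sorted(os.listdir(pdir)):
        if not fname.endswith(".pol"):
            continue
        path = os.path.join(pdir, fname)
        try:
            policy = parse_policy(path)
        except (ET.ParseError, ValueError):
            continue
        if policy_problems(policy, signer_id, keyrings_root):
            continue
        if all(kid == signer_id for _, _, kid in policy["selection"]):
            return path
    return None


def run_demo():
    """Build a constructed policies/keyrings tree and validate it."""
    root = tempfile.mkdtemp(prefix="debsig-demo-")
    policies = os.path.join(root, "policies")
    keyrings = os.path.join(root, "keyrings")
    good, bad = "393587D97D86500B", "0000000000000000"  # bad id is constructed
    os.makedirs(os.path.join(policies, good))
    os.makedirs(os.path.join(policies, bad))
    os.makedirs(os.path.join(keyrings, good))
    for d in (good, bad):  # the copy under 'bad' still claims Colin's Origin id
        with open(os.path.join(policies, d, "generic.pol"), "w") as f:
            f.write(POLICY_XML)
    open(os.path.join(keyrings, good, "cjwatson.gpg"), "wb").close()  # placeholder
    return {
        "good_problems": policy_problems(
            parse_policy(os.path.join(policies, good, "generic.pol")), good, keyrings),
        "bad_problems": policy_problems(
            parse_policy(os.path.join(policies, bad, "generic.pol")), bad, keyrings),
        "good_policy": select_policy(policies, keyrings, good),
        "bad_policy": select_policy(policies, keyrings, bad),
        "unknown_policy": select_policy(policies, keyrings, "FFFFFFFFFFFFFFFF"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running the file prints no problems for the policy under `393587D97D86500B`, an id-mismatch problem for the copy placed under the constructed directory, and a selected policy path only for the matching signer id. The same checks are worth running as a post-install step for whatever directories end up holding policies on the device, so a policy that can never match (typo in the id, keyring not shipped) is noticed before a package fails to verify.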