ubuntu-appstore-developers team mailing list archive

Re: Signed Click packages

On Thu, Aug 08, 2013 at 08:07:41AM -0400, Marc Deslauriers wrote:
> On 13-08-08 07:58 AM, Colin Watson wrote:
> > On Thu, Aug 08, 2013 at 07:54:08AM -0400, Marc Deslauriers wrote:
> >> On 13-08-08 07:01 AM, Colin Watson wrote:
> >>> I won't write new crypto logic if I can possibly help it, so this is a
> >>> big win even if the policy format isn't necessarily quite what I would
> >>> have chosen.  I'll probably add some new commands to click to do signing
> >>> and verification, but they'll just pass through to external commands.
> >>
> >> dpkg-sig only seems to handle SHA1 and MD5 though, which is unacceptable. We
> >> need to change it to something better, like SHA512.
> > 
> > I didn't mention dpkg-sig, which seems to be an entirely different
> > system from debsigs / debsig-verify.
> 
> Oh, wow, that's confusing. Sorry, I'll look into that.

Isn't it just.  They all amount to adding extra ar members, but with
varying details.  None of them are really very enthusiastically
maintained since this isn't how Debian packages are usually signed, but
I think debsigs / debsig-verify are a bit better off.

That said, I haven't reviewed the crypto very much.

> >> I don't think it should have a fancy UI, as I don't think we want to have
> >> websites telling people to play with those settings. It should be a
> >> developer/debugging thing only, that will likely be only available once you've
> >> unlocked the device.
> > 
> > What exactly is the technical meaning of "unlocked" for Ubuntu Touch?
> 
> At some point, for DRM reasons, we may have to lock down the device. This would
> remove root access, and enable some sort of boot time verification, much like on
> Android. Details are fuzzy at the moment, as the DRM requirements are still
> unclear. "Unlocking" the device would probably mean putting the device in a
> "developer" mode where DRM gets disabled, but root access is granted.

OK, so we just need to put the signature policies somewhere that's on
the data partition but only writable by root.  That seems natural
enough; it could be implemented by adding options to debsig-verify to
use different policies and keyrings directories.

(Presumably a locked device would also confine the terminal so that you
couldn't just install arbitrary code as your user.  Sounds like quite an
exercise.)

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]
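The mechanism the thread keeps coming back to (a .deb is an ar archive, and debsigs / dpkg-sig-style signatures are extra ar members appended after the standard ones) is easy to see with a small parser. The following is an added example, not code from the thread or from the click project; the sample archive is constructed in memory, the member name `_gpgorigin` is assumed here as the one debsigs uses, and the SHA-512 digest is an illustrative stand-in for whatever bytes the real tools sign.

```python
"""Added example: parse a .deb-style ar archive, list its members, and report
which ones are signature members (anything beyond the standard three).
The archive below is constructed; it is not a real package."""
import hashlib

AR_MAGIC = b"!<arch>\n"
STANDARD_PREFIXES = ("debian-binary", "control.tar", "data.tar")


def ar_member(name: str, payload: bytes) -> bytes:
    """Encode one member with the classic 60-byte ar header; bodies are padded to even length."""
    if len(name) > 16:
        raise ValueError("classic ar names are limited to 16 bytes")
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(payload):<10}".encode("ascii") + b"`\n"
    return header + payload + (b"\n" if len(payload) & 1 else b"")


def parse_ar(blob: bytes) -> list[tuple[str, bytes]]:
    """Return (name, body) pairs in archive order, validating each header and size."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip(" /")   # GNU ar appends '/', dpkg pads with spaces
        size = int(hdr[48:58].decode("ascii"))
        body = blob[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, body))
        pos += 60 + size + (size & 1)                   # skip the padding byte after odd-sized bodies
    return members


def signature_members(blob: bytes) -> list[str]:
    """Names of members that are not part of the standard package layout, i.e. signature carriers."""
    names = [n for n, _ in parse_ar(blob)]
    if not names or names[0] != "debian-binary":
        raise ValueError("debian-binary must be the first member")
    return [n for n in names if not n.startswith(STANDARD_PREFIXES)]


def content_digest(blob: bytes) -> str:
    """SHA-512 over the non-signature members in order (illustrative; the exact signed bytes differ per tool)."""
    h = hashlib.sha512()
    for name, body in parse_ar(blob):
        if name.startswith(STANDARD_PREFIXES):
            h.update(body)
    return h.hexdigest()


# Constructed sample: the three standard members plus one debsigs-style signature member.
SAMPLE_DEB = (AR_MAGIC
              + ar_member("debian-binary", b"2.0\n")
              + ar_member("control.tar.gz", b"\x1f\x8b" + b"control")   # odd length exercises padding
              + ar_member("data.tar.xz", b"\xfd7zXZ\x00" + b"data")
              + ar_member("_gpgorigin", b"-----BEGIN PGP SIGNATURE-----\nconstructed\n-----END PGP SIGNATURE-----\n"))
```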
