← Back to team overview

ubuntu-appstore-developers team mailing list archive

Thread
Date

Re: Signed Click packages

To: ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 08 Aug 2013 08:57:48 -0400
In-reply-to: <CALd9vb9uYSPskxYrVdEdFXHdcdAsNP6AwZ54QBWPeLoR_OoNgQ@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 13-08-08 08:39 AM, Roberto Alsina wrote:
> Also, there is no plan whatsoever to display package signing errors because (I
> remember this too ;-) the signature would only be checked on upload, and then
> we'd trust that we are getting the packages securely via HTTPS.

I don't think HTTPS is enough to be secure. We need to sign the package checksum
with some sort of store key.

Marc.

Follow ups

Re: Signed Click packages
From: Martin Albisetti, 2013-08-08

References

Signed Click packages
From: Colin Watson, 2013-08-08
Re: Signed Click packages
From: Martin Albisetti, 2013-08-08
Re: Signed Click packages
From: Roberto Alsina, 2013-08-08