ubuntu-appstore-developers team mailing list archive
Message #00407
Re: Signed Click packages
On Thu, Aug 8, 2013 at 9:57 AM, Marc Deslauriers
<marc.deslauriers@xxxxxxxxxxxxx> wrote:
> On 13-08-08 08:39 AM, Roberto Alsina wrote:
>> Also, there is no plan whatsoever to display package signing errors because (I
>> remember this too ;-) the signature would only be checked on upload, and then
>> we'd trust that we are getting the packages securely via HTTPS.
>
> I don't think HTTPS is enough to be secure. We need to sign the package checksum
> with some sort of store key.
Do you think having split out the signature into the index metadata
and verifying that the downloaded file matches with that would be an
equal enough approach?
--
Martin
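
The approach asked about above, sketched as an added example (not code from this thread or from the Click/store project): the store signs index metadata that carries each package's checksum, and the client verifies that signature before comparing the downloaded file against the signed checksum. Assumptions: the JSON index layout, the package name and the function names are hypothetical, and a Lamport one-time signature stands in for whatever scheme a store key would really use, so the example runs on the standard library alone.

```python
import hashlib, hmac, json, secrets

# Lamport one-time signature: a stdlib-only stand-in for the store's real
# signature scheme (assumption). One key pair may sign exactly one index.
def _bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    # Reveal one secret per bit of SHA-256(msg).
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    ok = True
    for i, b in enumerate(_bits(msg)):
        ok &= hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pk[i][b])
    return ok

def make_index(sk, packages):
    """Store side: record each package's SHA-256, then sign the serialized index."""
    entries = {n: hashlib.sha256(d).hexdigest() for n, d in packages.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"body": body, "sig": sign(sk, body)}

def verify_download(pk, index, name, data):
    """Client side: check the index signature first, then the file digest."""
    if not verify(pk, index["body"], index["sig"]):
        return False  # index not signed by the store key: trust nothing in it
    expected = json.loads(index["body"]).get(name)
    if expected is None:
        return False  # package is not listed in the signed index
    return hmac.compare_digest(expected, hashlib.sha256(data).hexdigest())

# Constructed sample data (hypothetical package name and contents).
STORE_SK, STORE_PK = keygen()
PKG_NAME = "com.example.app_1.0.click"
PKG_BYTES = b"constructed click package contents"
INDEX = make_index(STORE_SK, {PKG_NAME: PKG_BYTES})
```

A signature over the index says nothing about freshness: an older, validly signed index still verifies unless the signed body also carries a version or timestamp that the client checks.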