
ubuntu-appstore-developers team mailing list archive

Re: Signed Click packages

 

On Thu, Aug 08, 2013 at 10:10:56AM -0300, Martin Albisetti wrote:
> On Thu, Aug 8, 2013 at 9:55 AM, Colin Watson <cjwatson@xxxxxxxxxx> wrote:
> > If we're having the store sign the binary, that's news to me.  It
> > would be possible, and it would basically amount to appending something
> > to the file; but I thought that the store developers were maxed out on
> > commitments already, and that we were going to be relying on transport
> > security.
> 
> I'm now trying to remember where all this conversation happened, as it
> was very clear in my head but clearly not too far beyond that.
> The plan was to have the signature in the index metadata, not appended
> to the file, so on download the client can verify it.

This is no doubt possible but maybe we should revisit it.  I certainly
don't think that the server should modify the control or data elements
of the package, but appending a signature seems tolerable and it would
mean we could use existing tools rather than having to write new ones.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]

