ubuntu-appstore-developers team mailing list archive

Thread
Date

Re: Signed Click packages

To: Martin Albisetti <martin.albisetti@xxxxxxxxxxxxx>
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 08 Aug 2013 09:33:54 -0400
Cc: Ubuntu Appstore Developers <ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAAosnqvo+Px6uFroDURAH=Fj_YX6QDf1hzkJ5L7+gRaE38YkZg@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

On 13-08-08 09:11 AM, Martin Albisetti wrote:
> On Thu, Aug 8, 2013 at 9:57 AM, Marc Deslauriers
> <marc.deslauriers@xxxxxxxxxxxxx> wrote:
>> On 13-08-08 08:39 AM, Roberto Alsina wrote:
>>> Also, there is no plan whatsoever to display package signing errors because (I
>>> remember this too ;-) the signature would only be checked on upload, and then
>>> we'd trust that we are getting the packages securely via HTTPS.
>>
>> I don't think HTTPS is enough to be secure. We need to sign the package checksum
>> with some sort of store key.
> 
> 
> Do you think having split out the signature into the index metadata
> and verifying that the downloaded file matches with that would be a
> equal enough approach?

If I'm understanding your approach correctly, yes.

Ie:

1- Ship an appstore key on the device
2- server creates signature for uploaded packages, and stores with metadata that
gets downloaded
3- package installer verifies package signature located in metadata with
appstore key

Marc.

Follow ups

Re: Signed Click packages
From: Colin Watson, 2013-08-08

References

Signed Click packages
From: Colin Watson, 2013-08-08
Re: Signed Click packages
From: Martin Albisetti, 2013-08-08
Re: Signed Click packages
From: Roberto Alsina, 2013-08-08
Re: Signed Click packages
From: Marc Deslauriers, 2013-08-08
Re: Signed Click packages
From: Martin Albisetti, 2013-08-08