ubuntu-appstore-developers team mailing list archive

[Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>]

On 13-08-08 09:36 AM, Marc Deslauriers wrote:
> On 13-08-08 09:26 AM, Colin Watson wrote:
>> On Thu, Aug 08, 2013 at 10:10:56AM -0300, Martin Albisetti wrote:
>>> On Thu, Aug 8, 2013 at 9:55 AM, Colin Watson <cjwatson@xxxxxxxxxx> wrote:
>>>> If we're having the store sign the binary, that's news to me.  It's
>>>> would be possible, and it would basically amount to appending something
>>>> to the file; but I thought that the store developers were maxed out on
>>>> commitments already, and that we were going to be relying on transport
>>>> security.
>>>
>>> I'm now trying to remember where all this conversation happened, as it
>>> was very clear in my head but clearly not too far beyond that.
>>> The plan was to have the signature in the index metadata, not appended
>>> to the file, so on download the client can verify it.
>>
>> This is no doubt possible but maybe we should revisit it.  I certainly
>> don't think that the server should modify the control or data elements
>> of the package, but appending a signature seems tolerable and it would
>> mean we could use existing tools rather than having to write new ones.
>>
> 
> There's possibly two different approaches here:
> 
> 1- We modify the package by adding an appstore signature to the package itself.
> 
> Advantage: uses existing tools
> Disadvantage: We're altering the file that was uploaded by the app developer
> 
> 2- We add an appstore package signature to the appstore metadata
> 
> Advantage: Application file remains intact
> Disadvantage: requires some tooling
> 

or:

3- gpg sign the click packages directly with the appstore key?

Marc.