
ubuntu-appstore-developers team mailing list archive

Re: Signed Click packages


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/08/13 14:10, Martin Albisetti wrote:
> On Thu, Aug 8, 2013 at 9:55 AM, Colin Watson <cjwatson@xxxxxxxxxx>
> wrote:
>> 
>> If we're having the store sign the binary, that's news to me.
>> It would be possible, and it would basically amount to
>> appending something to the file; but I thought that the store
>> developers were maxed out on commitments already, and that we
>> were going to be relying on transport security.
> 
> I'm now trying to remember where all this conversation happened, as
> it was very clear in my head but clearly not too far beyond that. 
> The plan was to have the signature in the index metadata, not
> appended to the file, so on download the client can verify it.

I wasn't present for the original discussion of this, but I do clearly
recall you talking about it in a weekly call a couple of weeks back.
My understanding was that the packages would be signed by the
developer before uploading to the store, so we could verify the
upload, and that there would be "a signature" in the click index - in
my mind, this was a detached signature that we'd created, otherwise
we'd have to ship keys for every developer.

Someone better versed in security would have to confirm, but I think
this gives us pretty good assurances:

 - we know that what's on our server hasn't been modified from what the
   developer sent to us.
 - the client knows that what it downloaded from us hasn't been
   modified from what we received.
 - a malicious developer can have their key revoked and we can push
   empty packages as updates.

Apart from the empty packages, isn't this how apt works?

JT
- -- 
James Tait, BSc. | https://launchpad.net/~jamestait/
Software Engineer, Canonical Online Services, Web and Ops Team
Ubuntu - Linux for human beings | www.ubuntu.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlIDqAoACgkQyDo4xMNTLia5NQCaAslGbQmQuxme6b6MbxB6dwSZ
H+YAn1RbXuy3gxubaX9iMZshRX77E0XE
=mSu+
-----END PGP SIGNATURE-----
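
Added example (not from this thread, and not the click or store code): the
flow James describes, carried through in Go. The developer signs the
package before upload, the store refuses uploads whose developer key is
revoked or whose signature does not verify, the store then publishes its
own detached signature plus a SHA-256 in the index metadata, and the
client checks the download with only the store's public key, so no
per-developer keys ever ship to devices. The IndexEntry layout, the
function names and the use of Ed25519 in place of PGP are assumptions
made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// IndexEntry is a hypothetical shape for one package's index metadata:
// the file name, a content hash, and a detached store signature over the
// package bytes. Not the real click index format.
type IndexEntry struct {
	Name     string
	SHA256   string
	StoreSig []byte // detached Ed25519 signature by the store key
}

// storeAcceptUpload is the store-side check at upload time: the developer
// key must not be revoked, and the developer's detached signature over the
// exact bytes received must verify. This is the "what's on our server
// hasn't been modified from what the developer sent" assurance.
func storeAcceptUpload(pkg, devSig []byte, devPub ed25519.PublicKey, revoked map[string]bool) error {
	if revoked[hex.EncodeToString(devPub)] {
		return errors.New("upload rejected: developer key revoked")
	}
	if !ed25519.Verify(devPub, pkg, devSig) {
		return errors.New("upload rejected: developer signature does not verify")
	}
	return nil
}

// storePublish builds the index entry: the store signs the accepted bytes
// with its own key and records the hash alongside.
func storePublish(name string, pkg []byte, storePriv ed25519.PrivateKey) IndexEntry {
	sum := sha256.Sum256(pkg)
	return IndexEntry{
		Name:     name,
		SHA256:   hex.EncodeToString(sum[:]),
		StoreSig: ed25519.Sign(storePriv, pkg),
	}
}

// clientVerify is the device-side check after download. It needs only the
// store's public key (shipped once with the client), never developer keys.
// The hash is checked first as a cheap early reject; the signature is the
// actual authenticity guarantee.
func clientVerify(downloaded []byte, entry IndexEntry, storePub ed25519.PublicKey) error {
	sum := sha256.Sum256(downloaded)
	if hex.EncodeToString(sum[:]) != entry.SHA256 {
		return errors.New("download rejected: SHA-256 does not match index")
	}
	if !ed25519.Verify(storePub, downloaded, entry.StoreSig) {
		return errors.New("download rejected: store signature does not verify")
	}
	return nil
}

func main() {
	// Constructed sample: fresh keys and a stand-in for a .click file.
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	storePub, storePriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed stand-in for hello_1.0_all.click contents")

	devSig := ed25519.Sign(devPriv, pkg)
	fmt.Println("upload:", storeAcceptUpload(pkg, devSig, devPub, map[string]bool{}))

	entry := storePublish("hello_1.0_all.click", pkg, storePriv)
	fmt.Println("clean download:", clientVerify(pkg, entry, storePub))

	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	fmt.Println("tampered download:", clientVerify(tampered, entry, storePub))

	revoked := map[string]bool{hex.EncodeToString(devPub): true}
	fmt.Println("upload after revocation:", storeAcceptUpload(pkg, devSig, devPub, revoked))
}
```

Note that the store signature alone already binds the full contents; the
hash in the index is there so a client can reject a bad download before
doing the signature check, and so the index can refer to content by
digest. Transport security (as Colin mentions) protects the index and the
download in flight, but it is the store signature that lets a client tell
a tampered blob from a genuine one after the fact.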

