ubuntu-appstore-developers team mailing list archive

Click package signing on staging

Hi all,

We have pushed click package signing to staging, and it'll now
auto-sign any package that gets uploaded there.
Currently, the only package that is signed is called "demo4". Within
the next few days, all packages will be signed.
The file hash is also captured and exposed, completing click package
signing from the store's perspective (well, still needs to land on
production :)).

If you are working on a piece that will verify this on the client,
please take some time to integrate into it, and make sure it works as
expected.
For staging, you will need to side-load the public key[1] into the
device. I do not know how to do that, so whoever figures it out,
please add the instructions to the wiki page[2].
I understand side-loading the key is sub-optimal, and may cause some
CI issues if pointed at staging.
At present, that's the best we can do.

The key for production will be in place next week, and if all goes
well, production will start signing packages as well and soon after
back-sign everything in the store.
I expect things to keep on working if the client-side pieces haven't
landed, or for outdated devices, as nothing will verify the signature.



[1] http://paste.ubuntu.com/7982318/
[2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning

-- 
Martin

