
ubuntu-appstore-developers team mailing list archive

Re: Click package signing on staging

 

Hi all,

Just a quick update on the status of package signing.

staging:
- package signing is enabled
- all existing packages have been signed and re-uploaded (except those that
were invalid click packages, as those bail out during signature
verification)

production:
- package signing is enabled
- all existing packages have been signed and re-uploaded (except those that
were invalid click packages, as those bail out during signature
verification)

After all the signing was done, I've confirmed we have 0 published uploads
that are missing the signature.

We're now ready to start verifying click packages and their signatures on
the phone.



On Thu, Aug 7, 2014 at 4:42 PM, Martin Albisetti <
martin.albisetti@xxxxxxxxxxxxx> wrote:

> Hi all,
>
> We have pushed click package signing to staging, and it'll now
> auto-sign any package that gets uploaded there.
> Currently, the only package that is signed is called "demo4". Within
> the next few days, all packages will be signed.
> The file hash is also captured and exposed, completing click package
> signing from the store's perspective (well, still needs to land on
> production :)).
>
> If you are working on a piece that will verify this on the client,
> please take some time to integrate into it, and make sure it works as
> expected.
> For staging, you will need to side-load the public key[1] into the
> device. I do not know how to do that, so whoever figures it out,
> please add the instructions to the wiki page[2].
> I understand side-loading the key is sub-optimal, and may cause some
> CI issues if pointed at staging.
> At present, that's the best we can do.
>
> The key for production will be in place next week, and if all goes
> well, production will start signing packages as well and soon after
> back-sign everything in the store.
> I expect things to keep on working if the client-side pieces haven't
> landed, or for outdated devices, as nothing will verify the signature.
>
>
>
> [1] http://paste.ubuntu.com/7982318/
> [2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning
>
> --
> Martin
>
> --
> Mailing list: https://launchpad.net/~ubuntu-appstore-developers
> Post to     : ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
> More help   : https://help.launchpad.net/ListHelp
>



