ubuntu-appstore-developers team mailing list archive

Thread
Date

Re: Click package signing on staging

To: Martin Albisetti <martin.albisetti@xxxxxxxxxxxxx>
From: Michael Vogt <mvo@xxxxxxxxxx>
Date: Thu, 21 Aug 2014 09:33:55 +0200
Cc: Ubuntu Appstore Developers <ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAAosnqua0JXEBv66cD+R432mesUY5bOAZ6DM-_T8+S7j2RcH7Q@mail.gmail.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Aug 18, 2014 at 05:32:44PM -0300, Martin Albisetti wrote:
> On Mon, Aug 18, 2014 at 3:56 PM, Michael Vogt <mvo@xxxxxxxxxx> wrote:
> > Help appreciated to get the right pubkey for production :)
> 
> *looks down in shame for not checking*
> That is the staging key.
> 
> Here is the production key: http://paste.ubuntu.com/8082832/

Thanks! This key works fine.

The client side of the signature support is ready in landing silo 006
and works well for me in my testing on the phone and on the desktop.
It has not landed yet because we are in TRAINCON-0 though. The
required new packages debsig-verify and click-ubuntu-policy are seeded
too.

Once this has landed you will have to pass "--allow-unauthenticated"
to click in order to install unsigned packages (like your local test
clicks :). Something like:

# click install --user=phablet --allow-unauthenticated foo_1.0.click

should work. Click will refuse to install any unsigned clicks by
default now.

Cheers,
 Michael

P.S. Iirc the server team asked for support in debsig-verify to place
policy/keyring in other directories than /etc, /usr/share - this is
now possible with the --root option in debsig-verify git.

References

Click package signing on staging
From: Martin Albisetti, 2014-08-07
Re: Click package signing on staging
From: Ricardo Kirkner, 2014-08-14
Re: Click package signing on staging
From: Martin Albisetti, 2014-08-18
Re: Click package signing on staging
From: Michael Vogt, 2014-08-18
Re: Click package signing on staging
From: Martin Albisetti, 2014-08-18