ubuntu-phone team mailing list archive

Re: Calling for Click signing

 

If we "auto sign" those packages and then later a developer decides to update
the app and sign it with their own key, what happens then? The update should
then fail, right?

Are we planning to have a policy in place allowing apps to share a package
only if they have the same signature?

If two different apps are coming from the same developer and share the same
package name (and the same signature), will they share the same sandbox, or
will they be able to peek into each other's sandbox, at least data-wise?


On Sat, Jun 7, 2014 at 2:04 AM, Martin Albisetti <argentina@xxxxxxxxx>
wrote:

> On Fri, Jun 6, 2014 at 6:25 AM, Ondrej Kubik <ondrej.kubik@xxxxxxxxxxxxx>
> wrote:
> >  What is going to happen to all the existing apps in the store and apps
> > already installed once signing is enabled?
>
> We can decide how to transition. Because the plan is to sign the
> signature, we can choose to sign an empty (or empty-ish) signature for
> those cases, so we'll have a verification that the package on the
> device came from the server.
>
>
> --
> Martin
>
