ubuntu-phone team mailing list archive
Message #08572
Re: Calling for Click signing
On Fri, Jun 13, 2014 at 4:08 PM, Martin Albisetti <argentina@xxxxxxxxx>
wrote:
> On Fri, Jun 13, 2014 at 11:48 AM, Ondrej Kubik
> <ondrej.kubik@xxxxxxxxxxxxx> wrote:
> > If we "auto sign" those packages and then later the developer decides to
> > update the app and sign it with their own key, what happens then? The update
> > should then fail, right?
>
> All the client cares about is that our signature is valid. It doesn't
> matter what the developer does. Devices will not check developer's
> signatures. We can make sure our servers are aware of the transition
> and handle it appropriately.
>
I believe the idea is to make the signature check on the device side before
installing a click; otherwise, if we leave the check only on the server and the
device installs anything that comes from the server, we still have a problem,
and it will not resolve the side-loading issue.
So I think there is still a problem. If we sign all the "unattended"
applications with a default key, and then a developer decides to update such an
application and sign it with their own key, this should be refused by the
device; otherwise there is a hole in the security model. Or am I missing
something?
>
> > Are we planning to have a policy in place allowing apps to share a package
> > only if they have the same signature?
> >
> > If two different apps are coming from the same developer and share the same
> > package name (and the same signature), will they share the same sandbox, or
> > will they be able to peek into each other's sandbox, at least data-wise?
>
> We don't have anything in mind yet, and I don't think we'd do it based
> on signatures, but I'll defer that to the security team when the time
> comes.
> Developers get a namespace when they sign up, I'd expect that
> namespace to determine this relationship, rather than signatures.
>
Sorry for the term confusion.
Multiple applications with the same namespace on one device could only come
signed with the same signature.
Yes, sandbox boundaries should be determined by namespace. Ideally, two apps
in the same namespace should be able to share private data.
>
>
> --
> Martin
>
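The device-side policy discussed in this thread, as an added illustration (not code from the click project or from either poster): a package is installed only if its signer is trusted on the device and its payload matches the signed digest, an update is refused when it is signed by a different key than the installed version, and a namespace is bound to a single signer. The asymmetric signature verification itself is assumed to have already established `signer`; key fingerprints, names and the namespace strings are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, replace

# Hypothetical fingerprint of the store's default ("auto sign") key.
STORE_SIGNER = "fp:store-default-key"


@dataclass(frozen=True)
class ClickPackage:
    name: str           # package name, e.g. "com.example.notes"
    namespace: str      # developer namespace assigned by the store
    version: str
    payload: bytes      # the click archive bytes (constructed sample data)
    signer: str         # fingerprint of the key assumed to have signed it
    signed_digest: str  # sha256 of the payload the signer vouched for


def make_package(name, namespace, version, payload, signer):
    """Build a package whose signed digest matches its payload (constructed)."""
    return ClickPackage(name, namespace, version, payload, signer,
                        hashlib.sha256(payload).hexdigest())


def install_decision(pkg, installed, trusted):
    """Decide on the device whether `pkg` may be installed.

    installed: dict name -> ClickPackage currently on the device
    trusted:   set of signer fingerprints the device accepts
    Returns (accepted, reason).
    """
    # Check on the device, not only on the server: untrusted signer or a
    # payload that does not match the signed digest is refused outright.
    if pkg.signer not in trusted:
        return False, "signer not trusted on device"
    if hashlib.sha256(pkg.payload).hexdigest() != pkg.signed_digest:
        return False, "payload does not match signed digest"
    # An update must be signed by the same key as the installed version;
    # switching from the default key to a developer key is refused.
    prev = installed.get(pkg.name)
    if prev is not None and prev.signer != pkg.signer:
        return False, "update signed by a different key than installed version"
    # All apps in one namespace on a device must share one signer.
    for other in installed.values():
        if other.namespace == pkg.namespace and other.signer != pkg.signer:
            return False, "namespace already bound to a different signer"
    return True, "ok"
```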