Hello,

We would need to implement support for developer app signatures in the Marketplace and Firefox OS [1], because the support of NFC payment, scheduled for Firefox OS 2.2, would require this feature for the Wallet app.

Right now, privileged apps on the Marketplace are signed by Mozilla using Jarsigner and a PKCS#7 signature [2]. For specific reasons detailed below [3], we need to support a signature model compatible with the Android model [4]. Until now, the Marketplace has been using the same tools/model. If we're to support developer signing, we can imagine several models:

1) handling multiple signatures: the app is signed twice, once by the developer and once by the Marketplace (e.g. having two manifest files in META-INF, signed by each key)
2) the app is signed once by the developer key
3) the app is signed once by a developer key which is trusted and signed by Mozilla

(2) is similar to what happens in Android: an Android app is signed by the developer but not by the Google Play store [5].

Losing the Marketplace certificate would be a bad idea from a security point of view. Since generating and keeping the key safe is the developer's responsibility, we have no guarantee it will be done securely enough. The developer's private key can be self-signed and/or not strong enough. The developer could enter an empty password for the key. It could be stored in an insecure location, etc. So the Marketplace certificate should still play the role of the trusted authority, which adds a layer of security we have control over.

Any thoughts about the propositions and the way of implementing developer signature support?

[1] Vendor signature for apps on the Marketplace: https://bugzilla.mozilla.org/show_bug.cgi?id=973823
[2] Signing service: https://wiki.mozilla.org/Apps/PrivilegedApplication/SigningService
[3] Some background: NFC Secure Element and Access Control
* NFC payment includes the support of the NFC Secure Element (see bug 879861). The Secure Element is a chip which in our case is integrated in the SIM card. It provides a more secure execution environment and stores credentials and payment services (applets) to be accessed from apps.
* An Access Control Enforcer component (implemented in Gecko) prevents non-authorized apps from accessing payment service applets. This is done by checking a file stored on the SIM card and containing ACL rules: each app must be explicitly authorized to access a given applet. In the Android model, it checks the SHA-1 hash of the developer's certificate used to sign the app. The carrier initially pushed these ACL rules into the SIM card.
* The carrier working with us on this project has already deployed an architecture to support NFC payment on Android devices and their SIM cards. Updating SIM cards and pushing ACL rules is a rather unreliable process (high rate of failure). Therefore, Firefox OS has to use the same ACL rules as on Android, which means it has to support developer app signing.
[4] https://developer.android.com/tools/publishing/app-signing.html
[5] How does Android app signature verification work: http://stackoverflow.com/questions/10938298/how-does-androids-app-signature-verification-work

Stéphanie
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
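The Access Control Enforcer check described under [3], as an added Python example that is not part of the original post nor of Gecko or Marketplace code: it builds an in-memory JAR-style package carrying both a developer and a Marketplace signer block (model 1 above), checks every entry against the MANIFEST.MF digests, requires the Marketplace signer to be the trusted one, and looks the developer certificate's SHA-1 fingerprint up in ACL rules keyed by applet AID. The certificate bytes, the AID and the ACL contents are constructed placeholders, and the PKCS#7 signature verification itself is assumed to be done by the platform's existing signing code and is not modelled here.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for DER-encoded signing certificates (not real X.509 data).
DEV_CERT = b"\x30\x82CONSTRUCTED-DEVELOPER-CERT"
MKT_CERT = b"\x30\x82CONSTRUCTED-MARKETPLACE-CERT"

def fingerprint(cert_der):
    """SHA-1 of the DER certificate, the form an Android-style ACL rule stores."""
    return hashlib.sha1(cert_der).hexdigest()

# Constructed ACL rules (what the carrier pushes to the SIM): applet AID -> allowed developer fingerprints.
ACL_RULES = {"A0000000041010": {fingerprint(DEV_CERT)}}

def build_app(files, dev_cert, mkt_cert, listed=None):
    """In-memory JAR-style package: MANIFEST.MF with SHA-256 digests plus one signer block per key.
    `listed` lets a caller write digests for other content than is packaged, i.e. a tampered package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = "Manifest-Version: 1.0\n\n"
        for name, data in (listed or files).items():
            manifest += f"Name: {name}\nSHA-256-Digest: {hashlib.sha256(data).hexdigest()}\n\n"
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/DEVELOPER.RSA", dev_cert)
        z.writestr("META-INF/MARKETPL.RSA", mkt_cert)
    return buf.getvalue()

def verify_integrity(z):
    """Every non-META-INF entry must match the digest MANIFEST.MF lists for it."""
    digests, name = {}, None
    for line in z.read("META-INF/MANIFEST.MF").decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: "):
            digests[name] = line[len("SHA-256-Digest: "):]
    return all(digests.get(n) == hashlib.sha256(z.read(n)).hexdigest()
               for n in z.namelist() if not n.startswith("META-INF/"))

def may_access_applet(package, aid):
    """Access Control Enforcer model: intact package, trusted Marketplace signer,
    and the developer certificate's fingerprint listed in the ACL for this applet."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if not verify_integrity(z) or z.read("META-INF/MARKETPL.RSA") != MKT_CERT:
            return False
        return fingerprint(z.read("META-INF/DEVELOPER.RSA")) in ACL_RULES.get(aid, set())

# Constructed sample app content.
FILES = {"manifest.webapp": b'{"name": "Wallet"}', "index.html": b"<html></html>"}
```

A package passes only when its contents match the manifest, the Marketplace block is the trusted certificate, and the developer fingerprint is listed for the requested AID; any other developer key, an unknown AID or a modified entry is refused.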
