Hi Baptiste, I have implemented some features on Crosswalk installer, I think they may be useful for your reference.
1. https://github.com/crosswalk-project/crosswalk/pull/2518. For this pull request, it implement the features below: l Parser Tizen privileges from config.xml of wgt l Register application’s permission to Cynara policy l Call security manager to set smack label for files in the widget I think you can use some code directly and send pull request in Tizen gerrit 2. https://github.com/crosswalk-project/crosswalk/pull/2169 https://github.com/crosswalk-project/crosswalk/pull/2291 https://github.com/crosswalk-project/crosswalk/pull/2422 For these pull requests, they implemented features Tizen widget signature checking Best Regards Zhang Xu From: Dev [mailto:[email protected]] On Behalf Of Baptiste Durand Sent: Friday, November 21, 2014 12:41 AM To: Pawel Sikorski Cc: [email protected] Subject: Re: [Dev] App Installer WorkShop Status Hi Pawel, Please remember that all apps should follow the same workflow. That means all applications should have be managed in the same especially for security task, that should be common for all applications but we can't add specific step if an installation for a designed type of app requires ones. The encryption is specific WRT you are right so we should be able to handle it. When we initialize the app_installer for wgt, we will adjust the list of step by adding a encryption step dedicated to widget. About the implementation It would be preferable that encryption should be done by a platform service Let me clarify this point. I let you know what my complete point of view. Thanks BR Baptiste 2014-11-20 17:14 GMT+01:00 Pawel Sikorski <[email protected]<mailto:[email protected]>>: Dear Baptiste, Thank You for sharing the status. We had a small discussion about the *Encryption feature*. Please see a description of this requirement below and its current status. -------------------- ------------------------------------------------------------ Link to above spec: https://developer.tizen.org/dev-guide/2.2.1/org.tizen.web.appprogramming/html/basics_tizen_programming/web_security_privacy.htm Link to specification: https://source.tizen.org/sites/default/files/page/tizen-2.2-wrt-core-spec.pdf 5.2. Web Application Protection 0650. For Web Applications that explicitly turn on encryption through the <tizen:setting /> element in the configuration file, the WRT MUST provide the following measures to protect Web Application resources: * The WRT MUST encrypt the HTML, JS, and CSS file resources of the Web Application stored by the device. * When the Web Application is being run, the WRT MUST decrypt the encrypted resources (HTML, JS, and CSS) in a manner transparent to the application itself." Crosswalk implementation details: Currently application is being encrypted during widget installation process (encrypted file types: *.js, *.html, *.css, *.xhtml). Encryption starts in xwalk_package_installer.cc:407 (method Install()). These files are encrypted with AES key, which is generated with help of chromium's "crypto" module and with usage of the same library they are decrypted. After encryption key is saved in tizen's secure-storage (libss-client and ss-server packages). Key is generated for each file separately. Files are decrypted in memory during runtime with usage of key located in secure-storage. Decryption is covered in class URLRequestApplicationJobTizen (application_protocols.cc:181). Link to PR: https://github.com/crosswalk-project/crosswalk/pull/2467 Link to XWALK bug: https://crosswalk-project.org/jira/browse/XWALK-1172 -------------------------------------------------------------------------------- What do you think about that? It looks as a specific step just for Web Applications. Best Regards, Pawel Sikorski From: Dev [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Baptiste Durand Sent: Thursday, November 20, 2014 5:02 PM To: [email protected]<mailto:[email protected]> Subject: [Dev] App Installer WorkShop Status Hi all Here is the status of the Work shop about App_installer package confcall 20th of November Present : Pawel Sikorski , Dominique Le Foll, Baptiste Durand ------------------------------ ------------------------------------------------------------------------------------------ Business logic location : A decision has been taken to re localize the business logic in the frontend, that means installer backend should not have a specific logic. In consequences, the backend installation should be able to execute a request ( install / uninstall / reinstall / update a package) That means if an installation fails because the package is already installed an exception should be thrown by backend, there won't no implicit update. ------------------------------ ------------------------------------------------------------------------------------------ List of step for installation : Here the list for an app installation 1) Unpack archive 2) Signature step 2a)signature validation 2b) certificate check 2c) Extraction of level of signature (Platdorm/ Partner ...) 3) Extration of manifest 3a) Extraction of privileges and comparison with signature level 4) Creation of final Directory + Cpopy of Applciation files 5) Generate final manifest.xml + Generate desktop File 6) Register applications in database. 7) Security manager calls for Set smack Label Samsung Poland team is in charge to find how the steps 2a/b/c & 3a should be handled. (Security Manager could be a candidate to do this check) ------------------------------------------------------------------------------------------------------------------------------ Other mode of Installation It was concluded that for now only Offline Installation is relevant. Offline installation should be handled by a dedicated set of steps. The wiki will be updated following this. BR -- Baptiste DURAND Eurogiciel Vannes/FR -- Baptiste DURAND Eurogiciel Vannes/FR
_______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
