On 13-06-05 11:39 AM, Loïc Minier wrote:
<snip>
> Concerning the signed package approach, here are a couple of
> implementations that would make it possible to sign the manifest and all
> the package contents:
> a. dpkg-sig[2]; I believe this generates an index called "digests" of the
>    components of the ar file with corresponding SHA1 and MD5 hashes,
>    then adds a GPG signature of that file as digests.asc to the
>    archive
>
> b. GPG signing the .deb directly
>
I took a quick look at dpkg-sig. Embedding a signature in the .deb by adding an extra file is novel. dpkg-sig itself only handles SHA1 and MD5 though, which we would need to update to something better, and it seems to be unmaintained.

I think we should probably add this functionality directly to our click packages generation tool, possibly using the same approach as dpkg-sig, but with a better hashing algorithm, such as SHA512.

Marc.

--
Mailing list: https://launchpad.net/~ubuntu-appstore-developers
Post to     : ubuntu-appstore-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
More help   : https://help.launchpad.net/ListHelp
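
The digests-file idea discussed in this message, as an added example (not code from dpkg-sig, the click tooling, or anyone in the thread): it walks the members of an ar archive, records a SHA-512 per member, and checks a package against that manifest. The manifest line format, the function names and the sample archive are constructed for illustration; producing and checking the GPG signature over the manifest is left to gpg.

```python
import hashlib
import io

AR_MAGIC = b"!<arch>\n"

def make_ar(members):
    """Build a common-format ar archive in memory (for the constructed sample)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        out.write(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                  % (name.encode("ascii"), 0, 0, 0, b"100644", len(data)))
        out.write(data + (b"\n" if len(data) % 2 else b""))  # pad to even length
    return out.getvalue()

def ar_members(blob):
    """Yield (name, data) for each member; raise ValueError on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = header[0:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos += 60 + size + (size % 2)

def build_digests(blob):
    """Manifest text: one '<sha512-hex> <member name>' line per ar member."""
    return "".join("%s %s\n" % (hashlib.sha512(d).hexdigest(), n)
                   for n, d in ar_members(blob))

def verify(blob, manifest):
    """Return a list of problems; an empty list means every member matches."""
    expected = dict(reversed(line.split(" ", 1)) for line in manifest.splitlines())
    problems = []
    for name, data in ar_members(blob):
        want = expected.pop(name, None)  # pop, so a duplicated name is flagged
        if want is None:
            problems.append("unexpected member: " + name)
        elif want != hashlib.sha512(data).hexdigest():
            problems.append("digest mismatch: " + name)
    return problems + ["missing member: " + n for n in expected]

# Constructed sample: member names follow the .deb layout, contents are dummy bytes.
SAMPLE = make_ar([("debian-binary", b"2.0\n"),
                  ("control.tar.gz", b"constructed control bytes"),
                  ("data.tar.gz", b"constructed data bytes!")])
```

A verifier has to check the signature on the manifest before trusting its digests, and has to reject members the manifest does not list, since an appended or duplicated member would otherwise ride along unsigned.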