I did some basic research into signed Click packages this morning. This is where we get to start reaping the benefits of using a variant of the .deb format, because debsigs just works out of the box once you set up the appropriate verification policies:
$ gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg --list-keys
/usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg
--------------------------------------------------------
pub   4096R/7D86500B 2009-07-28
uid                  Colin Watson <[email protected]>
uid                  Colin Watson <[email protected]>
uid                  Colin Watson <[email protected]>
uid                  Colin Watson <[email protected]>
sub   4096R/5EF320FC 2009-07-28

$ cat /etc/debsig/policies/393587D97D86500B/generic.pol
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <!-- This is mainly a sanity check, since our filename is that of the ID anyway. -->
  <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
  <!-- This is required to match in order for this policy to be used. -->
  <Selection>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Selection>
  <!-- Once we decide to use this policy, this must pass in order to verify the package. -->
  <Verification>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Verification>
</Policy>

$ cp -a ../com.ubuntu.test_1.3_all.click .
$ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
debsig: Origin Signature check failed. This deb might not be signed.
10
$ debsigs --sign=origin com.ubuntu.test_1.3_all.click

You need a passphrase to unlock the secret key for
user: "Colin Watson <[email protected]>"
4096-bit RSA key, ID 7D86500B, created 2009-07-28

$ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
debsig: Verified package from `Colin Watson' (cjwatson)
0

I won't write new crypto logic if I can possibly help it, so this is a big win even if the policy format isn't necessarily quite what I would have chosen. I'll probably add some new commands to click to do signing and verification, but they'll just pass through to external commands.
This does leave a couple of questions:

 * Does it matter if you need to be in developer mode to install new signature verification policies? (If this is unacceptable, we either need to make sure these directories are transparently on the data partition, or have debsig-verify look in alternate locations that are.)

 * Do we need a fancy UI for making decisions like "trust all packages from this signer", or is it acceptable for this to be something we document for enthusiasts for now?

-- 
Colin Watson [[email protected]]
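The policy above relies on a set of invariants that debsig-verify enforces implicitly: the directory the policy lives in is named after the key ID, the Origin id must match it, and the Required entries in both Selection and Verification must point at that same id and at a keyring file that actually exists under /usr/share/debsig/keyrings/<id>/. The following script is an added example, not code from the post or from the click or debsigs projects; it mirrors those consistency checks so that a misconfigured policy (the usual reason verification "just fails") is caught before any package is installed. The sample policy text is the one from the post; the check_policy and scan_policies function names are this example's own, and the on-disk layout it assumes is the one shown in the post.

```python
import os
import xml.etree.ElementTree as ET

DEBSIG_NS = "http://www.debian.org/debsig/1.0/"
POLICIES_ROOT = "/etc/debsig/policies"
KEYRINGS_ROOT = "/usr/share/debsig/keyrings"

# Constructed sample: the generic.pol from the post, as it would sit in
# /etc/debsig/policies/393587D97D86500B/.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
  <Selection>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Selection>
  <Verification>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Verification>
</Policy>
"""


def _tag(name):
    # ElementTree expands the default namespace into {ns}Name tags.
    return "{%s}%s" % (DEBSIG_NS, name)


def check_policy(policy_xml, policy_dir_id, keyring_files):
    """Return a list of human-readable problems; an empty list means the
    policy is internally consistent with its directory and keyring set."""
    problems = []
    root = ET.fromstring(policy_xml)
    if root.tag != _tag("Policy"):
        return ["root element is %s, expected a debsig Policy" % root.tag]

    origin = root.find(_tag("Origin"))
    if origin is None:
        return ["policy has no Origin element"]
    origin_id = origin.get("id", "")
    if origin_id != policy_dir_id:
        problems.append("Origin id %s does not match policy directory %s"
                        % (origin_id, policy_dir_id))

    # Both blocks are needed: Selection decides whether the policy applies,
    # Verification decides whether the package is accepted.
    for section in ("Selection", "Verification"):
        block = root.find(_tag(section))
        if block is None:
            problems.append("missing %s block" % section)
            continue
        required = block.findall(_tag("Required"))
        if not required:
            problems.append("%s has no Required entries" % section)
        for req in required:
            req_id = req.get("id", "")
            if req_id != origin_id:
                problems.append("%s: Required id %s does not match Origin id %s"
                                % (section, req_id, origin_id))
            keyring = req.get("File", "")
            if keyring not in keyring_files:
                problems.append("%s: keyring file %s not present under %s/%s"
                                % (section, keyring, KEYRINGS_ROOT, policy_dir_id))
    return problems


def scan_policies(policies_root=POLICIES_ROOT, keyrings_root=KEYRINGS_ROOT):
    """Walk every <id>/*.pol on disk and map each to its problem list."""
    report = {}
    if not os.path.isdir(policies_root):
        return report
    for policy_dir_id in sorted(os.listdir(policies_root)):
        pol_dir = os.path.join(policies_root, policy_dir_id)
        key_dir = os.path.join(keyrings_root, policy_dir_id)
        keyrings = set(os.listdir(key_dir)) if os.path.isdir(key_dir) else set()
        for name in sorted(os.listdir(pol_dir)):
            if not name.endswith(".pol"):
                continue
            path = os.path.join(pol_dir, name)
            with open(path) as fh:
                report[path] = check_policy(fh.read(), policy_dir_id, keyrings)
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then the live system.
    print("sample policy:", check_policy(SAMPLE_POLICY, "393587D97D86500B",
                                         {"cjwatson.gpg"}) or "OK")
    for path, problems in scan_policies().items():
        print(path, problems or "OK")
```

Run without arguments it first checks the embedded sample (which passes) and then reports on whatever policies the system actually has; a non-empty list for a policy is the thing to fix before expecting debsig-verify to return 0 for packages from that signer.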

