On 13-08-08 07:01 AM, Colin Watson wrote:
> I did some basic research into signed Click packages this morning. This
> is where we get to start reaping the benefits of using a variant of the
> .deb format, because debsigs just works out of the box once you set up
> the appropriate verification policies:
>
> $ gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg --list-keys
> /usr/share/debsig/keyrings/393587D97D86500B/cjwatson.gpg
> --------------------------------------------------------
> pub   4096R/7D86500B 2009-07-28
> uid                  Colin Watson <[email protected]>
> uid                  Colin Watson <[email protected]>
> uid                  Colin Watson <[email protected]>
> uid                  Colin Watson <[email protected]>
> sub   4096R/5EF320FC 2009-07-28
>
> $ cat /etc/debsig/policies/393587D97D86500B/generic.pol
> <?xml version="1.0"?>
> <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
> <Policy xmlns="http://www.debian.org/debsig/1.0/">
>
>   <!-- This is mainly a sanity check, since our filename is that of the ID
>        anyway. -->
>   <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
>
>   <!-- This is required to match in order for this policy to be used. -->
>   <Selection>
>     <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
>   </Selection>
>
>   <!-- Once we decide to use this policy, this must pass in order to verify
>        the package. -->
>   <Verification>
>     <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
>   </Verification>
>
> </Policy>
> $ cp -a ../com.ubuntu.test_1.3_all.click .
> $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
> debsig: Origin Signature check failed. This deb might not be signed.
>
> 10
> $ debsigs --sign=origin com.ubuntu.test_1.3_all.click
>
> You need a passphrase to unlock the secret key for
> user: "Colin Watson <[email protected]>"
> 4096-bit RSA key, ID 7D86500B, created 2009-07-28
>
> $ debsig-verify com.ubuntu.test_1.3_all.click; echo $?
> debsig: Verified package from `Colin Watson' (cjwatson)
> 0
>
> I won't write new crypto logic if I can possibly help it, so this is a
> big win even if the policy format isn't necessarily quite what I would
> have chosen. I'll probably add some new commands to click to do signing
> and verification, but they'll just pass through to external commands.

dpkg-sig only seems to handle SHA1 and MD5 though, which is unacceptable.
We need to change it to something better, like SHA512.

> This does leave a couple of questions:
>
> * Does it matter if you need to be in developer mode to install new
>   signature verification policies? (If this is unacceptable, we either
>   need to make sure these directories are transparently on the data
>   partition, or have debsig-verify look in alternate locations that
>   are.)

By 'developer mode', we're talking about opting out of the image-based
updates, right? We should probably find a better name for that, it's
pretty confusing :)

I think app developers would probably want to remain in image-based
updates mode, to be able to actually test their apps in the same
environment as the shipping devices.

> * Do we need a fancy UI for making decisions like "trust all packages
>   from this signer", or is it acceptable for this to be something we
>   document for enthusiasts for now?

I don't think it should have a fancy UI, as I don't think we want to have
websites telling people to play with those settings. It should be a
developer/debugging thing only, that will likely be only available once
you've unlocked the device.

Marc.

-- 
Mailing list: https://launchpad.net/~ubuntu-appstore-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
More help   : https://help.launchpad.net/ListHelp
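As an added example (not part of the thread, and not debsig-verify's own code), a small Python lint for the cross-references inside a policy like the one quoted above: the Origin id must match the policy directory and both Required rules, and each rule's keyring File must be present in the keyring directory for that id. It models only the Required Type="origin" rules shown in the quoted policy, and the keyring directory listing is passed in as a set rather than read from disk.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.debian.org/debsig/1.0/}"

# Constructed sample input: a copy of the policy quoted in the thread.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="http://www.debian.org/debsig/1.0/">
  <Origin Name="cjwatson" id="393587D97D86500B" Description="Colin Watson"/>
  <Selection>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Selection>
  <Verification>
    <Required Type="origin" File="cjwatson.gpg" id="393587D97D86500B"/>
  </Verification>
</Policy>
"""


def lint_policy(policy_xml, policy_dir_id, keyring_files):
    """Return a list of inconsistencies (empty means consistent).
    policy_dir_id: the <id> component of /etc/debsig/policies/<id>/.
    keyring_files: names under /usr/share/debsig/keyrings/<id>/ (a set,
    so the check runs offline instead of reading the real directory)."""
    problems = []
    root = ET.fromstring(policy_xml)  # expat does not fetch the external DTD
    origin = root.find(NS + "Origin")
    if origin is None:
        return ["policy has no <Origin> element"]
    oid = origin.get("id")
    # Policies and keyrings live in directories named after the key id, so a
    # mismatch means this policy will never be picked up for its signer.
    if oid != policy_dir_id:
        problems.append(f"Origin id {oid} does not match policy directory {policy_dir_id}")
    for section in ("Selection", "Verification"):
        sec = root.find(NS + section)
        if sec is None:
            problems.append(f"missing <{section}> block")
            continue
        rules = sec.findall(NS + "Required")
        if not rules:
            problems.append(f"<{section}> has no <Required> rule")
        for rule in rules:
            if rule.get("Type") != "origin":
                problems.append(f"<{section}> rule Type={rule.get('Type')!r}, expected 'origin'")
            if rule.get("id") != oid:
                problems.append(f"<{section}> rule id {rule.get('id')} != Origin id {oid}")
            if rule.get("File") not in keyring_files:
                problems.append(f"<{section}> keyring {rule.get('File')!r} missing from keyrings/{oid}/")
    return problems
```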

