On Thu, Aug 8, 2013 at 9:57 AM, Marc Deslauriers <[email protected]> wrote: > On 13-08-08 08:39 AM, Roberto Alsina wrote: >> Also, there is no plan whatsoever to display package signing errors because >> (I >> remember this too ;-) the signature would only be checked on upload, and then >> we'd trust that we are getting the packages securely via HTTPS. > > I don't think HTTPS is enough to be secure. We need to sign the package > checksum > with some sort of store key.
Do you think having split out the signature into the index metadata and verifying that the downloaded file matches with that would be a equal enough approach? -- Martin -- Mailing list: https://launchpad.net/~ubuntu-appstore-developers Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers More help : https://help.launchpad.net/ListHelp
