On Thu, Aug 08, 2013 at 10:10:56AM -0300, Martin Albisetti wrote: > On Thu, Aug 8, 2013 at 9:55 AM, Colin Watson <[email protected]> wrote: > > If we're having the store sign the binary, that's news to me. It's > > would be possible, and it would basically amount to appending something > > to the file; but I thought that the store developers were maxed out on > > commitments already, and that we were going to be relying on transport > > security. > > I'm now trying to remember where all this conversation happened, as it > was very clear in my head but clearly not too far beyond that. > The plan was to have the signature in the index metadata, not appended > to the file, so on download the client can verify it.
This is no doubt possible but maybe we should revisit it. I certainly don't think that the server should modify the control or data elements of the package, but appending a signature seems tolerable and it would mean we could use existing tools rather than having to write new ones. -- Colin Watson [[email protected]] -- Mailing list: https://launchpad.net/~ubuntu-appstore-developers Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers More help : https://help.launchpad.net/ListHelp
