On 13-06-12 05:29 PM, Martin Albisetti wrote: > On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <[email protected]> wrote: >> >> To be clear, in scenario 'a', the developer uploads a deb to the >> appstore server with an embedded signed digest file that the server can >> verify on upload as signed by the developer. At some later point, the >> appstore server creates a signed hash of the deb such that in secure >> mode the user's client device when installing the software will download >> the signed hash and the deb and verify the appstore signature on the >> hash and compare the hash to the downloaded deb. Is this correct? > > > FWIW, for 13.10 the server won't have any capabilities to look at the > binaries uploaded, so we won't be auto-verifying anything. > Whether we do for 14.04 depends on the complexity of the verification, > what we need to store to verify, etc. >
This is quite unfortunate. Hopefully we'll be able to verify package signatures by the time 14.04 arrives, and retro-actively check packages that have been uploaded in the mean time. Marc. -- Mailing list: https://launchpad.net/~ubuntu-appstore-developers Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers More help : https://help.launchpad.net/ListHelp
