On 06/12/2013 04:29 PM, Martin Albisetti wrote:
> On Wed, Jun 12, 2013 at 6:24 PM, Jamie Strandboge <[email protected]> wrote:
>>
>> To be clear, in scenario 'a', the developer uploads a deb to the
>> appstore server with an embedded signed digest file that the server can
>> verify on upload as signed by the developer. At some later point, the
>> appstore server creates a signed hash of the deb such that in secure
>> mode the user's client device when installing the software will download
>> the signed hash and the deb and verify the appstore signature on the
>> hash and compare the hash to the downloaded deb. Is this correct?
>
>
> FWIW, for 13.10 the server won't have any capabilities to look at the
> binaries uploaded, so we won't be auto-verifying anything.
> Whether we do for 14.04 depends on the complexity of the verification,
> what we need to store to verify, etc.
>

If this is the case, the manual review process will need to perform this
step -- this will require safely obtaining the developer's public key and
running the verification tool on the deb.

-- 
Jamie Strandboge
http://www.ubuntu.com/
-- 
Mailing list: https://launchpad.net/~ubuntu-appstore-developers
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
More help   : https://help.launchpad.net/ListHelp
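The secure-mode client check described in the quoted scenario (verify the store's signature on the hash, then compare the hash to the downloaded deb), as an added example that is not part of the original thread or any appstore code. It assumes openssl with RSA/SHA-256 as a stand-in for the signing scheme, which the thread does not specify; `verify_download`, `make_fixture` and all file names are hypothetical, and the package is a constructed stand-in file.

```shell
#!/bin/sh
# Added example (not appstore code). Assumptions: openssl RSA/SHA-256 stands in
# for the signing scheme, which the thread does not specify; function and file
# names are hypothetical; the "deb" is a constructed stand-in file.

# verify_download PUBKEY HASHFILE SIGFILE DEB -> returns 0 only if both checks pass
verify_download() {
    pub=$1; hashfile=$2; sig=$3; deb=$4
    # 1. Authenticate the hash file first: an unsigned hash proves nothing.
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$hashfile" \
        >/dev/null 2>&1 || return 1
    # 2. Use only the digest field of the signed file; never trust a file
    #    name or path that may appear next to it.
    expected=$(awk 'NR==1 {print $1}' "$hashfile")
    actual=$(openssl dgst -sha256 -r "$deb" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# make_fixture DIR -> constructed store key pair, stand-in package, signed hash
make_fixture() {
    d=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/store.key" 2>/dev/null
    openssl pkey -in "$d/store.key" -pubout -out "$d/store.pub"
    printf 'constructed stand-in for a package\n' > "$d/app.deb"
    openssl dgst -sha256 -r "$d/app.deb" | awk '{print $1}' > "$d/app.sha256"
    openssl dgst -sha256 -sign "$d/store.key" \
        -out "$d/app.sha256.sig" "$d/app.sha256"
}

# Demo run on the constructed fixture.
demo=$(mktemp -d)
make_fixture "$demo"
verify_download "$demo/store.pub" "$demo/app.sha256" "$demo/app.sha256.sig" \
    "$demo/app.deb" && echo "untouched package: install allowed"
printf 'x' >> "$demo/app.deb"      # simulate modification after signing
verify_download "$demo/store.pub" "$demo/app.sha256" "$demo/app.sha256.sig" \
    "$demo/app.deb" || echo "modified package: install refused"
rm -rf "$demo"
```

The same two steps apply to the manual review case in the reply, with the developer's public key in place of the store key.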

