Hi all,

We have pushed click package signing to staging, and it'll now auto-sign any package that gets uploaded there. Currently, the only package that is signed is called "demo4". Within the next few days, all packages will be signed. The file hash is also captured and exposed, completing click package signing from the store's perspective (well, still needs to land on production :)).

If you are working on a piece that will verify this on the client, please take some time to integrate into it, and make sure it works as expected. For staging, you will need to side-load the public key[1] into the device. I do not know how to do that, so whoever figures it out, please add the instructions to the wiki page[2].

I understand side-loading the key is sub-optimal, and may cause some CI issues if pointed at staging. At present, that's the best we can do.

The key for production will be in place next week, and if all goes well, production will start signing packages as well and soon after back-sign everything in the store. I expect things to keep on working if the client-side pieces haven't landed, or for outdated devices, as nothing will verify the signature.

[1] http://paste.ubuntu.com/7982318/
[2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning

--
Martin

--
Mailing list: https://launchpad.net/~ubuntu-appstore-developers

