Hi all, just a quick update on the status of package signing

staging:
- package signing is enabled
- all existing packages have been signed and re-uploaded (except those
  that were invalid click packages, as those bail out during signature
  verification)

production:
- package signing is enabled
- all existing packages have been signed and re-uploaded (except those
  that were invalid click packages, as those bail out during signature
  verification)

After all the signing was done, I've confirmed we have 0 published
uploads that are missing the signature.
We're now ready to start verifying click packages and their signatures
on the phone.

On Thu, Aug 7, 2014 at 4:42 PM, Martin Albisetti < [email protected]> wrote:
> Hi all,
>
> We have pushed click package signing to staging, and it'll now
> auto-sign any package that gets uploaded there.
> Currently, the only package that is signed is called "demo4". Within
> the next few days, all packages will be signed.
> The file hash is also captured and exposed, completing click package
> signing from the store's perspective (well, still needs to land on
> production :)).
>
> If you are working on a piece that will verify this on the client,
> please take some time to integrate into it, and make sure it works as
> expected.
> For staging, you will need to side-load the public key[1] into the
> device. I do not know how to do that, so whoever figures it out,
> please add the instructions to the wiki page[2].
> I understand side-loading the key is sub-optimal, and may cause some
> CI issues if pointed at staging.
> At present, that's the best we can do.
>
> The key for production will be in place next week, and if all goes
> well, production will start signing packages as well and soon after
> back-sign everything in the store.
> I expect things to keep on working if the client-side pieces haven't
> landed, or for outdated devices, as nothing will verify the signature.
>
> [1] http://paste.ubuntu.com/7982318/
> [2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning
>
> --
> Martin
>
> --
> Mailing list: https://launchpad.net/~ubuntu-appstore-developers
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
> More help : https://help.launchpad.net/ListHelp

