Difference between revisions of "Application Signing"
| Line 31: | Line 31: | ||
For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html | For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html | ||
| − | bash-3.2$ cat jail_app.conf | ./sign.sh > sig | + | bash-3.2$ cat jail_app.conf | ./sign.sh > sig |
| − | bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig | + | bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig |
| − | bash-3.2$ cat sign.sh | + | bash-3.2$ cat sign.sh |
| − | openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ | + | openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ |
| − | (echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----) | + | (echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----) |
Revision as of 13:33, 19 December 2010
Palm uses the following technique to verify the authenticity of a webOS application:
ApplicationInstallerUtility -v -n -c install -p file.ipk ar xv file.ipk openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem openssl x509 -in cert.pem -pubkey > pubkey.pem cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 ipkg -o /var -force-overwrite install file.ipk
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.
The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.
The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.
To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog.
The key to this is the status field, a value of 1 means that there's something new to install.
This is also the mechanism MetaDoctor uses to have apps installed on doctoring.
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
This is an example of the minimum record contents required:
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html
bash-3.2$ cat jail_app.conf | ./sign.sh > sig bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig bash-3.2$ cat sign.sh openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ (echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----)