Difference between revisions of "Application Signing"
Jump to navigation
Jump to search
| (12 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
Palm uses the following technique to verify the authenticity of a webOS application: | Palm uses the following technique to verify the authenticity of a webOS application: | ||
| − | + | ApplicationInstallerUtility -v -n -c install -p file.ipk | |
| − | + | ar xv file.ipk | |
| − | + | openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem | |
| − | + | openssl x509 -in cert.pem -pubkey > pubkey.pem | |
| − | + | cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 | |
| − | + | ipkg -o /var -force-overwrite install file.ipk | |
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges. | Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges. | ||
| Line 16: | Line 16: | ||
The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT. | The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT. | ||
| − | To | + | To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog. |
| − | + | ||
| − | + | The key to this is the status field, a value of 1 means that there's something new to install. | |
| + | |||
| + | This is also the mechanism MetaDoctor uses to have apps installed on doctoring. | ||
| + | |||
| + | INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }'); | ||
| + | |||
| + | This is an example of the minimum record contents required: | ||
| + | |||
| + | INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }'); | ||
| + | |||
| + | |||
| + | For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html | ||
| + | |||
| + | bash-3.2$ cat jail_app.conf | ./sign.sh > sig | ||
| + | bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig | ||
| + | bash-3.2$ cat sign.sh | ||
| + | openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ | ||
| + | (echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----) | ||
| + | |||
| + | To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers: | ||
| + | 4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf | ||
| + | |||
| + | (note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x) | ||
Latest revision as of 05:39, 17 July 2011
Palm uses the following technique to verify the authenticity of a webOS application:
ApplicationInstallerUtility -v -n -c install -p file.ipk ar xv file.ipk openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem openssl x509 -in cert.pem -pubkey > pubkey.pem cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 ipkg -o /var -force-overwrite install file.ipk
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.
The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.
The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.
To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog.
The key to this is the status field, a value of 1 means that there's something new to install.
This is also the mechanism MetaDoctor uses to have apps installed on doctoring.
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
This is an example of the minimum record contents required:
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html
bash-3.2$ cat jail_app.conf | ./sign.sh > sig bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig bash-3.2$ cat sign.sh openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ (echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----)
To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers: 4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf
(note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x)