Difference between revisions of "Application Signing"

From WebOS Internals
(New page: execve("/usr/bin/ApplicationInstallerUtility", ["ApplicationInstallerUtility", "-v", "-n", "-c", "install", "-p", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [→‎12 vars: ]) = 0 [...)
 
Line 1: Line 1:
 +
Palm uses the following technique to verify the authenticity of a webOS application:
 +
 
  execve("/usr/bin/ApplicationInstallerUtility", ["ApplicationInstallerUtility", "-v", "-n", "-c", "install", "-p", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */]) = 0
 
  execve("/usr/bin/ApplicationInstallerUtility", ["ApplicationInstallerUtility", "-v", "-n", "-c", "install", "-p", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */]) = 0
 
  [pid  4427] execve("/usr/bin/arm-none-linux-gnueabi-ar", ["/usr/bin/arm-none-linux-gnueabi-ar", "xv", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 1 var */]) = 0
 
  [pid  4427] execve("/usr/bin/arm-none-linux-gnueabi-ar", ["/usr/bin/arm-none-linux-gnueabi-ar", "xv", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 1 var */]) = 0
Line 6: Line 8:
 
  [pid  4442] execve("/usr/bin/ipkg", ["ipkg", "-o", "/media/cryptofs/apps", "-force-overwrite", "install", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */] <unfinished ...>
 
  [pid  4442] execve("/usr/bin/ipkg", ["ipkg", "-o", "/media/cryptofs/apps", "-force-overwrite", "install", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */] <unfinished ...>
  
An idea is to make a copy of ApplicationInstallerUtility, do a binary sed to replace /etc/ssl/certs/appsigning-bundle.crt with /etc/ssl/certs/trusted-homebrew.crt in the copy, and use that new binary to validate homebrew (especially homebrew that wants to run a postinst or prerm command).
+
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
 +
 
 +
The Preware.org root certificate has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec  7 10:11:22 2019 GMT.
 +
 
 +
The WebOS Internals signing certificate has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on  Jan  5 10:51:08 2012 GMT.
 +
 
 +
The Optware signing certificate has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan  5 10:57:55 2012 GMT.
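
Review bot: the sentence naming /etc/ssl/certs/trusted-homebrew.crt no longer appears in the new revision, and its replacement ("a similar certification process") does not say which CA bundle or which binary validates Preware-signed packages; state that explicitly so readers know what the three listed certificates are checked against. The fingerprint lines would also be easier to act on if each named the file the certificate ships in, so a reader can compare it with `openssl x509 -noout -fingerprint -sha1 -in <file>`.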

Revision as of 12:23, 6 December 2009

Palm uses the following technique to verify the authenticity of a webOS application:

execve("/usr/bin/ApplicationInstallerUtility", ["ApplicationInstallerUtility", "-v", "-n", "-c", "install", "-p", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */]) = 0
[pid  4427] execve("/usr/bin/arm-none-linux-gnueabi-ar", ["/usr/bin/arm-none-linux-gnueabi-ar", "xv", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 1 var */]) = 0
[pid  4429] execve("/usr/bin/openssl", ["openssl", "verify", "-CAfile", "/etc/ssl/certs/appsigning-bundle.crt", "/home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/cert.pem"], [/* 12 vars */]) = 0
[pid  4430] execve("/bin/sh", ["sh", "-c", "openssl x509 -in /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/cert.pem -pubkey > /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/pubkey.pem"], [/* 12 vars */]) = 0
[pid  4432] execve("/bin/sh", ["sh", "-c", "/bin/cat /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/control.tar.gz /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/data.tar.gz /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/debian-binary | openssl dgst -sha1 -verify /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/pubkey.pem -signature /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/signature.sha1"], [/* 12 vars */] <unfinished ...>
[pid  4442] execve("/usr/bin/ipkg", ["ipkg", "-o", "/media/cryptofs/apps", "-force-overwrite", "install", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */] <unfinished ...>
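
The checks in the trace above can be replayed by hand. This added example (not part of the original page or of Palm's tooling) runs the same three openssl steps on an already-extracted package directory; the function names, return codes and the self-signed sample certificate, which serves as its own trust bundle, are constructed for illustration.

```shell
#!/bin/sh
# Added example: replays the checks from the strace on an extracted package
# directory (the trace unpacks the .ipk with `ar xv` before these steps).

# verify_ipk_dir DIR CAFILE
# Returns 0 if both checks pass, 1 if the signer certificate is not trusted,
# 2 if the public key cannot be extracted, 3 if the signature does not match.
verify_ipk_dir() {
    d=$1; bundle=$2
    # 1. cert.pem must chain to the trusted bundle.
    openssl verify -CAfile "$bundle" "$d/cert.pem" >/dev/null 2>&1 || return 1
    # 2. Pull the signer's public key out of cert.pem (-noout keeps the
    #    certificate body out of pubkey.pem; the traced command omits it).
    openssl x509 -in "$d/cert.pem" -noout -pubkey > "$d/pubkey.pem" 2>/dev/null || return 2
    # 3. SHA-1 signature over the members concatenated in the traced order.
    cat "$d/control.tar.gz" "$d/data.tar.gz" "$d/debian-binary" |
        openssl dgst -sha1 -verify "$d/pubkey.pem" \
            -signature "$d/signature.sha1" >/dev/null 2>&1 || return 3
    return 0
}

# make_sample DIR: constructed stand-in for an extracted package, signed by a
# throwaway self-signed certificate (assumption: not a real Palm package).
make_sample() {
    s=$1
    mkdir -p "$s"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-signer" \
        -keyout "$s/key.pem" -out "$s/cert.pem" 2>/dev/null
    printf 'constructed control\n' > "$s/control.tar.gz"
    printf 'constructed data\n' > "$s/data.tar.gz"
    printf '2.0\n' > "$s/debian-binary"
    cat "$s/control.tar.gz" "$s/data.tar.gz" "$s/debian-binary" |
        openssl dgst -sha1 -sign "$s/key.pem" -out "$s/signature.sha1"
}

# Demo on constructed data.
tmp=$(mktemp -d)
make_sample "$tmp/pkg"
verify_ipk_dir "$tmp/pkg" "$tmp/pkg/cert.pem" && echo "chain and signature OK"
rm -rf "$tmp"
```

The two checks are independent: a package fails if its certificate does not chain to the bundle even when the signature matches, and fails if any of the three signed members changes even when the certificate is trusted.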

Preware.org maintains a similar certification process for developers of advanced homebrew packages that need to run installation scripts requiring root privileges.

The Preware.org root certificate has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.

The WebOS Internals signing certificate has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.

The Optware signing certificate has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.