Application Signing

From WebOS Internals
Jump to navigation Jump to search

Palm uses the following technique to verify the authenticity of a webOS application:

ApplicationInstallerUtility -v -n -c install -p file.ipk
 ar xv file.ipk
 openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem
 openssl x509 -in cert.pem -pubkey > pubkey.pem
 cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1
 ipkg -o /var -force-overwrite install file.ipk maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.

The root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.

The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.

The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.

To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog.

The key to this is the status field, a value of 1 means that there's something new to install.

This is also the mechanism MetaDoctor uses to have apps installed on doctoring.

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "", "iconUrl": "", "iconFile": "", "ipkUrl": "", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');

This is an example of the minimum record contents required:

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "", "iconFile": "", "ipkUrl": "", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');

For jail configuration signing, see

bash-3.2$ cat jail_app.conf | ./ > sig
bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig 
bash-3.2$ cat
openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \
(echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----)

To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers: 4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf

(note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x)