On Fri, Jun 27, 2014 at 9:30 AM, Marc Deslauriers <marc.deslauri...@canonical.com> wrote: > Here's the basic outline of how I think we should do this: > > https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning
Hi Marc, thanks for working on this. I agree with the general approach. I've made a few edits[1] to those steps because the download manager queues all downloads and the click scope may be dead at the time downloads are completed. But when starting a download, you can pass a command line to download manager and it gets run when the download is completed. So the click scope installs a small script called "install-helper" that calls packagekit and refreshes the dash with the new icons when the installation succeeds. So, to include signatures, it should be the click scope the one skipping the queue and downloading the detached signature and verifying its sha-512. And it should pass the path of the signature as a parameter of the command line for install helper that gets passed to download manager, and install helper should use it to call packagekit. [1] My edits are here: https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning?action=diff&rev1=2&rev2=3 cheers, -- alecu -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1330770 Title: click packages rely upon tls for integrity and authenticity To manage notifications about this bug go to: https://bugs.launchpad.net/software-center-agent/+bug/1330770/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
