Difference between revisions of "Application Signing"

From WebOS Internals
Jump to navigation Jump to search
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
Palm uses the following technique to verify the authenticity of a webOS application:
 
Palm uses the following technique to verify the authenticity of a webOS application:
  
  execve("/usr/bin/ApplicationInstallerUtility", ["ApplicationInstallerUtility", "-v", "-n", "-c", "install", "-p", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */]) = 0
+
  ApplicationInstallerUtility -v -n -c install -p file.ipk
[pid  4427] execve("/usr/bin/arm-none-linux-gnueabi-ar", ["/usr/bin/arm-none-linux-gnueabi-ar", "xv", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 1 var */]) = 0
+
  ar xv file.ipk
[pid  4429] execve("/usr/ bin/openssl", ["openssl", "verify", "-CAfile", "/etc/ssl/certs/appsigning-bundle.crt", "/home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/cert.pem"], [/* 12 vars */]) = 0
+
  openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem
[pid  4430] execve("/bin/sh", ["sh", "-c", "openssl x509 -in /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/cert.pem -pubkey > /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/pubkey.pem"], [/* 12 vars */]) = 0
+
  openssl x509 -in cert.pem -pubkey > pubkey.pem
[pid  4432] execve("/bin/sh", ["sh", "-c", "/bin/cat /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/control.tar.gz /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/data.tar.gz /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/debian-binary | openssl dgst -sha1 -verify /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/pubkey.pem -signature /home/root/com.accuweather.palm_1.0.5_all.ipk_tmpdir/signature.sha1"], [/* 12 vars */] <unfinished ...>
+
  cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1
[pid  4442] execve("/usr/bin/ipkg", ["ipkg", "-o", "/media/cryptofs/apps", "-force-overwrite", "install", "/home/root/com.accuweather.palm_1.0.5_all.ipk"], [/* 12 vars */] <unfinished ...>
+
  ipkg -o /var -force-overwrite install file.ipk
  
 
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
 
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
  
The Preware.org root certificate has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec  7 10:11:22 2019 GMT.
+
The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec  7 10:11:22 2019 GMT.
  
The WebOS Internals signing certificate has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on  Jan  5 10:51:08 2012 GMT.
+
The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on  Jan  5 10:51:08 2012 GMT.
  
The Optware signing certificate has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan  5 10:57:55 2012 GMT.
+
The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan  5 10:57:55 2012 GMT.
 +
 
 +
To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog. 
 +
 
 +
The key to this is the status field, a value of 1 means that there's something new to install. 
 +
 
 +
This is also the mechanism MetaDoctor uses to have apps installed on doctoring. 
 +
 
 +
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
 +
 
 +
This is an example of the minimum record contents required:
 +
 
 +
INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');
 +
 
 +
 
 +
For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html
 +
 
 +
bash-3.2$ cat jail_app.conf | ./sign.sh > sig
 +
bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig
 +
bash-3.2$ cat sign.sh
 +
openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \
 +
(echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----)
 +
 
 +
To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers:
 +
4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf
 +
 
 +
(note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x)

Latest revision as of 04:39, 17 July 2011

Palm uses the following technique to verify the authenticity of a webOS application:

ApplicationInstallerUtility -v -n -c install -p file.ipk
 ar xv file.ipk
 openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem
 openssl x509 -in cert.pem -pubkey > pubkey.pem
 cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1
 ipkg -o /var -force-overwrite install file.ipk

Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.

The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.

The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.

The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.

To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog.

The key to this is the status field, a value of 1 means that there's something new to install.

This is also the mechanism MetaDoctor uses to have apps installed on doctoring.

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');

This is an example of the minimum record contents required:

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');


For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html

bash-3.2$ cat jail_app.conf | ./sign.sh > sig
bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig 
bash-3.2$ cat sign.sh
openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \
(echo -----BEGIN PKCS7----- ; sed -e '1,/^Content-Disposition:/d;/^-----/d;/^$/d'; echo -----END PKCS7-----)

To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers: 4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf

(note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x)