Difference between revisions of "Application Signing"

From WebOS Internals
Line 1: Line 1:
 
Palm uses the following technique to verify the authenticity of a webOS application:
 
Palm uses the following technique to verify the authenticity of a webOS application:
  
  /usr/bin/ApplicationInstallerUtility -v -n -c install -p file.ipk
+
  ApplicationInstallerUtility -v -n -c install -p file.ipk
  /usr/bin/arm-none-linux-gnueabi-ar xv file.ipk
+
  arm-none-linux-gnueabi-ar xv file.ipk
  /usr/bin/openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt file.ipk_tmpdir/cert.pem
+
  openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem
  /usr/bin/openssl x509 -in file.ipk_tmpdir/cert.pem -pubkey > file.ipk_tmpdir/pubkey.pem
+
  openssl x509 -in cert.pem -pubkey > pubkey.pem
  /bin/cat file.ipk_tmpdir/control.tar.gz file.ipk_tmpdir/data.tar.gz file.ipk_tmpdir/debian-binary | \
+
  cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1
/usr/bin/openssl dgst -sha1 -verify file.ipk_tmpdir/pubkey.pem -signature file.ipk_tmpdir/signature.sha1
+
  ipkg -o /var -force-overwrite install file.ipk
  /usr/bin/ipkg -o /var -force-overwrite install file.ipk
 
  
 
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
 
Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.
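Review bot: in the `openssl verify`, `openssl x509` and `openssl dgst` lines, the new revision drops both the absolute binary paths and the `file.ipk_tmpdir/` prefix, so the listing no longer says where the extracted `cert.pem`, `pubkey.pem` and `signature.sha1` live. Suggest adding a sentence before the commands stating that everything after `ar xv file.ipk` runs in the directory the package was unpacked into. Joining the old `cat ... | \` continuation into one line reads fine, but the order `control.tar.gz data.tar.gz debian-binary` deserves a short comment, since the signature is checked over exactly that concatenation.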

Revision as of 12:36, 6 December 2009

Palm uses the following technique to verify the authenticity of a webOS application:

 ApplicationInstallerUtility -v -n -c install -p file.ipk
 arm-none-linux-gnueabi-ar xv file.ipk
 openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem
 openssl x509 -in cert.pem -pubkey > pubkey.pem
 cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1
 ipkg -o /var -force-overwrite install file.ipk

Preware.org maintains a similar certification process for developers of advanced homebrew packages whose installation scripts must run with root privileges.

The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.

The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan 5 10:51:08 2012 GMT.

The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.

To create a modified version of the Palm application installer that verifies Preware.org-signed packages:

 cp preware-ca-bundle.crt /etc/ssl/certs/
 # no -i here: write the patched copy to a new file and leave the original installer untouched
 sed -e 's/appsigning-bundle/preware-ca-bundle/' /usr/bin/ApplicationInstallerUtility > /usr/bin/PrewareInstallerUtility
 chmod ugo+x /usr/bin/PrewareInstallerUtility
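
The verification steps listed earlier on this page, gathered into one function that checks a package against either CA bundle before it is installed. This is an added example, not code from the wiki or from Palm; it assumes a host `ar` and `openssl` on the PATH, and the function name `verify_ipk` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the wiki): the page's verification steps as one
# function for checking a package on a workstation before installing it.
# Assumed: host `ar` and `openssl` on PATH; verify_ipk is a hypothetical name.

# verify_ipk IPK CA_BUNDLE : returns 0 only if every check passes.
verify_ipk() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "usage: verify_ipk IPK CA_BUNDLE" >&2; return 2; }
    ipk=$(cd "$(dirname -- "$1")" && pwd)/$(basename -- "$1")
    ca=$(cd "$(dirname -- "$2")" && pwd)/$(basename -- "$2")
    tmp=$(mktemp -d) || return 2
    (
        cd "$tmp" || exit 2
        ar x "$ipk" || exit 1
        # A package with any member missing is rejected outright.
        for m in debian-binary control.tar.gz data.tar.gz cert.pem signature.sha1; do
            [ -f "$m" ] || { echo "missing member: $m" >&2; exit 1; }
        done
        # Step 1: the embedded certificate must chain to the trusted bundle.
        # Require the explicit OK line as well as a zero exit status.
        out=$(openssl verify -CAfile "$ca" cert.pem 2>&1) || { echo "untrusted cert" >&2; exit 1; }
        case $out in *": OK"*) ;; *) echo "untrusted cert" >&2; exit 1 ;; esac
        # Step 2: check the signature with that certificate's public key.
        # -noout keeps only the key in pubkey.pem; the member order is fixed.
        openssl x509 -in cert.pem -pubkey -noout > pubkey.pem || exit 1
        cat control.tar.gz data.tar.gz debian-binary |
            openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 >/dev/null 2>&1 ||
            { echo "bad signature" >&2; exit 1; }
    ) && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh verify_ipk.sh file.ipk /path/to/ca-bundle.crt
if [ "$#" -eq 2 ]; then verify_ipk "$1" "$2"; fi
```

The signature step only proves the package matches the certificate it ships with; the trust decision rests on step 1, so the bundle passed as `CA_BUNDLE` should itself be checked against the fingerprints published above.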