Changes

Apps/Security

45 bytes added, 02:00, 22 March 2012
bit of clarification
* Code is cryptographically signed by multiple parties
** Package (WebApp) maintainer (author / company)
** Package is signed by FTP masters (marketplace / store?)
* Signed packages / manifests are separate from binaries (HTML content)
** We need a way to verify that the WebApp content has not changed: each package has an MD5 and SHA1 checksum.* The runtime checks that the binary+signature match and that the signature originates from a trusted keyring public key (of the store)
* A user may choose to add more sources (stores)
* A user must add the source's keyring (an app that contains the store's public key?(s)) to disable warning about untrusted source
* To compromise an app with proper code signing requires the following extremely difficult tasks to be carried out:
*# compromise the site hosting the app
*# compromise the keys (- both the developer 's *and* FTP master(marketplace/store) signing the app (assuming you require app updates to be signed with the same key)
*# compromise or trigger the update mechanism for the app
*# wait for updates to trickle out without anyone noticing the previous steps.
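Review bot: the integrity bullet ("each package has an MD5 and SHA1 checksum") names two hash functions that both have practical collision attacks. Suggest specifying SHA-256 or stronger, and stating explicitly that the checksum is covered by the signature, since an unsigned checksum can be replaced along with the content it describes. The same line runs two bullets together at "checksum.* The runtime checks", so the runtime-verification item should start on its own line. In the key-compromise step, "(- both the developer 's *and* FTP master(marketplace/store) signing the app" has an unbalanced parenthesis and a stray space before "'s".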