Application Signing

Palm uses the following technique to verify the authenticity of a webOS application:

ApplicationInstallerUtility -v -n -c install -p file.ipk ar xv file.ipk openssl verify -CAfile /etc/ssl/certs/appsigning-bundle.crt cert.pem openssl x509 -in cert.pem -pubkey > pubkey.pem cat control.tar.gz data.tar.gz debian-binary | openssl dgst -sha1 -verify pubkey.pem -signature signature.sha1 ipkg -o /var -force-overwrite install file.ipk

Preware.org maintains a similar certification process for developers of advanced homebrew packages that require the execution of installation scripts that require root privileges.

The Preware.org root certificate (preware-ca-bundle.crt) has the following SHA1 fingerprint: 31:D8:23:35:20:86:B0:56:B4:D5:64:74:91:2B:8E:85:54:05:5E:FF and expires on Dec 7 10:11:22 2019 GMT.

The WebOS Internals signing certificate (org.webosinternals.crt) has the following SHA1 fingerprint: F7:DC:1C:87:68:E2:13:DB:84:6D:DA:A8:CC:50:B6:EF:6F:5B:79:D9 and expires on Jan  5 10:51:08 2012 GMT.

The Optware signing certificate (mobi.optware.crt) has the following SHA1 fingerprint: C6:82:F9:3A:EA:1E:E7:3A:B9:82:ED:91:1C:BF:11:77:AD:DB:A0:4F and expires on Jan 5 10:57:55 2012 GMT.

To install a signed package you insert the package's installation informaiton into the InstallHistory and the package will be downloaded and installed on the next system restart or the next time an app is queued for download by the app catalog.

The key to this is the status field, a value of 1 means that there's something new to install.

This is also the mechanism MetaDoctor uses to have apps installed on doctoring.

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "1.1.4", "title": "Preware", "vendor": "WebOS Internals", "vendorUrl": "http://www.webos-internals.org/", "iconUrl": "http://www.webos-internals.org/images/e/e4/Icon_Preware.png", "iconFile": "", "ipkUrl": "http://ipkg.preware.org/feeds/webos-internals/armv7/org.webosinternals.preware_1.1.4_arm.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');

This is an example of the minimum record contents required:

INSERT INTO "InstallHistory" VALUES('org.webosinternals.preware',-1,1,'{ "appId": "org.webosinternals.preware", "version": "", "title": "Preware", "vendor": "", "vendorUrl": "", "iconUrl": "http://get.preware.org/org.webosinternals.preware.png", "iconFile": "", "ipkUrl": "http://get.preware.org/org.webosinternals.preware.ipk", "ipkFile": "", "authToken": "-1", "deviceId": "-1", "catalogId": -1, "installDataPath": "/var/palm/data/com.palm.appInstallService/org.webosinternals.preware", "status": 1, "ticket": -1, "progress": 0, "errorCode": 0, "reason": "" }');

For jail configuration signing, see http://web.mac.com/nissplus/IslandOfApples/Creating%20Detached%20PKCS7%20Signatures%20Using%20OpenSSL.html

bash-3.2$ cat jail_app.conf | ./sign.sh > sig bash-3.2$ /opt/nova/bin/novacom put file://media/cryptofs/apps/usr/palm/applications/foo/jail_app.conf.sig < sig bash-3.2$ cat sign.sh openssl smime -binary -sign -signer org.webosinternals.crt -inkey org.webosinternals.key | \ (echo -BEGIN PKCS7- ; sed -e '1,/^Content-Disposition:/d;/^-/d;/^$/d'; echo -END PKCS7-)

To disable jailing for a specific service, put a line like the following in /var/palm/data/jailusers: 4999:5000:org.webosinternals.service:/dev/null:/etc/jail_native-palm.conf

(note that the above jail exclusion does not seem to work for PDK plugins on webOS 3.x)