Qt Installer Framework / QTIFW-766

Allow signing/verification of metadata (package.xml)

Details

    • Task
    • Resolution: Unresolved
    • P2: Important
    • Some future release
    • None
    • General
    • None

    Description

      Right now an online installer relies solely on transport-level security (SSL) to verify the integrity of downloads. The data is also protected with a SHA1 checksum, but that is not true for the metadata.

      Instead we should sign the metadata with a certificate that the client installer can then verify.

      There's an attempt to add API to QtNetwork to allow this easily:

      https://codereview.qt-project.org/#/c/113855/
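
A sketch of the gap and the proposed fix, added here as an illustration and not taken from the issue or from the Qt Installer Framework code: a checksum carried in unauthenticated metadata still matches after both payload and metadata change, while a detached signature over the metadata does not verify. The file names, the XML layout, the throwaway key and the choice to pin the signer's public key (no chain validation) are all assumptions.

```shell
#!/usr/bin/env bash
# Added example. File names, XML layout and keys are constructed for
# illustration; this is not the Qt Installer Framework's real format.

make_signer() {      # $1 = dir; throwaway key, self-signed cert, pinned pubkey
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-repo-signer" \
    -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null &&
  openssl x509 -in "$1/signer.crt" -pubkey -noout > "$1/pinned.pub"
}

sha1_of() { openssl dgst -sha1 -r "$1" | cut -d' ' -f1; }

write_metadata() {   # $1 = metadata file, $2 = payload it describes
  printf '<Package><Name>demo</Name><SHA1>%s</SHA1></Package>\n' \
    "$(sha1_of "$2")" > "$1"
}

sign_metadata() {    # server side: $1 = private key, $2 = metadata file
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

verify_metadata() {  # client side: $1 = pinned public key, $2 = metadata file
  openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

payload_matches() {  # checksum-only check: $1 = metadata file, $2 = payload
  want=$(sed -n 's:.*<SHA1>\(.*\)</SHA1>.*:\1:p' "$1")
  [ -n "$want" ] && [ "$want" = "$(sha1_of "$2")" ]
}

demo() {
  d=$(mktemp -d) && make_signer "$d" || return 1
  printf 'genuine payload\n' > "$d/data.bin"
  write_metadata "$d/metadata.xml" "$d/data.bin"
  sign_metadata "$d/signer.key" "$d/metadata.xml"
  verify_metadata "$d/pinned.pub" "$d/metadata.xml" && echo "original: signature ok"
  # Payload and metadata are both altered after signing.
  printf 'replaced payload\n' > "$d/data.bin"
  write_metadata "$d/metadata.xml" "$d/data.bin"
  payload_matches "$d/metadata.xml" "$d/data.bin" && echo "modified: checksum still matches"
  verify_metadata "$d/pinned.pub" "$d/metadata.xml" || echo "modified: signature rejected"
  rm -rf "$d"
}
demo
```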

            People

              installerteam Installer Team
              kkohne Kai Köhne