Results 61 to 80 of 295
  1. spotter's Avatar
    #61  
    I think you're barking up the wrong tree

    as I said, the way a deb/ipk is created is basically this

    1) create a data.tar.gz based on filesystem (minus DEBIAN/ dir)
    2) create a control.tar.gz (based on DEBIAN/ stuff includes DEBIAN/control)

    assumption

    3) for signed ipk's, get a hash of the data.tar.gz and control.tar.gz and do a public key signature. I assume pubkey is the app's developer pubkey, signature.sha1 is a sha1 hash of the files and it being signed with the private key of the developer. and cert.pem probably plays together with it, probably to make the pubkey verifiable. once all this data is generated, it's "ar'd" together.

    my bet is that

    a) ipkg doesn't require the signature stuff (i.e. a manual installation via a non signed package works fine)
    b) packages installed via luna need it.

    now if ipkg can install your manually created via ar archive, then we can perhaps do something

    in LunaSysMgr there's an ApplicationInstaller class. seemingly it ignores cert.pem as it doesn't have any reference to it, but references everything else.

    a possible way to attack it, if it doesn't verify the pubkey then any pub/private key pair could work, all you would have to do is generate one, generate a private/public key pair store the public key in .pem format, create the signatures.sha1 file as appropriate, I assume it's plain text, but could be wrong, I assume it's a fairly standard format. sign it with our generated private key and just build the ar archive with all the files in place.

    now if they verify the public key as having been signed appropriately (aka need for cert.pem) then it's a different story and could be impossible to get a signed package.
  2. spotter's Avatar
    #62  
    see

    OpenSSL Command-Line HOWTO

    that should provide the info you need to figure out how to sign IF the pubkey doesn't have to get verified.

    aka set of strings

    openssl
    dgst
    -sha1
    -verify
    -signature

    which corresponds closely to a command in that page. as the idea is to not root the pre, one can't do the easy solution of wrapping the openssl command to return whatever is the "pass" exit code (presumably 0?) for homebrew packages.
  3. #63  
    Quote Originally Posted by dnor View Post

    SimplyFlipFlops, how did you come up with the URL to get it, and do you have any more for comparison? I'm assuming it was built with the SDK, and all other available application packages follow suit, but I may be wrong here.
    I was "tail -f /var/log/messages" trying to debug some work I was doing on the email application and seeing how the Luna calls were happening during findapps installs and I was also not completing the installations. If my memory serves me correctly, they also appear in your downloadhistory.db3 file if you have not completed the download (hitting cancel before the download finishes) and found the urls to the packages that way as well. To speed up url collection this data also appears in the update application's log posting for all applications you already have installed that have updates available. I won't post an exhaustive list, but you can find them this way.


    I am working on an email application modification that looks for attached ipk files in the email message's attachments and prompts an installation dialog pop-up. I am pretty close to modifying the email message-assistant.js for installing IPKs that come in as attachments but I backed out and started focusing my efforts on things that would be more successful for non rooted pre's after I found that a simple link emailed to myself worked flawlessly.


    Side note: How are people taking screen captures of their pre screens to share? I have a few.
  4. #64  
    Quote Originally Posted by thetoad View Post
    I sort of disagree with you on that last point.

    with that said, all ipk handling seems to be in luna, emails are launched via

    Message.launchAttachment = function(controller, url, error) {
        Mojo.Log.info("launching this ", url);
        controller.serviceRequest("palm://com.palm.applicationManager/open", {
            parameters: { target : 'file://' + url },
            onFailure: error
        });
    }

    in com.palm.app.email/app/models/Message.js
    This call is for attachments that have already been downloaded and moved into a temporary bucket (file:///var/luna/data/attachments/bucket-XX/) for emails, not links. I know this code well.
  5. spotter's Avatar
    #65  
    I was under the impression that links in browser didn't work, but attachments in email did? is it that links in browser don't work, but links in email do?
  6. #66  
    Quote Originally Posted by thetoad View Post
    I think you're barking up the wrong tree

    as I said, the way a deb/ipk is created is basically this

    1) create a data.tar.gz based on filesystem (minus DEBIAN/ dir)
    2) create a control.tar.gz (based on DEBIAN/ stuff includes DEBIAN/control)

    assumption

    3) for signed ipk's, get a hash of the data.tar.gz and control.tar.gz and do a public key signature. I assume pubkey is the app's developer pubkey, signature.sha1 is a sha1 hash of the files and it being signed with the private key of the developer. and cert.pem probably plays together with it, probably to make the pubkey verifiable. once all this data is generated, it's "ar'd" together.

    my bet is that

    a) ipkg doesn't require the signature stuff (i.e. a manual installation via a non signed package works fine)
    b) packages installed via luna need it.

    now if ipkg can install your manually created via ar archive, then we can perhaps do something

    in LunaSysMgr there's an ApplicationInstaller class. seemingly it ignores cert.pem as it doesn't have any reference to it, but references everything else.

    a possible way to attack it, if it doesn't verify the pubkey then any pub/private key pair could work, all you would have to do is generate one, generate a private/public key pair store the public key in .pem format, create the signatures.sha1 file as appropriate, I assume it's plain text, but could be wrong, I assume it's a fairly standard format. sign it with our generated private key and just build the ar archive with all the files in place.

    now if they verify the public key as having been signed appropriately (aka need for cert.pem) then it's a different story and could be impossible to get a signed package.
    You are on the right track here. "Seemingly ignores cert.pem" in the function call, but it COULD parse it internally as it's included in the file for a reason. My IPK bundles install via ipkg install command line but there's more logic behind the scenes in Luna (read: reboot) before the app makes it to the Launcher (unlike the link in the email installation method).
  7. #67  
    Quote Originally Posted by thetoad View Post
    I was under the impression that links in browser didn't work, but attachments in email did? is it that links in browser don't work, but links in email do?
    I have not been able to get attachments working yet. But I could be very very close. This method does not help out our non-rooted friends as it requires modifications to the email app.

    The only thing I have left is to appropriately call the Mojo.Service.Request function...

    this.controller.serviceRequest('palm://com.palm.appinstaller',{method: 'open',parameters: {'target': 'file:///var/luna/data/attachments/bucket-19/part-1/com.funkatron.app.spax.ipk','subscribe':true}});

    Mojo.Service.Request('palm://com.palm.appinstaller',{method: 'open',parameters: {'target': 'file:///var/luna/data/attachments/bucket-19/part-1/com.funkatron.app.spax.ipk','subscribe':true}});

    I have hard coded the file for testing but it can be passed dynamically via: response.uri

    The this.controller does not stop the routines as I have a "through" print to debug the log whereas the Mojo.Service.Request call crashes my routines and does not call my log function.
    Last edited by simplyflipflops; 06/21/2009 at 01:26 PM.
  8. xorg's Avatar
       #68  
    toad, it works with links in email but does not work as a file attachment in email.

    sff, cool that you are modding the email app to prompt, but that requires a rooted pre.

    I did a couple tests to clarify a few things..

    I tried to repackage speedbrain w/out sig/key and as expected it would not load under email link. I also extracted the whole package, repackaged it and used the sig/key that came with original and it loaded OK from email link. Nothing big but it does confirm packaging method I'm doing works from email links.
  9. xorg's Avatar
       #69  
    Quote Originally Posted by thetoad View Post
    now if ipkg can install your manually created via ar archive, then we can perhaps do something
    I've confirmed this works. I created a package manually with 'ar' and ipkg install works with it.
  10. #70  
    Quote Originally Posted by xorg View Post
    toad, it works with links in email but does not work as a file attachment in email.

    sff, cool that you are modding the email app to prompt, but that requires a rooted pre.

    I did a couple tests to clarify a few things..

    I tried to repackage speedbrain w/out sig/key and as expected it would not load under email link. I also extracted the whole package, repackaged it and used the sig/key that came with original and it loaded OK from email link. Nothing big but it does confirm packaging method I'm doing works from email links.
    ...This also confirms package signature is required.
  11. #71  
    More research on self signing....

    https://systemausfall.org/wikis/howt...ngIpkgPackages

    There is a section on signing at the bottom.
  12. spotter's Avatar
    #72  
    Quote Originally Posted by simplyflipflops View Post
    You are on the right track here. "Seemingly ignores cert.pem" in the function call, but it COULD parse it internally as it's included in the file for a reason. My IPK bundles install via ipkg install command line but there's more logic behind the scenes in Luna (read: reboot) before the app makes it to the Launcher (unlike the link in the email installation method).
    it would have to open it, and the program doesn't have the string in it.
  13. #73  
    Quote Originally Posted by thetoad View Post
    it would have to open it, and the program doesn't have the string in it.
    I believe it does when it untarballs it for installation.
  14. spotter's Avatar
    #74  
    so

    I can't seem to verify the sha1 hash via openssl so unsure what it's doing.

    can someone with a pre write a little wrapper around openssl so that all its options passed to it on exec() are dumped to disk so we can see how its called?

    something like

    #!/bin/sh
    # append the arguments of every invocation to the log
    echo "$@" >> /tmp/output
    # run the real binary with the arguments unchanged ("$@" already excludes $0, so no shift)
    exec /usr/bin/openssl.real "$@"
  15. spotter's Avatar
    #75  
    Quote Originally Posted by simplyflipflops View Post
    I believe it does when it untarballs it for installation.
    from what I can tell, the only code that references cert.pem is in openssl. there's nothing in the pre's code that deals with it.

    this would indicate that we can probably get around it if we figure out how the sha1 file is generated.
  16. spotter's Avatar
    #76  
    Quote Originally Posted by simplyflipflops View Post
    More research on self signing....

    https://systemausfall.org/wikis/howt...ngIpkgPackages

    There is a section on signing at the bottom.
    I don't think this is relevant. gpg creates an external signature file, these are internal to the package.
  17. xorg's Avatar
       #77  
    Just to confirm, here are the files in a stock app archive. Need to generate a cert, pubkey and sig. Could these be provided by Palm?

    rw-r--r-- 0/0 6582 Jun 18 00:44 2009 cert.pem
    rw-r--r-- 0/0 265 Jun 18 00:44 2009 control.tar.gz
    rw-r--r-- 0/0 877233 Jun 18 00:44 2009 data.tar.gz
    rw-r--r-- 0/0 4 Jun 18 00:44 2009 debian-binary
    rw-r--r-- 0/0 800 Jun 18 00:44 2009 pubkey.pem
    rw-r--r-- 0/0 512 Jun 18 00:44 2009 signature.sha1
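
Added example (not from the thread or from Palm's tooling): a small Python reader for the `ar` container described in posts #61 and #77, listing the members and reporting whether the three signing members are present. The sample archives are constructed with zero-filled placeholder members, and the status names are this example's own; it checks layout only and verifies no signature.

```python
AR_MAGIC = b"!<arch>\n"
REQUIRED = {"debian-binary", "control.tar.gz", "data.tar.gz"}
SIGNING = {"cert.pem", "pubkey.pem", "signature.sha1"}

def build_ar(members):
    """Pack (name, data) pairs into ar format; used only to construct the samples."""
    out = AR_MAGIC
    for name, data in members:
        # 60-byte header: name, mtime, uid, gid, mode, size, then the "`\n" trailer
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned
    return out

def list_members(blob):
    """Return [(name, size)] for every member of an ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    members, pos = [], 8
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = header[:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends "/"
        size = int(header[48:58].decode("ascii").strip())
        if pos + 60 + size > len(blob):
            raise ValueError("member %r is truncated" % name)
        members.append((name, size))
        pos += 60 + size + (size & 1)  # skip the pad byte after odd-sized members
    return members

def signing_status(blob):
    """Classify the layout: 'signed-layout', 'incomplete' or 'unsigned'."""
    names = {name for name, _ in list_members(blob)}
    if REQUIRED - names:
        raise ValueError("not an ipk: missing %s" % sorted(REQUIRED - names))
    found = SIGNING & names
    return "signed-layout" if found == SIGNING else "incomplete" if found else "unsigned"

# Constructed samples: zero-filled members, sizes loosely modelled on the listing above.
PLAIN = [("debian-binary", b"2.0\n"), ("control.tar.gz", bytes(265)),
         ("data.tar.gz", bytes(1001))]
SIGNED = build_ar(PLAIN + [("cert.pem", bytes(6582)), ("pubkey.pem", bytes(800)),
                           ("signature.sha1", bytes(512))])
UNSIGNED = build_ar(PLAIN)

if __name__ == "__main__":
    for name, size in list_members(SIGNED):
        print("%-16s %d" % (name, size))
    print(signing_status(SIGNED), signing_status(UNSIGNED))
```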
  18. #78  
    Quote Originally Posted by thetoad View Post
    so


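    #!/bin/sh
    # append the arguments of every invocation to the log
    echo "$@" >> /tmp/output
    # run the real binary with the arguments unchanged ("$@" already excludes $0, so no shift)
    exec /usr/bin/openssl.real "$@"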
    Give me more background on this...
  19. spotter's Avatar
    #79  
    Quote Originally Posted by xorg View Post
    Just to confirm, here are the files in a stock app archive. Need to generate a cert, pubkey and sig. Could these be provided by Palm?

    rw-r--r-- 0/0 6582 Jun 18 00:44 2009 cert.pem
    rw-r--r-- 0/0 265 Jun 18 00:44 2009 control.tar.gz
    rw-r--r-- 0/0 877233 Jun 18 00:44 2009 data.tar.gz
    rw-r--r-- 0/0 4 Jun 18 00:44 2009 debian-binary
    rw-r--r-- 0/0 800 Jun 18 00:44 2009 pubkey.pem
    rw-r--r-- 0/0 512 Jun 18 00:44 2009 signature.sha1
    cert is, pubkey is (or at least signed by palm), sig is generated by devel and signed by pubkey.
  20. spotter's Avatar
    #80  
    Quote Originally Posted by simplyflipflops View Post
    Give me more background on this...
    the idea is to figure out the complete set of options passed to openssl by lunasysmgr so we can figure out how it verifies the ipk.