Sandstorm News

7 community-driven Sandstorm presentations in 2015

By Jade Wang - 17 Dec 2015

As 2015 comes to a close, I’d love to give a big shout-out to the members of the Sandstorm community who have spoken about Sandstorm. Here’s a YouTube playlist of the ones that we have videos of:

• Jack Singleton, author of HackerSlides and lead dev on SandForms, spoke at Chaos Communication Camp, and organized a Sandstorm booth at the Digital Rights in Libraries Conference.
• Audrey Tang, author of EtherCalc, gave a lightning talk at Ignite Open Data and also created a Chinese version of the speaker kit.
• Jon Spriggs spoke about Sandstorm at Oggcamp.
• Jeff Mendoza gave a lightning talk at GopherCon.
• James Cyrus, host of GeekblogTV, produced this tutorial on installing Sandstorm on your Digital Ocean droplet
• Jake Weisz, who packaged many apps and is super helpful in answering community questions on sandstorm-dev, spoke at the Chicago GNU/Linux Users Group as well as Open Source Open Mic.
• Deb Nicholson and Chris Webber (of MediaGoblin) gave a Sandstorm demo during their FOSDEM talk (Sandstorm demo starts at 24:57).

I made this list based on the page on the wiki. If you also gave a talk about Sandstorm this year and are just now adding yourself to the wiki, drop me a line on the mailing list, and I’ll update the post to include you. A huge thanks to everyone who has given a talk, as well as the folks in the brigade who show up everywhere on Hacker News, reddit, and request coverage of Sandstorm on the Linux Action Show. I heart all of you. If any of you happen to live in or travel through the SF Bay Area, you should share your work at a Sandstorm meetup or at least drop by.

Here are some ways to get involved in the community:

• Start a local Sandstorm meetup and spread the love: drop a line on the mailing list and let me know where you are.

• Give a Sandstorm talk at a local meetup or hackerspace or your work place: check out this speaker kit, and add your talk to the list.

• Subscribe to the shiny new Sandstorm YouTube channel

Stay tuned for App Market highlights of 2015!

Authenticated app packages on Sandstorm with PGP and Keybase

By Drew Fisher - 12 Nov 2015

I like to joke that Sandstorm is a security project posing as a usability project. In actuality, it’s both! Sandstorm users deserve to be confident that the apps they’re running are exactly as the packager built them, and have not been backdoored or accidentally modified by a malicious ISP, government, or other attacker. Furthermore, this information must be easy to consume and verify.

To that end, I’ve worked with Kenton to make it possible to provide a cryptographic chain of trust that connects the app package you’re installing to the app publisher’s online accounts. When you install the EtherCalc spreadsheet app, Sandstorm lets you see that the app was made by the same Audrey Tang that owns audreyt on Github and au on Keybase. Publisher information is shown front and center:

To make this all work, there are a few steps involved.

The app ID is a public key

Sandstorm has required that apps be signed since its inception, providing a first line of defense against package corruption. The app is signed with an app-specific Ed25519 key at package-building time. Sandstorm uses the public key as the app’s ID on the app market and your server.

This guarantees that app packages cannot be modified by a CDN or the app market without using a different app ID. This also had the nice effect of providing trust-on-first-use properties for apps until we were able to bind these identities to something more meaningful. The upshot: when you’ve installed an app, only the same app author can provide updates to it.

Connect the app ID to a PGP key

Since the release of the app market, app packagers have been PGP-signing statements that they are the author of the Sandstorm app with that app ID, and include that statement, their PGP public key, and the email address associated with that key in their package’s metadata. Since that metadata is in the Sandstorm package file signed by the Ed25519 key, any server running Sandstorm can verify that these statements were provided by the person or people who control that Ed25519 key. Additionally, since the statement is signed by the PGP key, there is a trust path from the owner of that PGP private key to the app you are installing. To defeat this, an attacker would need to convince an app author to replace both their signing statement and their PGP key in the package metadata with ones produced by the attacker.

Connect the PGP key to social identities

The next goal is to connect that PGP fingerprint to meaningful, real-world identities. While a handful of people might be able to rely on the web-of-trust to verify PGP fingerprints, most users will need something more approachable. That’s where Keybase comes in. Keybase helps you link PGP keys to social identities, like GitHub or Twitter accounts. App authors can create a Keybase account, then create signed proofs-of-ownership that they post to their social media pages or websites. Keybase provides an index of these proofs, so given a PGP fingerprint, you can list the accounts for which the PGP key’s owner has proven control.

The result: end-to-end verified apps

When you go to install a package, Sandstorm verifies that the package is correctly signed by the Ed25519 key. It looks for a PGP signature in the metadata, and verifies that the PGP-signed assertion is for the correct app ID and the email address specified in the metadata. It queries the Keybase API to see what accounts the packager has proven ownership of, and lists them with their links on the app install page.

Currently, the implementation of this feature trusts Keybase’s servers to verify proofs and return an accurate list of the signer’s identities. However, Keybase proofs are designed to be verifiable by third parties without trusting Keybase, and we plan to extend Sandstorm to do this, thus eliminating Keybase itself from the trust chain.

So that’s how Sandstorm links app packages to their creators’ social identities, with cryptographic verification at each step along the way, with no additional action needed by end users. This is software authenticity that Just Works, and it’s available today for all Sandstorm users and packages in the App Market. Today is a good day to install Sandstorm on your own server or sign up for our managed hosting.

Graphics and one-click installers for everyone

By Jade Wang and Asheesh Laroia - 10 Nov 2015

Open source web app developers build great apps. But sometimes, backend-minded developers need a little help, from making it easy for end users to install their apps to making their icons and other graphics visually appealing. To make open source web apps viable as an ecosystem, the apps must be easy to install and use, and to get the attention they deserve, they should have good-looking icons that convey the purpose of the app.

Graphics for everyone

Lately, we’ve been running an experiment – will app authors be interested in custom graphics, designed by Néna Nguyen at Sandstorm? So far, the response has been positive!

So I’m excited to announce we’ll do this for everyone who packages their app for Sandstorm: To support app authors, we are happy to help with graphics. This is on top of the one-click install for your app that Sandstorm enables, which works just as well in the cloud as it does for self-hosters (see below). For instance, Néna will make an icon for you if you need it. Check out this awesome icon set that Néna made for Wekan (kanban board):

Wekan (open source Trello alternative) icons in varying contexts. Check out Wekan on the App Market »

One-click installers for everyone

An app written using Meteor is the easiest to package – there’s a special tutorial for Meteor apps. If you input the URL of your GitHub repo below, we can even do a first-run of the packaging for you and ping you with a live demo featuring your own spk (Sandstorm package):

Meteor or not, any web app that runs on Linux can be packaged for Sandstorm. Get started with this documentation link.

Packaging docs »

Drop a line to [email protected] with any questions and we’ll make sure you succeed.

Upcoming Sandstorm meetups in Palo Alto & San Francisco

By Jade Wang - 22 Oct 2015

Live in the Bay Area or passing through? Come out and meet other awesome folks working on cool projects on Sandstorm.

We’ve got two meetups coming up on Weds., 10/28 in Palo Alto and Tuesday, 11/3 in San Francisco.

Sandstorm BBQ in the Park (Palo Alto)

RSVP link Time: 5:30 PM - 9PM-ish Date: Wednesday, October 28, 2015 (next Wednesday!) Where: John Boulware Park (street parking available) 390 Fernando Ave, Palo Alto, CA

• 5:30PM: BBQ in the park

• Dusk: When it gets too dark to eat, we can all head back to Sandstorm HQ (nearby) to hang out and have more unstructured discussions. Personally, I (Jade) want to see Citizen Four because I haven’t seen it yet. Come watch with me.

Hands-on Sandstorm Q&A (esp. app packaging), and lightning talks (San Francisco)

RSVP link Time: 6:00PM - 9:30PM Date: Tuesday, November 3, 2015 Where: ThoughtWorks HQ (near Powell St. BART) 814 Mission St, 5th Floor, San Francisco, CA

• 6 PM: If you want to talk tech details about Sandstorm, show up at six! Core developers, app packagers, self-hosters, and others will be helping each other with app packaging questions, installation issues, and more. We’ll have food!

• 8 PM: Lightning talks. Leave a comment to sign up for one!

• 8:30 PM - 9:30 PM: Socializing and informal Q&A.

Hope you can make it!

Hanselminutes features Sandstorm.io

By Jade Wang - 20 Oct 2015

Last week, Scott Hanselman interviewed Kenton Varda for his Hanselminutes podcast. Check out the half-hour interview in which they discuss Sandstorm, from big-picture vision (e.g., making the web safe for open source web apps) to how Sandstorm’s security features work.