Comment 1 for bug 1330770

Have we already defined what specific signature mechanism we want/need to implement server side? As far as I understand this we'll need the following

1. Upon upload of the click package, we compute a signature for it (what type of signature?)
2. We expose the computed signature somewhere public so that the click installer can compare it with it's own computation before installing the package.

Please add any particular specifics we should consider when implementing this.