Update README with new security features

README.md

@@ -5,7 +5,8 @@ About
 **The OmniROM Project**'s nightly builds, making use of deltas when possible,
 to reduce the size of the download.
 
-There's no reason you couldn't use it for weeklies or monthlies as well though!
+There's no reason you couldn't use it for weeklies or monthlies or milestones as 
+well though!
 
 
 License
@@ -31,17 +32,6 @@ and so we also re-sign the decompressed ZIPs with the same keys used to build
 Android. We create a second diff between the unsigned and re-signed ZIP file,
 so if needed the client can re-create a properly signed ZIP file.
 
-At the time of this writing, that signature is not actually used. This is 
-because **OmniROM** doesn't use the public platform test keys, but private keys
-specific to **OmniROM**. The recovery running on your device will most likely
-not be built with these keys, and thus whole-file signature checking will 
-fail anyway (if enabled). So to save a bit of processing, this feature is
-turned off by default. The needed files are generated and the client knows how 
-to deal with them, so enabling this feature is just a configuration switch away.
-
-**TODO** Update this signature documentation and "secure mode". Signature 
-verification can now be enabled. 
-
 The produced delta files are pushed to the public download server, and the 
 current build is saved to a private location to serve as input for the next
 differential run. 
@@ -60,10 +50,70 @@ if you don't update for a number of builds, it can still reconstruct the latest
 build by chaining the deltas. It will check each delta if we already have 
 intermediate files present - perhaps we already performed the work for the last
 build but never flashed it, for example. Based on all this information it will
-device to either reconstruct the final flashable ZIP, or just download the
+decide to either reconstruct the final flashable ZIP, or just download the
 latest full OTA and flash that. 
 
-Flashing is currently tested only against **TWRP**.
+
+Compatibility
+-------------
+
+**OpenDelta** is developed for use with **TWRP**, and uses scripting to 
+accomplish its tasks. Other recoveries with *full* **OpenRecoveryScript** 
+*may* work as well, but are not tested against.
+
+**CWM** is not officially supported by **OpenDelta**, though if not 
+operating in **secure mode**, a script that *may* work with 
+*community-built* **CWM** versions is generated as well. *Official*
+**CWM** builds (acquired from the CWM website or installed by
+*ROM Manager*) are **not supported** as they disable scripting 
+capabilities. Even *if* this script works with your build, you may encounter 
+it using the wrong storage paths, failing verification, producing various 
+errors, etc.
+
+
+Security
+--------
+
+The OTA ZIPs that **OpenDelta** downloads or re-generates are stored on
+either internal or external storage. These locations are not secure, as any
+malicious app can write to these locations, and with some careful timing
+place its own update to be flashed instead of our update, thus gaining 
+full system access.
+
+Additionally, **OpenDelta** conveniently flashes ZIPs located in the
+**FlashAfterUpdate** subfolder of its storage. A malicious app could add
+its own ZIPs to the list, thus gaining full system access.
+
+**OpenDelta** has the capability to re-generate OTA ZIPs fully signed with
+your private keys (without knowing them). Assuming you aren't using a set
+of publicly known keys to sign your ZIPs (ouch!), this can be used to make 
+your update secure.
+
+Chances are that the recovery you are using does not have your public key
+built-in for whole-file verification purposes, and thus verification would fail. 
+This is why **OpenDelta** also provides the capability to inject your public 
+key into the recovery. This public key is provided to the recovery through
+the /cache partition, which non-privileged apps cannot write to.
+
+These features combined allows the recovery to verify the update signature
+securely without the chance of a malicious app hijacking either the update
+or the keys. However, this feature **only** works with **TWRP**, and the
+signatures will not be checked by non-*OpenRecoveryScript* recoveries. It
+also leaves open the **FlashAfterUpdate** hole, as ZIPs stored there by
+the user will (likely) not be signed with the same keys as your update,
+and thus their origins cannot be verified.
+
+If **OpenDelta** is configured with all the needed parts to re-generate the
+OTA ZIPs fully signed, and verify the signatures in recovery, then **secure
+mode** becomes available (whether or not it is enabled by default is also
+a configuration switch). In **secure mode**, the public key injection and 
+signature verification features are enabled, additional ZIPs from the 
+**FlashAfterUpdate** subfolder will **not** be flashed, and the 
+**CWM**-compatibile script will **not** be generated. Unless your recovery
+is compromised, this should provide for fully secure flashing.
+
+Of course, the user has the option to enable or disable this feature from the
+actionbar menu.
 
 
 Bad builds