[packagekit] GNOME summit and more about GPG keys

Tim Lauridsen tla at rasmil.dk
Wed Oct 10 01:19:01 PDT 2007


On Tue, 2007-10-09 at 21:11 -0400, Robin Norwood wrote:
> Hi,
> 
> So, I gave a little demo of PackageKit at the GNOME summit on Monday.
> It went well.  Nothing crashed.  :-)  There were some good questions and
> comments afterwards.  The response seemed positive to me.  There was a
> bit of a discussion about "How applications can install plugins with
> PackageKit".  For instance, gimp plugins and gstreamer codecs.  To be
> able to do this, we should probably have simple python and C bindings to
> install things with a semantic of "give me a package which provides
> 'x'".  The bindings we have now are pretty close, and maybe just example
> code needs to be easily available.
> 
> However, one problem is that there isn't a consistent cross-distro way
> that I know of to name these sorts of deps...so either distros will need
> to become consistent or the deps need to be generated and maintained
> somewhere.
> 
> Thoughts on this?
> 
> 
> Second, GPG signing - had a few discussions with RHers at the office
> today about GPG signing...everyone pretty much agrees that the current
> way to do it sucks.  Some ideas to fix it:
> 
> o Accepting a GPG signature should happen when you add a repository, not
> when you try to install a package.  yum repo config (not sure about
> other backends) can include a URL to the GPG key...so, a yum plugin
> could be created to check to see:
> 
>   - foreach repo:
>     - Is GPG checking enabled?
>     - Is the GPG key installed?
>     - If not, then do the prompt user thing (the repo_signature_required
>     signal)
> 
>   And if an unexpected GPG key occurs at some other time, probably just
>   error out...this way, the gpg check occurs early in the transaction,
>   instead of after PK goes away to think for awhile.
> 

The main problem here is that you don't know the key for the repo when
setting up the repo, so you can't check if the key is imported into the
rpm DB.
It works the following way:
* After some packages have been downloaded, first check if gpgcheck=1
for the repo the packages were downloaded from.
* If that is the case, then the signature for the package is checked;
there are 3 possible results of the check:
  1. The signature is ok.
  2. The signature is not ok.
  3. The signature can't be checked because there is no matching key in
the rpm db. This will launch a question to import a key, if a gpgurl is
defined; if the answer is yes, then the key will be imported into the
rpmdb and the package is rechecked.

So this can't be done upfront, because we don't know what key we need
before we have some packages to test.

There could be a case where the upstream key for a repo is changed to a
new one and needs to be imported into the rpm db, even if a key for the
repo has been imported before.

So there is no hard relation between repo & GPG keys, but there is a
relation between a signed package in a repo and a key in the rpmdb.

It could be solved if the rpms containing the repo definition also
imported the GPG keys into the rpm db when they were installed, but it
is not easy to do, because 'rpm --import' doesn't check if the key
exists already, it just imports it, so you can mess up your rpm db with
duplicate keys.

Tim
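The download-then-verify flow Tim describes above, as an added example that is not PackageKit or yum code: gpgcheck is consulted per repo, the signature check has the three outcomes (ok / bad / no matching key), a missing key triggers a prompt only when the repo defines a key URL, the package is rechecked after import, and the import is made idempotent so the rpm db cannot collect duplicate keys the way a bare 'rpm --import' allows. The key material, package bytes and the "fetched" repo key are all constructed inline, and an HMAC stands in for GPG signature verification so the script runs offline; the names Package, Repo, RpmDb and verify_downloaded are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class SigResult(Enum):
    OK = "ok"        # 1. signature verifies
    BAD = "bad"      # 2. signature does not verify
    NOKEY = "nokey"  # 3. no matching key in the rpm db


def key_id(material: bytes) -> str:
    """Short key id derived from the key material (stands in for a GPG key id)."""
    return hashlib.sha1(material).hexdigest()[-8:]


def sign(material: bytes, payload: bytes) -> str:
    """HMAC stand-in for a GPG signature; only the control flow matters here."""
    return hmac.new(material, payload, hashlib.sha256).hexdigest()


@dataclass
class Package:
    name: str
    repo: str
    payload: bytes
    signer_id: str   # key id the signature claims to be made with
    signature: str


@dataclass
class Repo:
    name: str
    gpgcheck: bool
    gpgkey: Optional[bytes]  # what fetching the repo's gpg key URL would return


@dataclass
class RpmDb:
    keys: Dict[str, bytes] = field(default_factory=dict)

    def import_key(self, material: bytes) -> bool:
        """Import a key only if its id is not already present; returns True if added.
        This is the duplicate check that a plain 'rpm --import' does not do."""
        kid = key_id(material)
        if kid in self.keys:
            return False
        self.keys[kid] = material
        return True


def check_signature(db: RpmDb, pkg: Package) -> SigResult:
    material = db.keys.get(pkg.signer_id)
    if material is None:
        return SigResult.NOKEY
    ok = hmac.compare_digest(sign(material, pkg.payload), pkg.signature)
    return SigResult.OK if ok else SigResult.BAD


def verify_downloaded(db: RpmDb, repo: Repo, pkg: Package,
                      ask_user: Callable[[str, str], bool]) -> str:
    """Post-download check: returns 'skipped', 'ok', 'bad' or 'nokey'."""
    if not repo.gpgcheck:
        return "skipped"
    result = check_signature(db, pkg)
    if result is SigResult.NOKEY and repo.gpgkey is not None:
        # The needed key is only known now, from the package that requires it.
        if ask_user(repo.name, key_id(repo.gpgkey)):
            db.import_key(repo.gpgkey)
            result = check_signature(db, pkg)  # recheck with the new key
    return result.value


def run_scenarios() -> Dict[str, object]:
    """Constructed scenario: a repo whose upstream signing key was rotated."""
    old_key = b"constructed-repo-key-2007"
    new_key = b"constructed-repo-key-2008"
    payload = b"constructed rpm payload bytes"
    pkg = Package("foo-1.0-1", "updates", payload, key_id(new_key), sign(new_key, payload))
    tampered = Package("foo-1.0-1", "updates", payload + b"!", pkg.signer_id, pkg.signature)

    db = RpmDb()
    db.import_key(old_key)  # a key for this repo was already imported earlier
    repo = Repo("updates", gpgcheck=True, gpgkey=new_key)
    out: Dict[str, object] = {}
    out["before_import"] = check_signature(db, pkg).value          # old key does not help
    out["user_declines"] = verify_downloaded(db, repo, pkg, lambda r, k: False)
    out["user_accepts"] = verify_downloaded(db, repo, pkg, lambda r, k: True)
    out["keys_in_db"] = len(db.keys)                                # old and new key
    out["reimport_added"] = db.import_key(new_key)                  # no duplicate
    out["tampered"] = verify_downloaded(db, repo, tampered, lambda r, k: True)
    out["gpgcheck_off"] = verify_downloaded(
        db, Repo("updates", gpgcheck=False, gpgkey=new_key), tampered, lambda r, k: True)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The rotated-key scenario is the point Tim makes: the db already holds a key for the repo, yet the freshly downloaded package still comes back as "no matching key", so the prompt-and-import step cannot be moved ahead of the download.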
