[packagekit] GPG keys

Robin Norwood rnorwood at redhat.com
Tue Oct 2 11:23:37 PDT 2007


Hi,

Looking at this TODO:

*** Add a way to import GPG keys ***
In fedora, if you add a signed repo you have to agree to the GPG key.


Anyone have an opinion as to how this should be implemented?

My first guess is:

o Something requests that a packaged be installed.

o Backend detects that the package is signed with a GPG key that is not
  installed on the system.

o Backend returns an error for the package install 'missing GPG key
  "foo"'

o Backend generates a signal containing all the relevant GPG key info.

o User is presented with UI explaining the situation.

o Assuming the user agrees to install the GPG key, an 'install GPG key'
  action is generated, followed by a re-running of the original
  transaction.


The error code for the failed package install transaction could probably
include all of the requisite information for requesting the GPG
installation, but it seems more correct to me to have that passed via a
signal.

Also, the clients will have to remember the original transaction to
re-run it.

Also also, if more than one GPG key is required for a given transaction,
that means a lot of round trips, attempting the transaction and failing
each time.  Maybe the backend can detect this and just generate multiple
'GPG signature required' signals.

Thoughts?  I haven't looked at the code to implement this yet, so the
above could be a pipe dream.

-RN

-- 
Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching


More information about the PackageKit mailing list