[packagekit] GPG keys
rnorwood at redhat.com
Thu Oct 4 12:10:44 PDT 2007
Just checked in a first try at the RepoSignatureRequired signal. Only
supported in the dummy backend until I figure out how to do it for the
Also, comments + flames appreciated.
Richard Hughes <hughsient at gmail.com> writes:
> On Wed, 2007-10-03 at 09:58 -0400, Robin Norwood wrote:
>> Richard Hughes <hughsient at gmail.com> writes:
>> >> > Or rather: PK_ERROR_ENUM_GPG_FAILURE
>> >> Yes, that.
>> > Which probably needs to be renamed to be abstract.... ;-)
>> Yup. 'signature' is probably the right generic term.
> Yes, that's much better.
>> >> "SignatureRequired"?
>> >> "NeedSignature"?
>> >> "PackageSignatureImportRequest"?
>> > Ultimately, the backends will have repo controls, like:
>> > a(s=rid,s=description)=GetRepoList()
>> > RepoEnable(s=rid,s=value)
>> > RepoSetData(s=rid,s=data,s=value)
>> > So maybe RepoAuthenticationRequired, RepoAuthRequired or
>> > RepoValidateRequired would be best.
>> RepoSignatureRequired, or RepoSigRequired maybe...
> RepoSignatureRequired is good for me.
>> 'signature' is the best generic term, I think.
>> >> I have little knowledge of how other packaging systems handle
>> >> signatures, so it's hard for me to know what needs to be abstracted, and
>> >> what the full set of data might be available in a
>> >> "PackageSignatureImportRequest" for the various backends. I was just
>> >> going to go with what yum provides, and let others add to that. It
>> >> looks like yum deals with the key's url, userid, keyid, and timestamp.
>> > What does userid and timestamp convey?
>> It's the userid "Robin Norwood (Red Hat, Inc.) <rnorwood at redhat.com>"
>> and time stamp (creation date, IIRC) of the gpg key used to sign the
>> package. You'll want to show all four bits of info to the user when
>> asking her to import the key.
> Sure, we can add all of those to the callback. I don't see a harm in
> including all the fields, we can make it more abstract if and when
> another backend needs to do something slightly different.
>> >> > Hmm. I'm not so worried about round trips actually, the interaction with
>> >> > the user is going to be the slowest part by miles, and you'll want to be
>> >> > able to approve/deny each one. Plus you only have to do this once, ever.
>> >> Well, once per repository, but really the most Fedora users ever
>> >> encounter is two or maybe three. (Livna, et al)
>> > Sure, but updates and fedora should already be added. Livna is the only
>> > one this should apply to.
>> Maybe. IIRC, Fedora still doesn't import the GPG key until the first
>> time you run yum (or pirut, or PackageKit). Regardless, there shouldn't
>> ever be more than a couple.
> Cool. Hack away :-)
Red Hat, Inc.
"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching
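
The confirmation step discussed in this thread, as an added example that is not part of the original message and is not PackageKit code: a client receives the four key fields (url, userid, keyid, timestamp), checks them, builds the text shown to the user, and asks once per repository and key. The class, function and field names and the timestamp encoding are assumptions made for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class SignatureRequest:
    """Hypothetical payload; fields follow the thread, not a real PackageKit API."""
    repo_id: str
    key_url: str
    key_userid: str
    key_id: str
    key_timestamp: int  # assumed encoding: key creation time, seconds since epoch

def printable(text, limit=120):
    """Drop control, format and line-separator characters from key-supplied text."""
    return "".join(c for c in text if unicodedata.category(c)[0] != "C"
                   and c not in "\u2028\u2029")[:limit]

def build_prompt(req):
    """Return the confirmation text, or raise ValueError on malformed fields."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{8}){1,2}", req.key_id):
        raise ValueError("key id must be 8 or 16 hex digits")
    if req.key_timestamp < 0:
        raise ValueError("key timestamp must not be negative")
    created = datetime.fromtimestamp(req.key_timestamp, tz=timezone.utc)
    return "\n".join([
        f"Repository '{printable(req.repo_id)}' is signed with a key you have not imported.",
        f"Key URL:  {printable(req.key_url)}",
        f"User ID:  {printable(req.key_userid)}",
        f"Key ID:   {req.key_id.upper()}",
        f"Created:  {created:%Y-%m-%d} (UTC)",
    ])

class KeyApprovals:
    """Asks once per (repository, key) and remembers the approve/deny answer."""
    def __init__(self, ask):
        self._ask = ask          # callable(prompt_text) -> bool, e.g. a dialog
        self._decisions = {}

    def handle(self, req):
        slot = (req.repo_id, req.key_id.upper())
        if slot not in self._decisions:
            self._decisions[slot] = bool(self._ask(build_prompt(req)))
        return self._decisions[slot]

# Constructed sample values, not taken from any real repository or key.
SAMPLE = SignatureRequest("example-repo", "https://example.org/RPM-GPG-KEY-example",
                          "Example Signing Key <keys@example.org>", "89abcdef", 1191525044)

if __name__ == "__main__":
    print(build_prompt(SAMPLE))
```

The userid is free text chosen by whoever created the key, so it is filtered before display; otherwise an embedded newline could add a forged "Key ID" line to the prompt.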