[packagekit] GPG keys

Alexander Boström alexander at bostrom.net
Sat Oct 6 14:18:42 PDT 2007

tor 2007-10-04 klockan 20:20 +0100 skrev en okänd avsändare:
> Looks good to me. We still need to work out the UI text for this,
> ideas
> welcome. Thanks! 

Ok, I'll subscribe to the list and bite. I haven't really followed the
discussion, but I hope my comments will be useful anyway. :)

If you're installing some random package, then at least in the rpm case,
you only have a key ID. That doesn't actually give you anything to
import, so you either need to ask the user to locate the key, or find it
automatically on some key server. Then you can ask if it's supposed to
be trusted.

If it's a "yum install" going on, yum will usually (but not always)
provide a URL where you can fetch the key.

How does this work in other package systems?

Once the key is found, then:

1. If the URL for the key is in file://etc/pki/rpm-gpg/ (or similar in
other systems) then don't even show the dialog! Just import the key
silently. If the user has allowed something to place a key in /etc then
there is no security to be gained from asking whether to import it.
Anyone who wants to at least be notified about this can use the command
line tools instead.

2. If you got the key from somewhere else, then do ask. I think this is
a proper dialog to show:

  --- Software package installation (or something) ---
  The software being installed claims to be packaged by
  Red Hat, Inc <security at redhat.com> (1024D/DB42A60E)
  This identity can verified or disproven using this signature:
  CA20 8686 2BD6 9DFC 65F6  ECC4 2191 80CD DB42 A60E

  Always trust this key when installing software?
  (How do I verify this signature?)

That gives the users all the information they need to do a proper
security check of the key. It's also enough information for those who
don't really bother to verify the key. Their (lesser) security isn't
really based on keys at all, they decide what software they trust by
clicking yes or no to the "Install this package?" question they get
after clicking on a package link in their browser.

The text between the parenthesises should be a link to a document
describing the PGP security model. Once there's some kind of web of
trust software that can help the user deal with this then the link can
be replaced with something that uses or links to that software.

There's another sticky point... What do you do if you can't find the
key? If I'm installing foobar-release.rpm that contains and also is
signed with the FooBar GPG key and that key isn't actually available on
the key server, then what? You have no key signature to show the user,
unless you dig it out of the RPM in a special case. Do you ask "Install
anyway?", perhaps. You could ask the user to locate the key, but if all
they do is download the key off the web without verifying it then you
might as well just install the RPM without verifying the signature.


More information about the PackageKit mailing list