[packagekit] GPG keys

Robin Norwood rnorwood at redhat.com
Sat Oct 6 14:42:55 PDT 2007

Alexander Boström <alexander at bostrom.net> writes:

> tor 2007-10-04 klockan 20:20 +0100 skrev en okänd avsändare:
>> Looks good to me. We still need to work out the UI text for this,
>> ideas
>> welcome. Thanks! 
> Ok, I'll subscribe to the list and bite. I haven't really followed the
> discussion, but I hope my comments will be useful anyway. :)
> If you're installing some random package, then at least in the rpm case,
> you only have a key ID. That doesn't actually give you anything to
> import, so you either need to ask the user to locate the key, or find it
> automatically on some key server. Then you can ask if it's supposed to
> be trusted.
> If it's a "yum install" going on, yum will usually (but not always)
> provide a URL where you can fetch the key.
> How does this work in other package systems?
> Once the key is found, then:
> 1. If the URL for the key is in file://etc/pki/rpm-gpg/ (or similar in
> other systems) then don't even show the dialog! Just import the key
> silently. If the user has allowed something to place a key in /etc then
> there is no security to be gained from asking whether to import it.
> Anyone who wants to at least be notified about this can use the command
> line tools instead.

I agree with this.

> 2. If you got the key from somewhere else, then do ask. I think this is
> a proper dialog to show:
>   --- Software package installation (or something) ---
>   The software being installed claims to be packaged by
>   Red Hat, Inc <security at redhat.com> (1024D/DB42A60E)
>   This identity can verified or disproven using this signature:
>   CA20 8686 2BD6 9DFC 65F6  ECC4 2191 80CD DB42 A60E
>   Always trust this key when installing software?
>   (How do I verify this signature?)
> That gives the users all the information they need to do a proper
> security check of the key. It's also enough information for those who
> don't really bother to verify the key. Their (lesser) security isn't
> really based on keys at all, they decide what software they trust by
> clicking yes or no to the "Install this package?" question they get
> after clicking on a package link in their browser.
> The text between the parenthesises should be a link to a document
> describing the PGP security model. Once there's some kind of web of
> trust software that can help the user deal with this then the link can
> be replaced with something that uses or links to that software.
> There's another sticky point... What do you do if you can't find the
> key? If I'm installing foobar-release.rpm that contains and also is
> signed with the FooBar GPG key and that key isn't actually available on
> the key server, then what? You have no key signature to show the user,
> unless you dig it out of the RPM in a special case. Do you ask "Install
> anyway?", perhaps. You could ask the user to locate the key, but if all
> they do is download the key off the web without verifying it then you
> might as well just install the RPM without verifying the signature.

For yum, if the package is coming from a repo, then there's (usually) a
URL for the key.  The idea is that the user:

o Decides whether or not to trust 'whoever'.
o If they want to trust 'whoever', they go to the URL.
o They decide the website they are seeing is really owned by 'whoever'
    This is the tricky bit - all sorts of nastyness could be done here
    to present the user with a URL, and a web page, that looks like it
    could belong to the party the wish to trust.
o They compare the fingerprint at the given URL with the fingerprint
  they have been presented with.  If they match, then golden.

This scheme is far from perfect, but it does protect against some
attacks.  The big saving grace for this in my mind is that it should
only appear once for each repo the user adds.  If it appears when the
user isn't adding a repository, then that should be a red flag to the
user that something is amiss.  For instance, if I put up a naughty
fedora mirror that includes bad packages, everyone who connects to my
mirror will see this dialog when they don't expect to.  Some users might
just blindly click and be tricked, but more clueful users will realize
something is amiss and hopefully report the problem and get the bad
mirror shut down.

Also if I hack into an otherwise good Fedora mirror, the same logic
applies - I can put a bad package up, but users will get an unexpected
message, rather than automatically installing - remember all the users
who just chose the 'give me automatic updates' button?

Similarly, if some application asks PackageKit to install a package
signed with a different GPG key, at least this gives the user a pause.


Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching

More information about the PackageKit mailing list