[packagekit] GPG keys

Alexander Boström abo at kth.se
Sat Oct 6 15:53:52 PDT 2007

lör 2007-10-06 klockan 17:42 -0400 skrev Robin Norwood:

> For yum, if the package is coming from a repo, then there's (usually)
> a
> URL for the key.  The idea is that the user:
> o Decides whether or not to trust 'whoever'.
> o If they want to trust 'whoever', they go to the URL.
> o They decide the website they are seeing is really owned by 'whoever'
>     This is the tricky bit - all sorts of nastyness could be done here
>     to present the user with a URL, and a web page, that looks like it
>     could belong to the party the wish to trust.
> o They compare the fingerprint at the given URL with the fingerprint
>   they have been presented with.  If they match, then golden.

Yup! But by what process does the PackageKit GUI arrive at the key
signature to show the user? The key is in the package, but the package
isn't installed yet. But yeah, just make people upload their keys to a
key server.

> Some users might
> just blindly click and be tricked, but more clueful users will realize
> something is amiss and hopefully report the problem and get the bad
> mirror shut down.

Hmm... If you have a yum repo with a crooked mirror but a good URL for
the GPG key in the .repo file, then I believe that "yum update" or "yum
install foo" will not even ask to install whatever key the naughty
packages are signed with. It just doesn't know about about the key and
won't look for it.

PackageKit should probably not do that either. If it somehow tries to be
extra helpful in finding keys that yum (or some other underlying system)
doesn't find, then it should only look for keys for packages which are
not from a repo that has a gpgkey= setting. That way you can't trick the
user by setting up a crooked Fedora mirror or cracking the mirror
server. You can still trick the user by cracking the server hosting the
GPG key or by tricking them into adding a new repo, though.


More information about the PackageKit mailing list