[packagekit] Having a GPG auth dialog that doesn't suck

Richard Hughes hughsient at gmail.com
Tue May 20 08:59:33 PDT 2008


At the moment when packages are unsigned we present the user with a very
ugly UI and ask them to verify manually if the hex keys presented
actually match up with a random webpage somewhere. Nobody ever does, and
people just click "Okay" to get the package installed.

Ideally, we would just get all distros to pre-import all keys for repos,
and then users wouldn't have to worry about the auth at all - unless an
unsigned or untrusted package somehow made it into the repo, in which
case we can show a scary dialog.

Politically and legally this is pretty impossible; for instance, Fedora
can't even mention livna, let alone import a key, or else lots of lawyers
get very upset.

So, we have to say to the user "This key is already known - it's
probably okay to import. [more details] <Import>" and for unknown keys a
much scarier warning. We're not saying "use this" -- we're saying "we
know about this and trust the localised description".

So, we can't trust much in the key apart from its ID and fingerprint -
anything else can be spoofed. So we need a trusted path to look up if a
key is "known" and also a localised description to tell the user
something useful.

This out-of-band information could be downloaded from the internet as an
xml file, but at the key import point we might not have an internet
connection, plus things running as root probably shouldn't be
downloading random xml files from the net.

So, I suggest adding this data to packagekit (not gnome-packagekit),
something like the following:

  <signature id="4F2A6FD2">
    <_name>Fedora Project</_name>
    <_description>Fedora is a Linux-based operating system that showcases the latest in free and open source software</_description>
    <url>http://fedoraproject.org/keys</url>
    <user>Fedora Project &lt;fedora at redhat.com&gt;</user>
    <pub_date>2003-10-27</pub_date>
    <fingerprint>CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2</fingerprint>
  </signature>

or:

[4F2A6FD2]
Name=Fedora Project
Description=Fedora is a Linux-based operating system that showcases the latest in free and open source software
Url=http://fedoraproject.org/keys
User=Fedora Project <fedora at redhat.com>
PubDate=2003-10-27
Fingerprint=CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2

This means we can localise the name and description and also tell the
user if the key is one that is likely to be good. The xml or key=value
can be trivially parsed in gpk-client-gpg.c so nothing much else needs
to be changed.
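As an added example (not code from the mail or from PackageKit's gpk-client-gpg.c), here is a small parser for the key=value layout above together with a lookup that only reports a key as "known" when both its ID and its full fingerprint match an entry. The sample database is constructed for the example: it contains the Fedora entry from the mail plus an all-zero placeholder entry that is not a real key. The lookup also checks that the key ID is the tail of the fingerprint, because for OpenPGP v4 keys the 8-hex-digit ID is just the low 32 bits of the fingerprint and is cheap to forge on its own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One entry of the signature database, mirroring the proposed key=value layout. */
struct sig_info {
    char id[16];
    char name[128];
    char description[256];
    char url[128];
    char user[128];
    char pub_date[16];
    char fingerprint[64];
};

/* Constructed sample database: the Fedora entry from the mail plus an
 * invented placeholder entry (not a real key) to show several sections. */
static const char sample_db[] =
    "[4F2A6FD2]\n"
    "Name=Fedora Project\n"
    "Description=Fedora is a Linux-based operating system that showcases the latest in free and open source software\n"
    "Url=http://fedoraproject.org/keys\n"
    "User=Fedora Project <fedora at redhat.com>\n"
    "PubDate=2003-10-27\n"
    "Fingerprint=CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2\n"
    "\n"
    "[00000000]\n"
    "Name=Example Repo (placeholder, not a real key)\n"
    "Fingerprint=0000 0000 0000 0000 0000  0000 0000 0000 0000 0000\n";

/* Keep only hex digits, upper-cased, so "cab4 4b99" and "CAB44B99" compare equal. */
void normalize_fingerprint(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in != '\0' && n + 1 < outlen; in++)
        if (isxdigit((unsigned char)*in))
            out[n++] = (char)toupper((unsigned char)*in);
    out[n] = '\0';
}

/* Parse "[ID]" sections with Key=Value lines; returns the number of entries filled. */
int parse_signature_db(const char *text, struct sig_info *out, int max)
{
    int count = 0;
    struct sig_info *cur = NULL;
    char line[512];

    while (*text != '\0') {
        size_t full = strcspn(text, "\n");              /* length of this line */
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += full;
        if (*text == '\n')
            text++;
        while (len > 0 && isspace((unsigned char)line[len - 1]))
            line[--len] = '\0';                          /* drop trailing CR/space */
        if (len == 0 || line[0] == '#')
            continue;                                    /* blank line or comment */

        if (line[0] == '[' && line[len - 1] == ']') {    /* new [ID] section */
            if (count >= max)
                break;
            cur = &out[count++];
            memset(cur, 0, sizeof *cur);
            line[len - 1] = '\0';
            snprintf(cur->id, sizeof cur->id, "%s", line + 1);
            continue;
        }
        if (cur == NULL)
            continue;                                    /* Key=Value before any section */
        char *eq = strchr(line, '=');
        if (eq == NULL)
            continue;
        *eq = '\0';
        const char *key = line, *value = eq + 1;         /* value may itself contain '=' */
        if (strcmp(key, "Name") == 0)             snprintf(cur->name, sizeof cur->name, "%s", value);
        else if (strcmp(key, "Description") == 0) snprintf(cur->description, sizeof cur->description, "%s", value);
        else if (strcmp(key, "Url") == 0)         snprintf(cur->url, sizeof cur->url, "%s", value);
        else if (strcmp(key, "User") == 0)        snprintf(cur->user, sizeof cur->user, "%s", value);
        else if (strcmp(key, "PubDate") == 0)     snprintf(cur->pub_date, sizeof cur->pub_date, "%s", value);
        else if (strcmp(key, "Fingerprint") == 0) snprintf(cur->fingerprint, sizeof cur->fingerprint, "%s", value);
    }
    return count;
}

/* Return the entry for a key only if ID and the full 40-hex-digit fingerprint both match,
 * and the ID is the tail of the fingerprint; otherwise NULL (treat as unknown). */
const struct sig_info *lookup_known_key(const struct sig_info *db, int n,
                                        const char *key_id, const char *fingerprint)
{
    char want[64], have[64], id_want[16], id_have[16];
    normalize_fingerprint(fingerprint, want, sizeof want);
    normalize_fingerprint(key_id, id_want, sizeof id_want);
    if (strlen(want) != 40 || strlen(id_want) != 8 || strcmp(want + 32, id_want) != 0)
        return NULL;                                     /* malformed or inconsistent input */
    for (int i = 0; i < n; i++) {
        normalize_fingerprint(db[i].fingerprint, have, sizeof have);
        normalize_fingerprint(db[i].id, id_have, sizeof id_have);
        if (strcmp(id_have, id_want) == 0 && strcmp(have, want) == 0)
            return &db[i];
    }
    return NULL;
}

int main(void)
{
    struct sig_info db[8];
    int n = parse_signature_db(sample_db, db, 8);
    const struct sig_info *hit = lookup_known_key(db, n, "4F2A6FD2",
        "CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2");
    printf("parsed %d entries; lookup: %s\n", n, hit ? hit->name : "unknown key");
    return 0;
}
```

The dialog text comes from the matched entry's Name and Description, so a key that matches on ID but not on fingerprint still gets the scary "unknown key" path rather than the friendly localised one.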

It does mean the signature data file has to be kept up to date by all
the distros, but I really don't think there are that many keys used by
the big trusted repos.

What do you think?

Richard.



