[packagekit] Extending the RepoDetail signal
Anders F Björklund
afb at algonet.se
Thu Oct 7 05:21:21 PDT 2010
Richard Hughes wrote:
>> Does this make any difference between whether it is the rpm packages
>> that are signed, or if it is the repomd.xml metadata that is signed ?
>
> I think just the latter. If the files are unsigned in a signed repo,
> we should probably abort with an error. If they are unsigned in an
> unsigned repo, we just ask the user for the unsigned authentication,
> which is hopefully what happens now.
That is what currently happens in the backend, but not caught.
i.e. if you have it set in the backend and it fails, it Errors
* If you set a GPG fingerprint for the package channel, it
will verify the repomd.xml.asc when it updates the cache.
* If you set smart config rpm-check-signatures=True, it will
check the GPG signature when it installs the RPM package.
The repo signature is *not* checked, for the file signatures.
(and the "only_trusted" parameter is still unimplemented...)
> Certainly, for a user, anything more than a boolean "safe" and
> "unsafe" is probably overkill.
Actually it will only tell whether the repository is "signed"
or "unsigned". Any interpretation of safe depends on who did.
And in this case, the repository (metadata) will be unsigned
even if the packages (files) that it contains are all signed.
e.g. the Fedora repository is unsigned (so no happy "key"),
the openSUSE repository is signed (will show the key).
Of course nothing of this stops you from adding the Enum.
It was more a question of how it should be implemented...
--anders
More information about the PackageKit
mailing list