Ubuntu Tweak is a handy tool that makes configuring Ubuntu easier, and it has a growing number of users. I propose some enhancements to provide better PPA and key security.
We need a GPG key pair to sign and verify text files, so that the list of key hashes can be trusted. I prefer SHA128/256 as the hash for key file fingerprints, because some users consider MD5/SHA1 unreliable today. We are only verifying a handful of key files, so the extra cost of a stronger hash is bearable.
Now I will describe what actually happens when a user installs or upgrades Ubuntu Tweak.
The first time a user starts Ubuntu Tweak and opens the PPA tuning section, or whenever the key has been deleted from or changed in the user's keyring, we prompt the user to import our GPG public key into their keyring. Every time it runs, the application checks the current user's keyring for the fingerprint of the key whose ID is pre-shipped in our program (do not worry about someone tampering with this value; the procedure below verifies it).
Then we prompt the user that the application data, including the PPAs and their key definitions, needs to be updated online. UTCOM needs to publish a LATEST version file alongside the current version of the data. When UT checks for updates, it compares the LATEST version with its own and decides whether the data needs updating. This check can be done once or twice a week (and of course on the first run as well).
The data pack should contain the following content:
1. The public key fingerprint mentioned above; it is used to verify the key once the data pack has been extracted.
2. sources.list.d entries
3. PPA keys
4. PPA key fingerprints (hashes, perhaps SHA-256)
When the download finishes, the application first verifies the data package against its signature (this can be achieved with a separate text file containing the tar file's hash, with that text file signed by GPG). If everything checks out, it extracts the package, finds the GPG key fingerprint inside and compares it with the one installed on the system (the key we just used to verify the tar pack). If they match, we can trust the data and go on to check the hashes of the other key files.
Every time Ubuntu Tweak adds a PPA, it should check the PPA list it has downloaded and verified, so that the program never adds a PPA we have not checked.
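The verification flow above, as an added example that is not Ubuntu Tweak's own code: it assumes a manifest in sha256sum format (`<hex digest>  <filename>`) signed with a detached GPG signature, a placeholder pinned fingerprint, and that gpg's `--status-fd` output is used to confirm which key made the signature.

```python
import hashlib
import subprocess

# Placeholder for the fingerprint of the project's signing key that ships
# with the program; a real deployment would embed the project's own value.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"


def parse_gpg_status(status_output: str, pinned_fpr: str) -> bool:
    """Accept only a VALIDSIG made by the pinned key.

    gpg --status-fd prints '[GNUPG:] VALIDSIG <fpr> <date> ... [<primary fpr>]';
    the last field is the primary key when the signature came from a subkey.
    A GOODSIG line alone is not enough: any key in the keyring could produce one.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return pinned_fpr.upper() in {fields[2].upper(), fields[-1].upper()}
    return False


def gpg_verify(sig_path: str, data_path: str, pinned_fpr: str) -> bool:
    """Run gpg on the detached signature and pin the signer's fingerprint."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, pinned_fpr)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Map each listed key file to its expected SHA-256 digest."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def check_files(manifest: dict, files: dict) -> list:
    """Return the names of key files that are missing or whose hash differs."""
    return [name for name, expected in manifest.items()
            if files.get(name) is None or sha256_hex(files[name]) != expected]
```

Only after `gpg_verify` returns True for the manifest should `parse_manifest` and `check_files` be run over the extracted key files, and any PPA whose key is not listed in a clean manifest should be refused.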