Showing the GPG key

I didn't like writing this UI, but to get PackageKit into a couple of distros we need to be able to do a GPG handshake when we install a new repo. I'm questioning whether this is indeed a security measure, but for now I'll run with it.

GPG Check UI

The following UI will be shown when you try to install an external repo like livna or freshrpms after you've installed the foo-release rpm.

Does this make sense to people? It's designed for users who know what installing a new repository means, rather than new users who are just using the distro-supplied repos.

Rob Norwood is the dude working on the daemon code, and it's about half done I guess. Lots of code is flowing into git every day now.

Comments/flames as replies to the blog please. There's no anonymous posting as spammers like me too much. Thanks.

Published by


Richard has over 10 years of experience developing open source software. He is the maintainer of GNOME Software, PackageKit, GNOME Packagekit, GNOME Power Manager, GNOME Color Manager, colord, and UPower and also contributes to many other projects and open source standards. Richard has three main areas of interest on the free desktop: color management, package management, and power management. Richard graduated a few years ago from the University of Surrey with a Masters in Electronics Engineering. He now works for Red Hat in the desktop group, and also manages a company selling open source calibration equipment. Richard's outside interests include taking photos and eating good food.

One thought on “Showing the GPG key”

  1. You'll need to include a key signature in the dialog if it's to have any security advantage at all. Everything else can be forged. Users should be instructed to compare the key fingerprint and IGNORE the other information. Otherwise you may as well get rid of the dialog completely, as it will actually make the security worse.
