3

When I try to install software in the Gnome environment of Linux (mine is openSUSE) from a repository that I have not used before, PackageKit asks me to respond "Yes" or "Cancel" to a dialog "Software signature is required".

How can I as a user or administrator get over the discomforts of this dialog? Or, how can Gnome correct them?

I'm not merely complaining. I mean, yes, this dialog makes me want to rant about all the dialogs that say, in effect: "Would you like to daydream instead? [Y] [N]"

But I actually want to know how to decide my answer to the dialog so that I can get software that I need from repositories while using my best judgment to authorize particular repositories or not. An important advantage of using repositories is that I'll be notified of updates.

  • I can only see that the dialog appears after my request to install software. I doubt that the information in the dialog proves that it relates to my request. If I conclude that the dialog appears because of my request, I may be committing the logical fallacy of post hoc ergo propter hoc.
  • The facts claimed in the dialog are not attributed to a specific information source. I don't know why those are the facts that I must verify.
  • I'm left to suppose that I must go check that the signature (meaning key, I suppose?) in the dialog matches the signature for the software source that I wanted. But nothing really gives me an address for that source that I can check up, or an idea of which of the many kinds of signature I'm looking for and where. The documentation page that I linked above says it's usually a GPG key. What little I know about GPG is that it's primarily used for email and that its method of providing security guarantees seems to require some subtle considerations.
  • I'm not actually given a "signature". I'm given:
    • a "signature URL" that is (I think) not actually a site where I can learn more;
    • a "signature user identifier" that looks like an email address but does not (I think) give me a good way to check whether I want to trust communications from whoever controls that address;
    • a "signature identifier" of eight hexadecimal digits which is (I think) not a cryptographic guarantee of anything.
derobert
  • 107,579
  • 20
  • 231
  • 279
minopret
  • 176
  • 1
  • 6
  • 2
    This dialog was discussed in the relevant mailing list in 2009, and you can find the discussion by a Google search for its subject line "this dialog sucks". As far as I can tell, it was not changed subsequent to that discussion and the best way to take it up with the project team now is via their Bugzilla. I suppose I'll do that later. https://bugzilla.gnome.org/enter_bug.cgi?product=gnome-packagekit –  Mar 04 '12 at 17:04
  • What I think we would really want to start from is a statement of the problem that packagekit faces (ideally including perspective from folks that work on it). I.e. more context, the use case(s) that users are faced with, and what the packagekit system knows, and what policy constraints they face. That would be a great question for sec.se – nealmcb Mar 05 '12 at 05:22

2 Answers2

2

That's a difficult question. Usability for this sort of thing is a challenging aspect of security.

Publishing the equivalent of just 32 bits of the hash ("signature identifier") seems like security theater that invites attackers to generate a signature whose hash matches the 32 bits, but is not the same one. The difficulty of doing that seems worth serious investigation.

The actual question of who to trust to write your software is another difficult decision, with significant security aspects. It depends a lot on your own security requirements. See the outsourcing / OWASP Secure Software Contract Annex question at IT Security - Stack Exchange for some of the aspects to consider, though that is geared at a different relationship between you and the supplier.

By the way, I think IT Security (where you originally posted this) is a better place for the discussion, while the bug report idea you comment on to is the way to pursue fixing it in the Linux world.

Community
  • 1
nealmcb
  • 766
  • 9
  • 16
2

It seems this dialog was literally designed to be a necessary evil. The maintainer considered the dialog necessary because "it covers us legally." I don't see a mention of exactly what risk must be covered, but I imagine that it is the assignment of responsibility for any ill consequences of adding a repository.

The dialog is evil in that, in those early discussions, every notable drawback that I can now think of, including those in the question above, was already brought up. The dialog was always known to be informationally inadequate. For example, the point was made that a GPG fingerprint is 160 bits, not 32 (thanks also to nealmcb for first bringing this point to my attention). If I understand correctly, the task of providing sufficient information for an informed choice of trusted repositories seemed hopeless due to the observed disuse of the GPG web of trust, upon the basis of which the underlying technologies for repositories purport to establish repository identities.

Here's a workaround. When the "Software signature is required" dialog appears, always say "no." Then initiate installation using a command-line installation tool instead, such as yum, rpm, apt, or dpkg.

I trust that the maintainer of the software will hardly take offense at these observations because he has accepted similar comments before without taking offense.

I think I'll attempt to make a constructive contribution in the Bugzilla.

minopret
  • 176
  • 1
  • 6