Automatic printer driver download should support signed packages

Bug #604698 reported by Till Kamppeter
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
jockey (Ubuntu)
Medium
Martin Pitt
Natty
Medium
Martin Pitt

Bug Description

We have decided on doing signing of printer driver packages as described on

https://www.linuxfoundation.org/collaborate/workgroups/openprinting/writingandpackagingprinterdrivers#Signing_your_packages

section "Build a trusted path to distributions", point 3.

I have completed the support for signed packages on the OpenPrinting web site now. Manufacturers provide the signature key fingerprints are on their https://... web sites and the links to them are registered in the OpenPrinting database following this scheme:

In the Foomatic XML files for the drivers one simply adds 'fingerprint="[URL of key fingerprint]"' to the <package> tags. See the README files of foomatic-db and foomatic-db-engine.

Then on the OpenPrinting web site there appear "Signed" links. These links, lead to the correct key fingerprint as referenced in the Foomatic XML file. The links appear near all package download links, on both printer and driver pages. For an example see

http://www.openprinting.org/printer/Epson/Epson-EP_302
http://www.openprinting.org/driver/epson-ep-302/

Also the web query API makes the URLs to the key fingerprints available. See

http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml

for an example (<fingerprint> tags). Note that only the epson-escpr driver has signed packages, the gutenprint packages are not signed.

In addition, a new "onlysigneddriverpackages" filter option is now available in the web query API. This way one can make a printer setup tool listing only packages which are signed and have the signature key fingerprint available.

See the example:

http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml&onlysigneddriverpackages=1

Here you see that only packages of the epson-escpr driver are listed, and no packages of gutenprint, because only the epson-escpr packages are signed.

Can you add appropriate signature support to Jockey? If other packages need to be changed (like trusted signature lists), please add an appropriate task to this bug report.

Related branches

Changed in jockey (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti)
Changed in jockey (Ubuntu):
status: New → Triaged
Changed in jockey (Ubuntu):
status: Triaged → In Progress
assignee: Martin Pitt (pitti) → Till Kamppeter (till-kamppeter)
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Attached is a patch which also accepts signed packages from the OpenPrinting web server.

Changed in jockey (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-10.10
tags: added: patch
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

I have packaged up Jockey with the patches for this bug and bug 574396 applied. The debdiff for this package is attached. Can someone of the core developers please upload this package? Thanks.

Changed in jockey (Ubuntu):
status: In Progress → Fix Committed
Changed in jockey (Ubuntu):
assignee: Till Kamppeter (till-kamppeter) → Martin Pitt (pitti)
Revision history for this message
Martin Pitt (pitti) wrote :

Please note that this patch is insufficient. It merely filters requests for signed packages, but it does nothing to actually download the keys and install them into apt, so that the signatures will actually be verified.

Changed in jockey (Ubuntu):
status: Fix Committed → Triaged
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Attached is an updated debdiff.

As currently Jockey installs all packages, regardless whether they have a known signature or not, we restrict the acceptance of signed packages to manufacturers who actually have uploaded signed packages to OpenPrinting, currently only Epson. In Natty we will add real support for signed packages.

Changed in jockey (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

Sorry, last debdiff was wrong, here is the correct one.

Revision history for this message
Martin Pitt (pitti) wrote :

Note that this patch still doesn't do anything about actually fetching and installing the Epson key, so we still don't get any verification of the added archive. Also, the bug title/scope is much broader and applies to all printer drivers. This is definitively out of scope for Maverick, so I unset the milestone.

We need to discuss whether we should just ship the Epson key with the Jockey package, but that'd break as soon as the key gets changed.

Changed in jockey (Ubuntu):
importance: High → Medium
milestone: ubuntu-10.10 → none
status: Fix Committed → Triaged
Revision history for this message
Martin Pitt (pitti) wrote :

Either we'd need to always install the Epson key on all systems (which would be a bit overkill), or we need to ship a local "EpsonPrinterDriverHandler" handler which wraps this Epson case and on installation also installs the GPG key. However, the change for bug 574396 just made that impossible, we'd need to revert the speedup hack again.

Revision history for this message
Sebastien Bacher (seb128) wrote :

unsubscribing the sponsors since the bug seems to still need discussion

Revision history for this message
Till Kamppeter (till-kamppeter) wrote :
tags: added: patch-rejected
removed: patch
Martin Pitt (pitti)
Changed in jockey (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jockey - 0.7-0ubuntu1

---------------
jockey (0.7-0ubuntu1) natty; urgency=low

  * New upstream release:
    - Add support for repository fingerprints, and retrieve them from
      openprinting.org when available.
    - Allow binary drivers if they have a valid GPG fingerprint on a trusted
      https:// site. This is a lot weaker than our usual archive trust chain,
      but as it's very hard to get a chain of trust to printer driver vendors,
      relying on good SSL certificates is the next best step, and still much
      better than what the average user does when searching and downloading a
      driver by himself.
    - Add API for retrieving and installing a GPG key based on a fingerprint.
    - Merge add_repository() into install_package(), which is much more
      practical for verifying whether a package in a new repository ist
      trustworthy.
  * jockey/oslib.py, tests/oslib.py: Update for merged add_repository(), and
    implement GPG retrieval and repository trust checking. This now provides
    secure binary third-party drivers. (LP: #604698)
  * tests/oslib.py, test_ubuntu_package_header_modaliases(): Fix typo in
    regular expression which didn't catch "fglrx" before.
  * data/handlers/fglrx.py, data/handlers/nvidia.py: Disable these two
    handlers in a live system environment (if /rofs exists). We will most
    likely run out of RAM trying to download, build, and install all the
    packages in the RAM disk. (LP: #685017)
 -- Martin Pitt <email address hidden> Thu, 06 Jan 2011 19:13:24 +0100

Changed in jockey (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers