aura icon indicating copy to clipboard operation
aura copied to clipboard
verified publisher icon fosskers

Feature Request: GPGFetch

Open RubenKelevra opened this issue 1 year ago • 7 comments

I noticed that aura is lacking a function to automatically fetch unknown GPG keys from PKGBUILDs, which was kind of nice that paru would handle that automatically.

$ man paru.conf | grep "PgpFetch" -A1
       PgpFetch
              Prompt to import unknown PGP keys from the validpgpkeys field of each PKGBUILD.

I was wondering if Aura could get a similar function, maybe with some more security in mind. So the user would acknowledge the GPG key-id on import and if the key-id in the PKGBUILD changes, there would be a warning message that this happened, which the user needs to acknowledge, too, before the new key is presented as to be imported.

Currently the build just fails at the time the GPG key needs to verify the source file:

$ aura -A firefox-nightly-de-bin
[...]
==> Validating source files with sha512sums...
    firefox-nightly.desktop ... Passed
    policies.json ... Passed
==> Validating source_x86_64 files with sha512sums...
    firefox-131.0a1.de.linux-x86_64.tar.bz2 ... Skipped
    firefox-131.0a1.de.linux-x86_64.tar.bz2.asc ... Skipped
==> Verifying source file signatures with gpg...
    firefox-131.0a1.de.linux-x86_64.tar.bz2 ... FAILED (unknown public key E36D3B13F3D93274)
==> ERROR: One or more PGP signatures could not be verified!
aura :: Package failed to build, citing:

  makepkg failed.

aura :: Action cancelled.

RubenKelevra avatar Aug 21 '24 14:08 RubenKelevra

While such a feature would be quite convenient, it also poses a security risk. I can see many users impatiently accepting the key just to get on with their lives, and I'm not sure it's right to enable that behaviour.

fosskers avatar Aug 21 '24 20:08 fosskers

Maybe display a disclaimer each time that's done? People will accept whatever keys anyway if they wanna install something anyway, and arch users should also know that they should be responsible.

ghost avatar Aug 24 '24 04:08 ghost

While such a feature would be quite convenient, it also poses a security risk. I can see many users impatiently accepting the key just to get on with their lives, and I'm not sure it's right to enable that behaviour.

There's no difference in terms of security, regardless if Aura does the import or an "impatient user" would paste some random commands on the console.

I think a well designed prompt would potentially improve security here, as @stereomato points out.

RubenKelevra avatar Aug 24 '24 09:08 RubenKelevra

A safer approach is to use a separate keyring for AUR packages, instead of automatically dumping keys into the user's keyring. This can be passed on to makepkg with the GNUPGHOME environment variable.

This also requires no additional prompts to annoy the user.

AladW avatar Aug 29 '24 17:08 AladW

A safer approach is to use a separate keyring for AUR packages, instead of automatically dumping keys into the user's keyring. This can be passed on to makepkg with the GNUPGHOME environment variable.

This also requires no additional prompts to annoy the user.

Agreed. I think that's what paru is doing as well, isn't it? 🤔

RubenKelevra avatar Aug 30 '24 07:08 RubenKelevra

I think paru naively imports keys into the user keyring. FWIW, I added it in aurutils here: https://github.com/aurutils/aurutils/pull/1180

AladW avatar Sep 11 '24 17:09 AladW

I think paru naively imports keys into the user keyring.

I don't think so, as I had to create a user key with gpg for aura, after using paru for a while on a fairly new system.

RubenKelevra avatar Sep 11 '24 18:09 RubenKelevra