Bug 1576982 - Display repository GPG key fingerprint
Summary: Display repository GPG key fingerprint
Alias: None
Product: Copr
Classification: Community
Component: frontend
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: clime
QA Contact:
Depends On:
Reported: 2018-05-10 21:41 UTC by sedrubal
Modified: 2018-05-18 09:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-18 09:39:34 UTC


Description sedrubal 2018-05-10 21:41:32 UTC
Description of problem:

Currently users enable Copr repos on their machines and then they get asked whether they trust the repository's fingerprint. But users don't know the correct fingerprint and have to trust blindly.

Expected results:

The repository GPG key fingerprint should be displayed on each Copr project website.

Comment 1 clime 2018-05-18 09:39:34 UTC
If you look at the output of `dnf install`:

warning: /var/cache/dnf/pipiche-rspamd-c91fc61a66ec4118/packages/rspamd-1.7.4-3.fc28.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID b055dbfe: NOKEY
Importing GPG key 0xB055DBFE:
 Userid     : "pipiche_rspamd (None) <pipiche#rspamd@copr.fedorahosted.org>"
 Fingerprint: 64A6 2EA1 C8F6 7E42 6858 930D 7BBF 5E8F B055 DBFE
 From       : https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg
Is this ok [y/N]: 

The URL of the GPG key is displayed there: in this case https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg

So it's not a blind trust. You just need to additionally trust that https://copr-be.cloud.fedoraproject.org/results/pipiche/rspamd/pubkey.gpg really belongs to https://copr.fedorainfracloud.org/coprs/pipiche/rspamd/, which it does.
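
An added example, not part of the original bug report or of Copr's code: computing the version 4 OpenPGP fingerprint of a downloaded pubkey.gpg so that it can be compared with the Fingerprint line dnf prints, and showing that the key ID in the rpm warning is the tail of that fingerprint. It assumes the key file is ASCII-armored; the function names are hypothetical and the key material in SAMPLE is constructed toy data.

```python
import base64, hashlib, struct

def dearmor(text):
    """Return the binary OpenPGP data inside an ASCII-armored key block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:]            # armor headers end at the blank line
    # Keep base64 lines only: drop the END line and the optional "=XXXX" CRC-24.
    return base64.b64decode("".join(l for l in body if l and l[0] not in "-="))

def first_packet(data):
    """Return (tag, body) of the first packet, RFC 4880 section 4.2."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            n, off = first, 2
        elif first < 224:
            n, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            n, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                                         # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        n, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    return tag, data[off:off + n]

def fingerprint(key_bytes):
    """SHA-1 over 0x99, 2-byte length, packet body (v4 keys, RFC 4880 12.2)."""
    tag, body = first_packet(key_bytes)
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def short_key_id(fpr):
    return fpr[-8:]                               # the "key ID" shown in the rpm warning

def matches(fpr, shown):
    """Compare with a fingerprint as dnf prints it, in spaced groups of four."""
    return fpr == "".join(shown.split()).upper()

def _mpi(n):                                      # OpenPGP multiprecision integer
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")
# Constructed toy RSA key packet: not a real key and not the key from this bug.
BODY = b"\x04" + struct.pack(">I", 1525988492) + b"\x01" + _mpi(0xC0FFEE0123456789ABCDEF) + _mpi(65537)
SAMPLE = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % (
    base64.b64encode(b"\x99" + struct.pack(">H", len(BODY)) + BODY).decode())
```

To check a real key, pass the text of the downloaded pubkey.gpg to dearmor(), then give the result of fingerprint() and the Fingerprint line from the dnf prompt to matches().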
