Bug 843293 - which software is not signed by a trusted provider?
which software is not signed by a trusted provider?
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: gnome-packagekit (Show other bugs)
20
All Linux
medium Severity medium
: ---
: ---
Assigned To: Richard Hughes
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-25 21:10 EDT by Jeff Bastian
Modified: 2015-06-29 07:39 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-29 07:39:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
screenshot of gpk-update-viewer (1.24 MB, image/png)
2012-07-25 21:10 EDT, Jeff Bastian
no flags Details

  None (edit)
Description Jeff Bastian 2012-07-25 21:10:38 EDT
Created attachment 600420 [details]
screenshot of gpk-update-viewer

Description of problem:
When updating packages via gpk-update-viewer, if there's a package from an unsigned yum repo that needs to be updated, a vague and scary warning pops up saying a package is not from a trusted provider, but it does not say *which* package:

  The software is not signed by a trusted provider.
  Do not update this package unless you are sure it is safe to do so.
  Malicious software can damage your computer or cause harm.
  Are you *sure* you want to update this package?
      [ Close ]   [ Force install ]

At the moment, my system is trying to update 118 packages.  I have no clue which one is not trusted based on the dialog.

From trial and error, I discovered it's the chromium package from Tom 'spot' Callaway's repo:
  http://fedoraproject.org/wiki/Chromium

Version-Release number of selected component (if applicable):
gnome-packagekit-3.4.2-1.fc17.x86_64

How reproducible:
every time

Steps to Reproduce:
1. add a yum repo which is not signed, e.g.,
   http://repos.fedorapeople.org/repos/spot/chromium-stable/fedora-chromium-stable.repo
2. run gpk-update-viewer
  
Actual results:
vague dialog does not tell you which packages are not trusted

Expected results:
more details in the dialog explaining which packages are possible problematic

Additional info:
Comment 1 Jeff Bastian 2012-07-25 21:12:07 EDT
I see this was reported earlier in bug 569116 for Fedora 12, but it was never resolved and the bug eventually auto-closed as wontfix.
Comment 2 Jeff Bastian 2012-07-25 21:18:55 EDT
The cinnamon repo is another possible source of this error:

http://repos.fedorapeople.org/repos/leigh123linux/cinnamon/fedora-cinnamon.repo


Although, cinnamon was recently accepted in the regular Fedora repos so this may not be a good test case anymore.
Comment 3 Stef Walter 2012-09-03 02:01:00 EDT
I experienced this today on Fedora 17. In addition when denying an update of the somehow unsigned package, the entire update process stops with the odd message 'user declined interaction'.


Name        : gnome-packagekit
Arch        : x86_64
Version     : 3.4.2
Release     : 1.fc17
Size        : 11 M
Comment 4 Rob Riggs 2012-10-05 20:38:13 EDT
Same problem.  This is a) putting systems at risk because many users will just click on "Force Install" to update, b) preventing users from filing bug reports on improperly/signed packaged software, and c) potentially preventing users from filing bugs on real malware.

More information in the pop-up dialog is needed.
Comment 5 Adam Reid 2012-10-30 10:30:39 EDT
I had the same issue today. My updates came from 2 places fedora-updates (F17) and the pulp-project (pulp-v1-stable).

The pulp repos file indicates that gpg is off so I assume that the packages here were the ones that software update was warning me about. Specifically:


pulp-admin
pulp-client-lib
pulp-common
pulp-consumer

From this the pulp-v1-stable repo defined in/etc/yum.repos.d/fedora-pulp.repo

[pulp-v1-stable]
name=Pulp v1
baseurl=http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/fedora-$releasever/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0
Comment 6 Jeff Needle 2012-11-05 08:49:42 EST
I'm bumping the priority of this one up to medium before it falls through the cracks again.  It's been going on for years and has some security implications, as eloquently stated on comment 4.  All we need is to have the names of the unsigned package listed so the user can make an informed decision before hitting the "Force Install" button or abandoning the entire transaction.
Comment 7 Mark Harfouche 2013-02-18 15:34:36 EST
Just wanted to say that this is still an issue in Fedora 17.
Comment 8 Santi Calvo 2013-02-24 16:02:29 EST
It has just happened to me. I don't know if I have to do a "force install".
Comment 9 Mark Harfouche 2013-02-24 16:04:15 EST
If you are worried, you should run the update from the command line 

  sudo yum update 

It will list the packages to be installed.
Comment 10 Benjamin Hahne 2013-03-02 22:23:11 EST
No, "if you're worried" is not a solution.  As comment 4 clearly states, people will click "Force install" without being worried.  If some malware got into their system through this loophole, who would look bad, the individual, or those who decided that such a detail-free dialogue was appropriate?  This looks bad for Fedora when yet-to-be-converted people see it too, especially if they're tech-savvy.

Confirmed still exists in Fedora 18.
Comment 11 Omair Majid 2013-04-17 19:28:34 EDT
I ran into this today on Fedora 18.

I would like to see an option to skip the problematic package, if no other change in this dialog.

It would be nice to see more information about the package (such as description, maybe a list of what other installed/to-be-installed package depend on it) as well as whether the package is signed at all and if so, who signed it.

Without this information, this dialog is less-than-helpful.
Comment 12 boundstates 2013-04-23 04:14:30 EDT
Just experienced this (Fedora 17) and would like to add to the comments that are pointing this out as a potential security issue - simply adding the name of the package to the dialog would be a huge improvement, although personally I strongly agree with the idea of also allowing the user to skip the problem package(s) [comment 11].
Comment 13 Fedora End Of Life 2013-07-04 01:24:09 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 14 Jeff Bastian 2013-07-08 12:37:03 EDT
This is still a problem on F19
Comment 15 Jonathan Nicol 2014-07-18 18:34:20 EDT
this is still a problem on F20
Comment 16 Ken Stailey 2014-08-14 09:32:46 EDT
This is a problem on EL 7.
Comment 17 Fedora End Of Life 2015-01-09 12:16:55 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 18 Fedora End Of Life 2015-02-17 09:22:11 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 19 boundstates 2015-02-17 09:53:53 EST
This already been reported against F20 and EL7 [comment 15 and 16]. Submit this should not be closed purely on the EOL of F19.
Comment 20 Fedora End Of Life 2015-05-29 04:46:09 EDT
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 21 Fedora End Of Life 2015-06-29 07:39:50 EDT
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.