[Bug 604698] [NEW] Automatic printer driver download should support signed packages

Launchpad Bug Tracker 604698 at bugs.launchpad.net
Wed Sep 8 19:10:41 BST 2010 

You have been subscribed to a public bug by Till Kamppeter (till-kamppeter):

We have decided on doing signing of printer driver packages as described
on

https://www.linuxfoundation.org/collaborate/workgroups/openprinting/writingandpackagingprinterdrivers#Signing_your_packages

section "Build a trusted path to distributions", point 3.

I have completed the support for signed packages on the OpenPrinting web
site now. Manufacturers provide the signature key fingerprints are on
their https://... web sites and the links to them are registered in the
OpenPrinting database following this scheme:

In the Foomatic XML files for the drivers one simply adds
'fingerprint="[URL of key fingerprint]"' to the <package> tags. See the
README files of foomatic-db and foomatic-db-engine.

Then on the OpenPrinting web site there appear "Signed" links. These
links, lead to the correct key fingerprint as referenced in the Foomatic
XML file. The links appear near all package download links, on both
printer and driver pages. For an example see

http://www.openprinting.org/printer/Epson/Epson-EP_302
http://www.openprinting.org/driver/epson-ep-302/

Also the web query API makes the URLs to the key fingerprints available.
See

http://www.openprinting.org/query.php?type=driver&printer=Epson-
Stylus_SX200&moreinfo=1&format=xml

for an example (<fingerprint> tags). Note that only the epson-escpr
driver has signed packages, the gutenprint packages are not signed.

In addition, a new "onlysigneddriverpackages" filter option is now
available in the web query API. This way one can make a printer setup
tool listing only packages which are signed and have the signature key
fingerprint available.

See the example:

http://www.openprinting.org/query.php?type=driver&printer=Epson-
Stylus_SX200&moreinfo=1&format=xml&onlysigneddriverpackages=1

Here you see that only packages of the epson-escpr driver are listed,
and no packages of gutenprint, because only the epson-escpr packages are
signed.

Can you add appropriate signature support to Jockey? If other packages
need to be changed (like trusted signature lists), please add an
appropriate task to this bug report.

** Affects: jockey (Ubuntu)
     Importance: High
     Assignee: Till Kamppeter (till-kamppeter)
         Status: Fix Committed


** Tags: patch
-- 
Automatic printer driver download should support signed packages
https://bugs.edge.launchpad.net/bugs/604698
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is a direct subscriber.

More information about the Ubuntu-sponsors mailing list