[Bug 604698] Re: Automatic printer driver download should support signed packages

Martin Pitt martin.pitt at ubuntu.com
Mon Sep 13 10:12:31 BST 2010


Please note that this patch is insufficient. It merely filters requests
for signed packages, but it does nothing to actually download the keys
and install them into apt, so that the signatures will actually be
verified.

** Changed in: jockey (Ubuntu)
       Status: Fix Committed => Triaged

-- 
Automatic printer driver download should support signed packages
https://bugs.launchpad.net/bugs/604698
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.

Status in “jockey” package in Ubuntu: Triaged

Bug description:
We have decided on doing signing of printer driver packages as described on

https://www.linuxfoundation.org/collaborate/workgroups/openprinting/writingandpackagingprinterdrivers#Signing_your_packages

section "Build a trusted path to distributions", point 3.

I have completed the support for signed packages on the OpenPrinting web site now. Manufacturers provide the signature key fingerprints on their https://... web sites and the links to them are registered in the OpenPrinting database following this scheme:

In the Foomatic XML files for the drivers one simply adds 'fingerprint="[URL of key fingerprint]"' to the <package> tags. See the README files of foomatic-db and foomatic-db-engine.

Then on the OpenPrinting web site there appear "Signed" links. These links lead to the correct key fingerprint as referenced in the Foomatic XML file. The links appear near all package download links, on both printer and driver pages. For an example see

http://www.openprinting.org/printer/Epson/Epson-EP_302
http://www.openprinting.org/driver/epson-ep-302/

Also the web query API makes the URLs to the key fingerprints available. See

http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml

for an example (<fingerprint> tags). Note that only the epson-escpr driver has signed packages; the gutenprint packages are not signed.

In addition, a new "onlysigneddriverpackages" filter option is now available in the web query API. This way one can make a printer setup tool listing only packages which are signed and have the signature key fingerprint available.

See the example:

http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml&onlysigneddriverpackages=1

Here you see that only packages of the epson-escpr driver are listed, and no packages of gutenprint, because only the epson-escpr packages are signed.

Can you add appropriate signature support to Jockey? If other packages need to be changed (like trusted signature lists), please add an appropriate task to this bug report.
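
A client-side check on the query API output, as an added example that is not part of the bug report or of Jockey's code: it re-checks every package for an https fingerprint URL instead of relying on the server-side "onlysigneddriverpackages" filter. Only the <package> and <fingerprint> tag names come from the report; the response layout, file names and URLs are assumptions, and passing this check does not replace signature verification by apt.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample response. Only the <package> and <fingerprint> tag names
# come from the bug report; the surrounding layout, file names and URLs are
# assumptions made for this example.
SAMPLE_RESPONSE = """\
<drivers>
  <driver id="epson-escpr">
    <package file="epson-escpr_1.0_i386.deb">
      <fingerprint>https://vendor.example/keys/fingerprint.txt</fingerprint>
    </package>
    <package file="epson-escpr_1.0_amd64.deb">
      <fingerprint>http://vendor.example/keys/fingerprint.txt</fingerprint>
    </package>
  </driver>
  <driver id="gutenprint">
    <package file="gutenprint_5.2_i386.deb"/>
  </driver>
</drivers>
"""


def fingerprint_url_problem(url):
    """Return None if the fingerprint URL is acceptable, else the reason."""
    if not url:
        return "no fingerprint URL (unsigned package)"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "fingerprint not served over https"
    if not parts.hostname:
        return "fingerprint URL has no host"
    return None


def classify_packages(xml_text):
    """Split packages into (accepted, rejected) without trusting the server filter."""
    accepted, rejected = [], []
    for driver in ET.fromstring(xml_text).iter("driver"):
        for pkg in driver.iter("package"):
            url = (pkg.findtext("fingerprint") or "").strip()
            problem = fingerprint_url_problem(url)
            entry = (driver.get("id"), pkg.get("file"))
            if problem is None:
                accepted.append(entry + (url,))
            else:
                rejected.append(entry + (problem,))
    return accepted, rejected
```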
