[Bug 604698] Re: Automatic printer driver download should support signed packages
Martin Pitt
martin.pitt at ubuntu.com
Wed Sep 15 11:32:37 BST 2010
Note that this patch still doesn't do anything about actually fetching
and installing the Epson key, so we still don't get any verification of
the added archive. Also, the bug title/scope is much broader and applies
to all printer drivers. This is definitively out of scope for Maverick,
so I unset the milestone.
We need to discuss whether we should just ship the Epson key with the
Jockey package, but that'd break as soon as the key gets changed.
** Changed in: jockey (Ubuntu)
   Importance: High => Medium
** Changed in: jockey (Ubuntu)
   Status: Fix Committed => Triaged
** Changed in: jockey (Ubuntu)
   Milestone: ubuntu-10.10 => None
--
Automatic printer driver download should support signed packages
https://bugs.launchpad.net/bugs/604698
Status in “jockey” package in Ubuntu: Triaged
Bug description:
We have decided on doing signing of printer driver packages as described on
https://www.linuxfoundation.org/collaborate/workgroups/openprinting/writingandpackagingprinterdrivers#Signing_your_packages
section "Build a trusted path to distributions", point 3.
I have completed the support for signed packages on the OpenPrinting web site now. Manufacturers provide the signature key fingerprints on their https://... web sites, and the links to them are registered in the OpenPrinting database following this scheme:
In the Foomatic XML files for the drivers one simply adds 'fingerprint="[URL of key fingerprint]"' to the <package> tags. See the README files of foomatic-db and foomatic-db-engine.
Then on the OpenPrinting web site there appear "Signed" links. These links lead to the correct key fingerprint as referenced in the Foomatic XML file. The links appear near all package download links, on both printer and driver pages. For an example see
http://www.openprinting.org/printer/Epson/Epson-EP_302
http://www.openprinting.org/driver/epson-ep-302/
Also the web query API makes the URLs to the key fingerprints available. See
http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml
for an example (<fingerprint> tags). Note that only the epson-escpr driver has signed packages; the gutenprint packages are not signed.
In addition, a new "onlysigneddriverpackages" filter option is now available in the web query API. This way one can make a printer setup tool listing only packages which are signed and have the signature key fingerprint available.
See the example:
http://www.openprinting.org/query.php?type=driver&printer=Epson-Stylus_SX200&moreinfo=1&format=xml&onlysigneddriverpackages=1
Here you see that only packages of the epson-escpr driver are listed, and no packages of gutenprint, because only the epson-escpr packages are signed.
Can you add appropriate signature support to Jockey? If other packages need to be changed (like trusted signature lists), please add an appropriate task to this bug report.
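
Added example (not part of the bug report, and not Jockey or OpenPrinting code): a client-side check that accepts a package as signed only when its `fingerprint` attribute points at an https URL, and that compares a published fingerprint with the fingerprint of the downloaded key before that key is trusted. Only the `fingerprint="..."` attribute on `<package>` comes from the description above; the XML layout, host names, file names and the 40-hex-digit fingerprint format are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: only the fingerprint="..." attribute on <package> is
# taken from the bug description; the surrounding layout, host names and
# file names are made up for this example.
SAMPLE_XML = """
<driver id="driver/example-signed">
  <packages>
    <package fingerprint="https://vendor.example/keys/fingerprint.txt">example-driver_1.0_amd64.deb</package>
    <package fingerprint="http://vendor.example/keys/fingerprint.txt">example-driver_1.0_i386.deb</package>
    <package>example-unsigned_1.0_amd64.deb</package>
  </packages>
</driver>
"""

def classify_packages(xml_text):
    """Map each package name to 'signed', 'insecure-fingerprint-url' or 'unsigned'."""
    result = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = (pkg.text or "").strip()
        url = pkg.get("fingerprint")
        if not url:
            result[name] = "unsigned"
            continue
        parts = urlsplit(url)
        if parts.scheme.lower() == "https" and parts.hostname:
            result[name] = "signed"
        else:
            # A fingerprint fetched over plain HTTP can be replaced in
            # transit, so it provides no trust anchor for the key.
            result[name] = "insecure-fingerprint-url"
    return result

def normalize_fingerprint(text):
    """Reduce a fingerprint to 40 upper-case hex digits, or None if malformed.

    Assumes the published text holds only the fingerprint itself.
    """
    digits = re.sub(r"[\s:]", "", text).upper()
    return digits if re.fullmatch(r"[0-9A-F]{40}", digits) else None

def key_matches(published_text, key_fingerprint):
    """True only if both values are well-formed and identical."""
    published = normalize_fingerprint(published_text)
    actual = normalize_fingerprint(key_fingerprint)
    return published is not None and published == actual
```

A repository key would be added to the trusted keyring only after `key_matches` returns true for the fingerprint retrieved over https and the fingerprint computed from the downloaded key.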