Accepting a security signature, Fedora 19

Welcome inside the head of a user! (See Open Advice, page 121, to learn where this post comes from.)

Last week I upgraded to Fedora 19, at work.

For the first update of this new release, the user needs to say that she trusts the source of a package. The “help” page is quite hard to understand, which is a problem.

  • Repository name: rpmfusion-free-updates

I know rpmfusion but have never heard of this “free updates” thing.

  • Signature URL: /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-19

Perfect, it gives me a PGP public key. But it’s in /etc, which means that this key already magically arrived on my computer? Why? How? When? How do I verify it?

  • Signature user identifier: RPM Fusion free repository for Fedora (19) <rpmfusion-buildsys@lists.rpmfusion.org>

Sure, but it doesn’t really help. Does it just mean that I should write to a mailing list to tell them that I don’t get what they are trying to tell me to do 😀 ?

  • Signature identifier: 172FF33D

Ha, that looks useful. But again, I don’t know where to verify it.

  • gstreamer1-plugins-ugly-1.0.10-1.fc19.x86_64

Strange name… I don’t know what it is or what it is for. If I say that I don’t want to trust this package, the general update process stops.

  • Do you recognize the user and trust this key?

Well, no, I don’t. But I still want my other updates! Having security pop-ups is good, but not if it confuses the user more than it helps her.

The help page says:

To trust a repository, you should verify the details of the signing key. Normally the best way to do this is to go to the web page of the software source, and try to find details about the key used to sign the packages. This is normally called a GPG key.
You should only proceed with this dialog if you are happy to trust packages from this software source.

Fine, but there’s no URL in the pop-up. Should I check the website of rpmfusion, of Fedora (19), or of this “gstreamer…ugly” package?

On the RPM Fusion website I can verify RPM Fusion’s signing keys. There is an “RPM Fusion free for Fedora 19” key, but the key fingerprint doesn’t appear in the pop-up.

Result: I’m stuck.

Verifying the keys is important, and I would like to know how to do it. 90% of not very technical users would just click yes in this situation, because a computer needs to work and not just bother us.
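As an added illustration (not code from the original post, from Fedora or from RPM Fusion), this Python script shows how the pieces of the dialog fit together: the 8-digit “Signature identifier” is the short key ID, which is simply the last 8 hex digits of the key’s OpenPGP v4 fingerprint, and that fingerprint can be computed from the armored file in /etc/pki/rpm-gpg and compared with the one printed on the RPM Fusion website. The key embedded below is a constructed sample, not the real RPM Fusion key, and because a short ID is only 32 bits the comparison should always be made on the full fingerprint.

```python
import base64
import hashlib
import struct

def dearmor(armored: str) -> bytes:
    """Extract raw packet bytes from an ASCII-armored key block (the CRC24 line is not checked)."""
    b64, state = [], "pre"
    for line in armored.splitlines():
        line = line.strip()
        if state == "pre" and line.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
            state = "headers"
        elif state == "headers" and line == "":   # blank line separates armor headers from data
            state = "body"
        elif state == "body":
            if line.startswith("=") or line.startswith("-----END"):   # CRC24 line or end marker
                break
            b64.append(line)
    return base64.b64decode("".join(b64))

def first_packet(data: bytes):
    """Return (tag, body) of the first packet. GnuPG writes key packets with an
    old-format header (0x99 = tag 6, 2-byte length); new-format headers are rejected here."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    off = 1 + (1, 2, 4)[ltype]
    length = int.from_bytes(data[1:off], "big")
    return tag, data[off:off + length]

def fingerprint(armored: str) -> str:
    """v4 fingerprint (40 hex digits): SHA-1 over 0x99, the 2-byte body length and the key body."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def short_key_id(armored: str) -> str:
    """The 8-digit 'Signature identifier' in the dialog is just the fingerprint's last 32 bits."""
    return fingerprint(armored)[-8:]

def matches_published(armored: str, published: str) -> bool:
    """Compare the key file with the fingerprint shown on the project web site
    (grouping spaces and case ignored); trust the full fingerprint, never the short ID alone."""
    return fingerprint(armored) == "".join(published.split()).upper()

# Constructed sample (NOT the RPM Fusion key): a tiny v4 RSA public-key packet, old-format header.
_body = b"\x04" + struct.pack(">I", 1372636800) + b"\x01" + b"\x00\x08\xd9" + b"\x00\x11\x01\x00\x01"
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n"
              + base64.b64encode(b"\x99" + struct.pack(">H", len(_body)) + _body).decode()
              + "\n=xxxx\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

To check a real key, pass the contents of the file named in the dialog to `fingerprint()` and compare the result with the fingerprint published on the RPM Fusion website; the last 8 digits should match the “Signature identifier” the dialog shows.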

Next step: contact someone involved in the Fedora project and improve the documentation.