Bug 578583 - Allow to mute "Trust" PGP key dialog
Summary: Allow to mute "Trust" PGP key dialog
Status: VERIFIED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: p2 (show other bugs)
Version: 4.23   Edit
Hardware: All All
: P3 normal (vote)
Target Milestone: 4.23 M3   Edit
Assignee: Ed Merks CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 578322
  Show dependency tree
 
Reported: 2022-02-04 08:02 EST by Andrey Loskutov CLA
Modified: 2022-02-10 03:55 EST (History)
3 users (show)

See Also:

Attachments
example of the Trust PGP dialog (57.54 KB, image/png)
2022-02-04 08:02 EST, Andrey Loskutov CLA 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Loskutov CLA 2022-02-04 08:02:35 EST 
Created attachment 287986 [details]
example of the Trust PGP dialog

Coming from bug 578322 comment 18.

The "Trust" PGP key dialog (see bug 578024 and bug 541347) is just confusing and scaring an "average" user. There should be a possibility to avoid showing this dialog, similar to -Declipse.p2.unsignedPolicy=allow system property that was used before.

I personally think this extra property is not needed, but I was asked to create a bug for that extra property if I want to hide PGP, so here it is.

###

For the record: I think that an extra flag is not needed if -Declipse.p2.unsignedPolicy=allow is already set.

If user says "allow unsigned bundles", why he should  be prompted for bundles that *signed* but with unknown key? So for my use case, where "-Declipse.p2.unsignedPolicy=allow" is already set, there is no additional use case of a second property saying basically that "I don't care".

Other way around: if someone wants to have *only* signed bundles (and cares about signed/unsigned differences), why this someone would request "but please don't show me dialog for unknown PGP keys". Either you have your security under control and don't care about extra dialogs, or you don't trust anyone and wants explicit checks for everything. Germans say "man kann nicht ein bisschen schwanger sein" - "you cannot be just a little pregnant" - with security it is same.
Comment 1 Ed Merks CLA 2022-02-04 08:21:05 EST 
It's a good point that if you (the users) don't care about unsigned content then you probably don't care about unrooted certificates nor about PGP trust.

So what you're suggesting is not unreasonable. I'm just uncomfortable that is sudden applies to jar signed content with unrooted certificates, although again our argument is reasonable for that case as well...


But in any case, I think the certificate checker needs to do the work because it shouldn't call out to the UI services and then suddenly the UI services needs to know about the policy and implement that policy...
Comment 2 Ed Merks CLA 2022-02-04 08:22:25 EST 
Do you think anyone might want to allow PGP signed content for unknown keys (and unrooted certificates) without prompting while still being prompted for unsigned content?
Comment 3 Alexander Kurtakov CLA 2022-02-04 08:51:58 EST 
I don't think anyone would want that. Unknown key/unrooted certificate is just "untrusted" content from security POV much like unsigned code.
Comment 4 Ed Merks CLA 2022-02-04 10:08:34 EST 
I think to implement what you are suggesting we just need to change this in CertificateChecker.checkCertificates(SignedContentFactory):


	private IStatus checkCertificates(SignedContentFactory verifierFactory) {
		UIServices serviceUI = agent.getService(UIServices.class);
		ArrayList<Certificate> untrustedCertificates = new ArrayList<>();
		Map<IArtifactDescriptor, Collection<PGPPublicKey>> untrustedPGPArtifacts = new HashMap<>();
		Map<IArtifactDescriptor, File> unsigned = new HashMap<>();
		ArrayList<Certificate[]> untrustedChain = new ArrayList<>();
		Map<Certificate, Collection<File>> untrustedArtifacts = new HashMap<>();
		IStatus status = Status.OK_STATUS;
		String policy = getUnsignedContentPolicy();
		if (artifacts.isEmpty() || serviceUI == null || EngineActivator.UNSIGNED_ALLOW.equals(policy)) {
			return status;
		}

I.e., if the policy is "allow" for unsigned content, we don't do any other checking (and do not call the UIServices with anything). 

The policy check at this subsequent line could also be removed:

String[] details = EngineActivator.UNSIGNED_ALLOW.equals(policy) || unsigned.isEmpty() ? null

I don't see any strong argument not to take this approach.  Your arguments all seem reasonable and correct.
Comment 5 Ed Merks CLA 2022-02-04 10:13:00 EST 
So we're all agreed that such a change is appropriate?  

I would then change the method to start like this:

	private IStatus checkCertificates(SignedContentFactory verifierFactory) {
		UIServices serviceUI = agent.getService(UIServices.class);
		IStatus status = Status.OK_STATUS;
		String policy = getUnsignedContentPolicy();
		if (artifacts.isEmpty() || serviceUI == null || EngineActivator.UNSIGNED_ALLOW.equals(policy)) {
			return status;
		}

No point in creating all those things that aren't used.

And remove the guard later in the code...
Comment 6 Eclipse Genie CLA 2022-02-09 11:42:35 EST 
New Gerrit change created: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/190618
Comment 8 Andrey Loskutov CLA 2022-02-10 03:55:34 EST 
Verified with I20220209-1800
Thanks Ed!