search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
When there are no valid signatures, say which feed in the error message
[zeroinstall/zeroinstall-rsl.git] / zeroinstall / 0launch-gui / trust_box.py
blob5ef53f0013e084a9023c3c01ddc7deb3f588d3b6
1 # Copyright (C) 2009, Thomas Leonard
2 # -*- coding: utf-8 -*-
3 # See the README file for details, or visit http://0install.net.
4
5 import gtk
6 from zeroinstall.injector.model import SafeException
7 from zeroinstall.injector import gpg, trust
8 from zeroinstall.support import tasks
9 from zeroinstall.gtkui import help_box
10
11 import dialog
12
13 def pretty_fp(fp):
14 s = fp[0:4]
15 for x in range(4, len(fp), 4):
16 s += ' ' + fp[x:x + 4]
17 return s
18
19 def left(text):
20 label = gtk.Label(text)
21 label.set_alignment(0, 0.5)
22 label.set_selectable(True)
23 return label
24
25 def get_hint(fingerprint):
26 hint_icon = gtk.Image()
27 hint_text = hints.get(fingerprint, None)
28 if hint_text:
29 hint_icon.set_from_stock(gtk.STOCK_YES, gtk.ICON_SIZE_BUTTON)
30 else:
31 hint_icon.set_from_stock(gtk.STOCK_DIALOG_WARNING, gtk.ICON_SIZE_BUTTON)
32 hint_text = 'Warning: Nothing known about this key!'
33 hint = left(hint_text)
34 hint.set_line_wrap(True)
35 hint_hbox = gtk.HBox(False, 4)
36 hint_hbox.pack_start(hint_icon, False, True, 0)
37 hint_hbox.pack_start(hint, True, True, 0)
38 hint_icon.set_alignment(0, 0)
39 return hint_hbox
40
41 class TrustBox(dialog.Dialog):
42 interface = None
43 sigs = None
44 iface_xml = None
45 valid_sigs = None
46 parent = None
47 closed = None
48
49 def __init__(self, interface, sigs, iface_xml, parent):
50 dialog.Dialog.__init__(self)
51 self.set_transient_for(parent)
52
53 self.closed = tasks.Blocker("confirming keys with user")
54
55 domain = trust.domain_from_url(interface.uri)
56 assert domain
57
58 def destroy(box):
59 global _queue
60 assert _queue[0] is self
61 del _queue[0]
62
63 self.closed.trigger()
64
65 # Remove any queued boxes that are no longer required
66 def still_untrusted(box):
67 for sig in box.valid_sigs:
68 is_trusted = trust.trust_db.is_trusted(sig.fingerprint, domain)
69 if is_trusted:
70 return False
71 return True
72 if _queue:
73 next = _queue[0]
74 if still_untrusted(next):
75 next.show()
76 else:
77 next.trust_keys([], domain)
78 next.destroy() # Will trigger this again...
79 self.connect('destroy', destroy)
80
81 self.interface = interface
82 self.sigs = sigs
83 self.iface_xml = iface_xml
84
85 self.set_title('Confirm trust')
86
87 vbox = gtk.VBox(False, 4)
88 vbox.set_border_width(4)
89 self.vbox.pack_start(vbox, True, True, 0)
90
91 self.valid_sigs = [s for s in sigs if isinstance(s, gpg.ValidSig)]
92 if not self.valid_sigs:
93 raise SafeException('No valid signatures found on "%s". Signatures:%s' %
94 (interface.uri, ''.join(['\n- ' + str(s) for s in sigs])))
95
96 notebook = gtk.Notebook()
97
98 if len(self.valid_sigs) == 1:
99 notebook.set_show_tabs(False)
100
101 label = left('Checking: ' + interface.uri)
102 label.set_padding(4, 4)
103 vbox.pack_start(label, False, True, 0)
104
105 currently_trusted_keys = trust.trust_db.get_keys_for_domain(domain)
106 if currently_trusted_keys:
107 keys = [gpg.load_key(fingerprint) for fingerprint in currently_trusted_keys]
108 descriptions = ["%s\n(fingerprint: %s)" % (key.name, pretty_fp(key.fingerprint))
109 for key in keys]
110 else:
111 descriptions = ['None']
112 dialog.frame(vbox, 'Keys already approved for "%s"' % domain, '\n'.join(descriptions))
113
114 if len(self.valid_sigs) == 1:
115 label = left('This key signed the feed:')
116 else:
117 label = left('These keys signed the feed:')
118
119 label.set_padding(4, 4)
120 vbox.pack_start(label, False, True, 0)
121
122 vbox.pack_start(notebook, True, True, 0)
123
124 self.add_button(gtk.STOCK_HELP, gtk.RESPONSE_HELP)
125 self.add_button(gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL)
126 self.add_button(gtk.STOCK_ADD, gtk.RESPONSE_OK)
127 self.set_default_response(gtk.RESPONSE_OK)
128
129 trust_checkbox = {} # Sig -> CheckButton
130 def ok_sensitive():
131 trust_any = False
132 for toggle in trust_checkbox.values():
133 if toggle.get_active():
134 trust_any = True
135 break
136 self.set_response_sensitive(gtk.RESPONSE_OK, trust_any)
137
138 for sig in self.valid_sigs:
139 if hasattr(sig, 'get_details'):
140 name = '<unknown>'
141 details = sig.get_details()
142 for item in details:
143 if item[0] in ('pub', 'uid') and \
144 len(item) > 9:
145 name = item[9]
146 break
147 else:
148 name = None
149 page = gtk.VBox(False, 4)
150 page.set_border_width(8)
151
152 dialog.frame(page, 'Fingerprint', pretty_fp(sig.fingerprint))
153
154 if name is not None:
155 dialog.frame(page, 'Claimed identity', name)
156
157 dialog.frame(page, 'Unreliable hints database says', get_hint(sig.fingerprint))
158
159 already_trusted = trust.trust_db.get_trust_domains(sig.fingerprint)
160 if already_trusted:
161 dialog.frame(page, 'You already trust this key for these domains',
162 '\n'.join(already_trusted))
163
164 trust_checkbox[sig] = gtk.CheckButton('_Trust this key')
165 page.pack_start(trust_checkbox[sig], False, True, 0)
166 trust_checkbox[sig].connect('toggled', lambda t: ok_sensitive())
167
168 notebook.append_page(page, gtk.Label(name or 'Signature'))
169
170 ok_sensitive()
171 self.vbox.show_all()
172
173 def response(box, resp):
174 if resp == gtk.RESPONSE_HELP:
175 trust_help.display()
176 return
177 if resp == gtk.RESPONSE_OK:
178 self.trust_keys([sig for sig in trust_checkbox if trust_checkbox[sig].get_active()], domain)
179 self.destroy()
180 self.connect('response', response)
181
182 def trust_keys(self, sigs, domain):
183 assert domain
184 try:
185 for sig in sigs:
186 trust.trust_db.trust_key(sig.fingerprint, domain)
187
188 trust.trust_db.notify()
189 except Exception, ex:
190 dialog.alert(None, ex)
191 if not isinstance(ex, SafeException):
192 raise
193
194 _queue = []
195 def confirm_trust(interface, sigs, iface_xml, parent):
196 """Display a dialog box asking the user to confirm that one of the
197 keys is trusted for this domain. If a trust box is already visible, this
198 one is queued until the existing one is closed.
199 @param interface: the feed being loaded
200 @type interface: L{model.Interface}
201 @param sigs: the signatures on the feed
202 @type sigs: [L{gpg.Signature}]
203 @param iface_xml: the downloaded (untrusted) XML document
204 @type iface_xml: str
205 """
206 box = TrustBox(interface, sigs, iface_xml, parent)
207 _queue.append(box)
208 if len(_queue) == 1:
209 _queue[0].show()
210 return box.closed
211
212 trust_help = help_box.HelpBox("Trust Help",
213 ('Overview', """
214 When you run a program, it typically has access to all your files and can generally do \
215 anything that you're allowed to do (delete files, send emails, etc). So it's important \
216 to make sure that you don't run anything malicious."""),
217
218 ('Digital signatures', """
219 Each software author creates a 'key-pair'; a 'public key' and a 'private key'. Without going \
220 into the maths, only something encrypted with the private key will decrypt with the public key.
221
222 So, when a programmer releases some software, they encrypt it with their private key (which no-one \
223 else has). When you download it, the injector checks that it decrypts using their public key, thus \
224 proving that it came from them and hasn't been tampered with."""),
225
226 ('Trust', """
227 After the injector has checked that the software hasn't been modified since it was signed with \
228 the private key, you still have the following problems:
229
230 1. Does the public key you have really belong to the author?
231 2. Even if the software really did come from that person, do you trust them?"""),
232
233 ('Key fingerprints', """
234 To confirm (1), you should compare the public key you have with the genuine one. To make this \
235 easier, the injector displays a 'fingerprint' for the key. Look in mailing list postings or some \
236 other source to check that the fingerprint is right (a different key will have a different \
237 fingerprint).
238
239 You're trying to protect against the situation where an attacker breaks into a web site \
240 and puts up malicious software, signed with the attacker's private key, and puts up the \
241 attacker's public key too. If you've downloaded this software before, you \
242 should be suspicious that you're being asked to confirm another key!"""),
243
244 ('Reputation', """
245 In general, most problems seem to come from malicous and otherwise-unknown people \
246 replacing software with modified versions, or creating new programs intended only to \
247 cause damage. So, check your programs are signed by a key with a good reputation!"""))
248
249 hints = {
250 '1DC295D11A3F910DA49D3839AA1A7812B40B0B6E' :
251 'Ken Hayber has been writing ROX applications since 2003. This key '
252 'was announced on the rox-users list on 5 Jun 2005.',
253
254 '4338D5420E0BAEB6B2E73530B66A4F24AB8B4B65' :
255 'Thomas Formella is experimenting with packaging programs for 0launch. This key '
256 'was announced on 11 Sep 2005 on the zero-install mailing list.',
257
258 '92429807C9853C0744A68B9AAE07828059A53CC1' :
259 'Thomas Leonard created Zero Install and ROX. This key is used to sign updates to the '
260 'injector; you should accept it.',
261
262 'DA9825AECAD089757CDABD8E07133F96CA74D8BA' :
263 'Thomas Leonard created Zero Install and ROX. This key is used to sign updates to the '
264 'injector; you should accept it. It was announced on the Zero Install mailing list '
265 'on 2009-05-31.',
266
267 '0597A2AFB6B372ACB97AC6E433B938C2E9D8826D' :
268 'Stephen Watson is a project admin for the ROX desktop, and has been involved with the '
269 'project since 2000. This key has been used for signing software since the 23 Jul 2005 '
270 'announcement on the zero-install mailing list.',
271
272 'F0A0CA2A8D8FCC123F5EC04CD8D59DC384AE988E' :
273 'Piero Ottuzzi is experimenting with packaging programs for 0launch. This key has been '
274 'known since a 16 Mar 2005 post to the zero-install mailing list. It was first used to '
275 'sign software in an announcement posted on 9 Aug 2005.',
276
277 'FC71DC3364367CE82F91472DDF32928893D894E9' :
278 'Niklas Höglund is experimenting with using Zero Install on the Nokia 770. This key has '
279 'been known since the announcement of 4 Apr 2006 on the zero-install mailing list.',
280
281 'B93AAE76C40A3222425A04FA0BDA706F2C21E592' :
282 'Ilja Honkonen is experimenting with packaging software for Zero Install. This key '
283 'was announced on 2006-04-21 on the zero-install mailing list.',
284
285 '5D3D90FB4E6FE10C7F76E94DEE6BC26DBFDE8022' :
286 'Dennis Tomas leads the rox4debian packaging effort. This key has been known since '
287 'an email forwarded to the rox-devel list on 2006-05-28.',
288
289 '2E2B4E59CAC8D874CD2759D34B1095AF2E992B19' :
290 'Lennon Cook creates the FreeBSD-x86 binaries for various ROX applications. '
291 'This key was announced in a Jun 17, 2006 post to the rox-devel mailing list.',
292
293 '7722DC5085B903FF176CCAA9695BA303C9839ABC' :
294 'Lennon Cook creates the FreeBSD-x86 binaries for various ROX applications. '
295 'This key was announced in an Oct 5, 2006 post to the rox-users mailing list.',
296
297 '03DC5771716A5A329CA97EA64AB8A8E7613A266F' :
298 'Lennon Cook creates the FreeBSD-x86 binaries for various ROX applications. '
299 'This key was announced in an Oct 7, 2007 post to the rox-users mailing list.',
300
301 '617794D7C3DFE0FFF572065C0529FDB71FB13910' :
302 'This low-security key is used to sign Zero Install interfaces which have been '
303 "automatically generated by a script. Typically, the upstream software didn't "
304 "come with a signature, so it's impossible to know if the code is actually OK. "
305 "However, there is still some benefit: if the archive is modified after the "
306 "script has signed it then any further changes will be detected, so this isn't "
307 "completely pointless.",
308
309 '5E665D0ECCCF1215F725BD2FA7421904E3D1B654' :
310 'Daniel Carrera works on the OpenDocument viewer from opendocumentfellowship.org. '
311 'This key was confirmed in a zero-install mailing list post on 2007-01-09.',
312
313 '635469E565B8D340C2C9EA4C32FBC18CE63EF486' :
314 'Eric Wasylishen is experimenting with packaging software with Zero Install. '
315 'This key was announced on the zero-install mailing list on 2007-01-16 and then lost.',
316
317 'E5175248514E9D4E558B5925BC456918F32AC5D1' :
318 'Eric Wasylishen is experimenting with packaging software with Zero Install. '
319 'This key was announced on the zero-install mailing list on 2008-12-07',
320
321 'C82D382AAB381A54529019D6A0F9B035686C6996' :
322 "Justus Winter is generating Zero Install feeds from pkgsrc (which was originally "
323 "NetBSD's ports collection). This key was announced on the zero-install mailing list "
324 "on 2007-06-01.",
325
326 'D7582A2283A01A6480780AC8E1839306AE83E7E2' :
327 'Tom Adams is experimenting with packaging software with Zero Install. '
328 'This key was announced on the zero-install mailing list on 2007-08-14.',
329
330 '3B2A89E694686DC4FEEFD6F6D00CA21EC004251B' :
331 'Tuomo Valkonen is the author of the Ion tiling window manager. This key fingerprint '
332 'was taken from http://modeemi.fi/~tuomov/ on 2007-11-17.',
333
334 'A14924F4DFD1B81DED3436240C9B2C41B8D66FEA' :
335 'Andreas K. Förster is experimenting with creating Zero Install feeds. '
336 'This key was announced in a 2008-01-25 post to the zeroinstall mailing list.',
337
338 '520DCCDBE5D38E2B22ADD82672E5E2ACF037FFC4' :
339 'Thierry Goubier creates PPC binaries for the ROX desktop. This key was '
340 'announced in a 2008-02-03 posting to the rox-users list.',
341
342 '517085B7261D3B03A97515319C2C2CD1D41AF5BB' :
343 'Frank Richter is a developer of the Crystal Space 3D SDK. This key was '
344 'confirmed in a 2008-09-04 post to the zero-install-devel mailing list.',
345 }