Feature Request: GPGFetch

[RubenKelevra]

I noticed that aura is lacking a function to automatically fetch unknown GPG keys from PKGBUILDs, which was kind of nice that paru would handle that automatically.

$ man paru.conf | grep "PgpFetch" -A1
       PgpFetch
              Prompt to import unknown PGP keys from the validpgpkeys field of each PKGBUILD.

I was wondering if Aura could get a similar function, maybe with some more security in mind. So the user would acknowledge the GPG key-id on import and if the key-id in the PKGBUILD changes, there would be a warning message that this happened, which the user needs to acknowledge, too, before the new key is presented as to be imported.

Currently the build just fails at the time the GPG key needs to verify the source file:

$ aura -A firefox-nightly-de-bin
[...]
==> Validating source files with sha512sums...
    firefox-nightly.desktop ... Passed
    policies.json ... Passed
==> Validating source_x86_64 files with sha512sums...
    firefox-131.0a1.de.linux-x86_64.tar.bz2 ... Skipped
    firefox-131.0a1.de.linux-x86_64.tar.bz2.asc ... Skipped
==> Verifying source file signatures with gpg...
    firefox-131.0a1.de.linux-x86_64.tar.bz2 ... FAILED (unknown public key E36D3B13F3D93274)
==> ERROR: One or more PGP signatures could not be verified!
aura :: Package failed to build, citing:

  makepkg failed.

aura :: Action cancelled.

[fosskers]

While such a feature would be quite convenient, it also poses a security risk. I can see many users impatiently accepting the key just to get on with their lives, and I'm not sure it's right to enable that behaviour.

[stereomato]

Maybe display a disclaimer each time that's done? People will accept whatever keys anyway if they wanna install something anyway, and arch users should also know that they should be responsible.

[RubenKelevra]

While such a feature would be quite convenient, it also poses a security risk. I can see many users impatiently accepting the key just to get on with their lives, and I'm not sure it's right to enable that behaviour.

There's no difference in terms of security, regardless if Aura does the import or an "impatient user" would paste some random commands on the console.

I think a well designed prompt would potentially improve security here, as @stereomato points out.

[AladW]

A safer approach is to use a separate keyring for AUR packages, instead of automatically dumping keys into the user's keyring. This can be passed on to makepkg with the GNUPGHOME environment variable.

This also requires no additional prompts to annoy the user.

[RubenKelevra]

A safer approach is to use a separate keyring for AUR packages, instead of automatically dumping keys into the user's keyring. This can be passed on to makepkg with the GNUPGHOME environment variable.

This also requires no additional prompts to annoy the user.

Agreed. I think that's what paru is doing as well, isn't it? 🤔

[AladW]

I think paru naively imports keys into the user keyring. FWIW, I added it in aurutils here: https://github.com/aurutils/aurutils/pull/1180

[RubenKelevra]

I think paru naively imports keys into the user keyring.

I don't think so, as I had to create a user key with gpg for aura, after using paru for a while on a fairly new system.