Bug 428125 - local file installation broken because of only-trusted
Summary: local file installation broken because of only-trusted
Status: RESOLVED FIXED
Alias: None
Product: Discover
Classification: Applications
Component: PackageKit (show other bugs)
Version: unspecified
Platform: Other Linux
: VHI normal
Target Milestone: ---
Assignee: Dan Leinir Turthra Jensen
URL:
Keywords: regression
: 426752 427898 429214 429396 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-10-23 08:56 UTC by Harald Sitter
Modified: 2020-11-20 14:54 UTC (History)
6 users (show)

See Also:
Latest Commit:
Version Fixed In: 5.20.4


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Harald Sitter 2020-10-23 08:56:29 UTC
SUMMARY
local deb (and probably rpm) installation is called with the `only-trusted` transaction flag. At least for deb that makes no sense, a randomly side loaded deb will almost never pass signature validation and as a consequence installing side loaded debs never works because they can't be validated.

This is different from pkcon which doesn't set the flag and works as expected.

STEPS TO REPRODUCE
1. on neon
2. download https://www.microsoftedgeinsider.com/en-us/download/?platform=linux
3. open
4. click install

OBSERVED RESULT
'cannot install from unsigned repo' error

EXPECTED RESULT
deb installs

ADDITIONAL INFORMATION
Debug output from packagekit

Discover:
10:47:36        PackageKit          InstallFiles method called: /home/me/Downloads/microsoft-edge-dev_88.0.673.0-1_amd64.deb (transaction_flags: only-trusted)

pkcon (working):
10:48:01        PackageKit          InstallFiles method called: /home/me/Downloads/microsoft-edge-dev_88.0.673.0-1_amd64.deb (transaction_flags: none)
Comment 1 Nate Graham 2020-10-26 15:43:03 UTC
Is this a thing we can fix from within Discover?
Comment 2 Harald Sitter 2020-10-27 16:02:14 UTC
Sure. The packagekit transaction needs to be created with the right flags.
Comment 3 Nate Graham 2020-10-27 19:31:11 UTC
OK cool. Something must have changed recently because this totally used to work.
Comment 4 Harald Sitter 2020-10-30 10:51:09 UTC
*** Bug 426752 has been marked as a duplicate of this bug. ***
Comment 5 Bug Janitor Service 2020-11-12 16:43:53 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/discover/-/merge_requests/45
Comment 6 Alexander Lohnau 2020-11-12 17:10:17 UTC
Git commit 34d82541ab5dabeb284e081878f49d476c4c0403 by Alexander Lohnau.
Committed on 12/11/2020 at 17:10.
Pushed by alex into branch 'master'.

Fix installation of local packages

In newer versions they were considered untrusted, that
is why the installation always failed.
FIXED-in: 5.20.4

M  +5    -1    libdiscover/backends/PackageKitBackend/PKTransaction.cpp

https://invent.kde.org/plasma/discover/commit/34d82541ab5dabeb284e081878f49d476c4c0403
Comment 7 Alexander Lohnau 2020-11-12 17:12:27 UTC
Git commit 0db81d6e944356c07bd38994afc1c5f4ec19f6e1 by Alexander Lohnau.
Committed on 12/11/2020 at 17:10.
Pushed by alex into branch 'Plasma/5.20'.

Fix installation of local packages

In newer versions they were considered untrusted, that
is why the installation always failed.
FIXED-in: 5.20.4

M  +5    -1    libdiscover/backends/PackageKitBackend/PKTransaction.cpp

https://invent.kde.org/plasma/discover/commit/0db81d6e944356c07bd38994afc1c5f4ec19f6e1
Comment 8 Nate Graham 2020-11-12 17:13:23 UTC
I wonder if this is worth backporting to 5.18 too?
Comment 9 Patrick Silva 2020-11-17 02:10:25 UTC
*** Bug 429214 has been marked as a duplicate of this bug. ***
Comment 10 Patrick Silva 2020-11-19 16:08:43 UTC
*** Bug 427898 has been marked as a duplicate of this bug. ***
Comment 11 Harald Sitter 2020-11-20 14:54:27 UTC
*** Bug 429396 has been marked as a duplicate of this bug. ***