To get this functionality, we changed a file in /etc/polkit-1/localauthority and set
ResultActive to yes (instead of auth_admin) for org.freedesktop.packagekit.package-install -only-. (I'm not 100% sure about the filename as I have limited access to our test environment right now)
Interesting that this worked, as polkit has dropped the localauthority backend and only does JavaScript rules now.
My bad. I just remembered a way to get my hands on our current autoyast-scripts and we aren't actually editing a file in /etc/polkit-1/..., we just do:
    echo "org.freedesktop.packagekit.package-install no:no:yes" >> /etc/polkit-default-privs.local
    /sbin/set_polkit_default_privs
in a post-script (autoyast). We aren't adding org.freedesktop.packagekit.package-install-untrusted, though, so from what I gathered on the net users shouldn't be able to install unsigned software, but they are. (I'm guessing that org.freedesktop.packagekit.package-install shouldn't allow the installation of foreign packages because https://bugzilla.redhat.com/show_bug.cgi?id=534047 describes that it was added as a default in Fedora 12 to allow users to install software as non-root, but only from trusted repositories. And because package-install-untrusted wouldn't be very useful if package-install already covered all packages :) )
I have a hard time finding how PackageKit internally decides that it's "untrusted".
I however think that the PackageKit zypp backend might not be reporting this correctly.
So the zypp backend might wrongfully report the same for packages that are signed, unsigned, or signed with an unknown key, resulting in apper (I'm pretty sure it was apper, but I'll get my facts straight as soon as possible, sorry) installing them because it has no way of knowing that the package is untrusted?
You will probably need to ask our zypp gurus :/
Do they frequent this list, too?
Thanks for your help,
Andreas
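An audit check for the setting discussed in this message, as an added example that is not part of the original post or of any openSUSE tooling: it lists the PackageKit actions in a polkit-default-privs file that an active local session may perform without authentication. The function name, the any:inactive:active field order, the single-value shorthand and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumed line format: "<action> <any>:<inactive>:<active>", matching the
# "no:no:yes" entry in the post. A single value such as "auth_admin" is
# assumed to apply to all three session types.

audit_packagekit_privs() {
    # $1: path to a privs file, e.g. /etc/polkit-default-privs.local
    # Prints every PackageKit action whose active-session field is "yes".
    awk '
        NF >= 2 && $1 ~ /^org\.freedesktop\.packagekit\./ {
            n = split($2, field, ":")
            active = (n == 3) ? field[3] : field[1]
            if (active == "yes") print $1
        }
    ' "$1" | sort
}

# Constructed sample input; the first entry mirrors the line appended in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real system
org.freedesktop.packagekit.package-install no:no:yes
org.freedesktop.packagekit.package-install-untrusted auth_admin
org.freedesktop.packagekit.system-update auth_admin:auth_admin:auth_admin_keep
EOF

echo "PackageKit actions allowed without authentication for active sessions:"
audit_packagekit_privs "$sample"
rm -f "$sample"
```

Each action it prints is one a logged-in local user can trigger with no password prompt, so whether PackageKit classifies a given package as trusted decides what that user can install.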