Add support for Rpm Package signing
This is a draft for implementing Rpm Package support in pulp_rpm.
My plan is (not necessarily in this order):
- [x] write test for service registration and validation with sample script (using rpm --addsign)
- [x] implement the RpmPackageSigningService model
- [x] write unit test for RpmTool
- [x] write functional tests with sample script (using rpm --addsign)
- [x] implement the API options and add new model fields
- [x] implement the signing call logic (I need to find the right spots to call it)
- [x] add documentation
other:
- [x] Fix tests: rpm-tool requires permission to access /var/lib/rpm. Currently, my workaround is to change the permission of this folder, but I believe that's not an ideal approach.
- [x] Ship empty RPM package (for signing service validation).
- [x] Investigate why the functional test fails on azure and s3.
- [x] Don't build an empty rpm on each validate call.
- [x] Decouple key used for signing from a specific signing service, so the same signing service can use different keys.
closes #2986
#closes is wrong ;)
Oops
Just a question. Why do you need a new rpm package signing service ? Why core signing service can't do the job ?
Our signing service model relies on the implementation of a validation method, which ensures a registered signing script can really perform a specific type of signing on a file. Currently, the only pulpcore signing service implementation is for detached signatures, so we need another one that knows how to validate an rpm package signature, which is "attached" and requires using the rpm CLI tool.
https://github.com/pulp/pulpcore/blob/9192c2bf0ccb0e0a2df595fd3efdd0980c80ff34/pulpcore/app/models/content.py#L884
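The distinction made above (a detached `.asc` next to the file versus a signature stored inside the rpm's own signature header) is what a validator for this new service has to deal with. The block below is an added example, not pulp_rpm or pulpcore code: it parses the RPM lead and signature header from a byte string and reports which OpenPGP signature tags are present, which is the kind of check a validate method could run after calling the signing script. The tag numbers and layout follow the RPM file format (rpm's `RPMSIGTAG_*` constants); the two sample packages are constructed inside the block and are not real signed rpms, and the `RSAHEADER` payload is dummy bytes standing in for the packet that `rpm --addsign` would store.

```python
"""Inspect an RPM's signature header to tell whether a signature is attached.

Added example, not pulp_rpm or pulpcore code. Only the lead (96 bytes) and the
signature header that follows it are parsed; the main header and payload are
not needed to answer "is this package signed?".
"""
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic followed by version 1

RPM_INT32_TYPE = 4
RPM_BIN_TYPE = 7

# Signature-header tags that carry an OpenPGP signature (RPMSIGTAG_* numbers)
SIG_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "PGP", 1005: "GPG"}


def parse_signature_header(data: bytes) -> dict[int, bytes]:
    """Return {tag: raw bytes} for the INT32 and BIN entries of the signature header."""
    if len(data) < LEAD_SIZE + 16:
        raise ValueError("too short to hold an RPM lead and signature header")
    if data[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic: not an RPM")
    hdr = LEAD_SIZE
    if data[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # 4 reserved bytes, then index entry count and data-store size (big endian)
    nindex, hsize = struct.unpack(">II", data[hdr + 8:hdr + 16])
    index_start = hdr + 16
    store_start = index_start + 16 * nindex
    if store_start + hsize > len(data):
        raise ValueError("truncated signature header")
    store = data[store_start:store_start + hsize]
    entries = {}
    for i in range(nindex):
        entry = data[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, offset, count = struct.unpack(">IIII", entry)
        if typ == RPM_INT32_TYPE:
            size = 4 * count
        elif typ == RPM_BIN_TYPE:
            size = count
        else:
            continue  # string types etc. are not needed for the signature check
        if offset + size > hsize:
            raise ValueError(f"entry for tag {tag} points outside the data store")
        entries[tag] = store[offset:offset + size]
    return entries


def attached_signature_tags(data: bytes) -> list[str]:
    """Names of the signature tags present, e.g. ['RSAHEADER'] after rpm --addsign."""
    return sorted(SIG_TAGS[t] for t in parse_signature_header(data) if t in SIG_TAGS)


def has_attached_signature(data: bytes) -> bool:
    return bool(attached_signature_tags(data))


def signature_status(data: bytes) -> str:
    """'signed', 'unsigned', or 'invalid: <reason>' for malformed input."""
    try:
        return "signed" if has_attached_signature(data) else "unsigned"
    except ValueError as exc:
        return f"invalid: {exc}"


def build_sample_rpm(entries) -> bytes:
    """CONSTRUCTED sample: lead + signature header only, not an installable package."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    index, store = b"", b""
    for tag, typ, payload in entries:
        if typ == RPM_INT32_TYPE and len(store) % 4:
            store += b"\0" * (4 - len(store) % 4)  # INT32 data is 4-byte aligned
        count = len(payload) // 4 if typ == RPM_INT32_TYPE else len(payload)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += payload
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store
    if len(header) % 8:
        header += b"\0" * (8 - len(header) % 8)  # signature header is padded to 8 bytes
    return lead + header


SIZE_ENTRY = (1000, RPM_INT32_TYPE, struct.pack(">I", 4096))   # RPMSIGTAG_SIZE
MD5_ENTRY = (1004, RPM_BIN_TYPE, bytes(range(16)))             # RPMSIGTAG_MD5
# Dummy stand-in for the OpenPGP packet rpm --addsign stores; CONSTRUCTED, not a real signature
RSA_ENTRY = (268, RPM_BIN_TYPE, b"\x89\x01" + b"\xab" * 30)    # RPMSIGTAG_RSAHEADER

UNSIGNED_RPM = build_sample_rpm([SIZE_ENTRY, MD5_ENTRY])
SIGNED_RPM = build_sample_rpm([SIZE_ENTRY, MD5_ENTRY, RSA_ENTRY])

if __name__ == "__main__":
    print("unsigned sample:", signature_status(UNSIGNED_RPM))
    print("signed sample:  ", signature_status(SIGNED_RPM), attached_signature_tags(SIGNED_RPM))
```

Presence of a tag only shows that a signature is attached; whether it verifies against the expected key is still `rpm -K`'s job, so a real validator would run the signing script, apply this check, and then run `rpm --checksig` on the result.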
@pedro-psb ok, got it. It's like pulp_deb:AptReleaseSigningService, you use it with --class ?
Yes, in the pulpcore-manager command you can specify what type of signing service you are registering through the --class option. If omitted, it will use the detached one I've linked.
We should document the limitations and give the feature a tech preview label
@ipanova The last commit modifies the way signing is triggered. Now if there is an associated repository and it contains the package_signing_service field, the upload process will try to sign the uploaded package.
I will rebase that commit after approval.
This change looks good to me, thanks for adding it!
Rebased
@pedro-psb You may merge :)
I'm not sure if it will let you until we get the CI issues fixed though. That's being worked on