pulp_rpm icon indicating copy to clipboard operation
pulp_rpm copied to clipboard
verified publisher icon pulp

Make package signing idempotent

Open daviddavis opened this issue 5 months ago • 3 comments

Is your feature request related to a problem? Please describe. We have a couple use cases where I think Pulp would needlessly re-sign a package even though it's already signed it with the package service and key:

  1. A user uploads a package into a repo a second time
  2. A user uploads a package into two repos that have the same signing service and key

Based on my reading of the code, I think Pulp would sign the package twice in these cases (and create two package artifacts/records/etc).

Describe the solution you'd like Ideally, Pulp would check to see if it has already signed a package before attempting to sign it.

One option might be a package signing history table with the original package checksum, signing service, key fingerprint, and resulting package id. Before attempting to sign a package, Pulp could check the table and just use the existing package id if it exists thereby avoiding calling package signing a second time.

daviddavis avatar Jul 08 '25 12:07 daviddavis

Wouldn't this just fall out of implementing #4045 ?

ggainey avatar Jul 08 '25 12:07 ggainey

Comments from discussion:

  • The desire is to not-sign an incoming unsigned RPM if it's ever been signed with the specified signing-script/key anywhere in pulp
  • Pipelines that blindly re-upload will create "new" RPMs for the same binary since each time an RPM is signed its signature changes
  • would work for upload, but interacts badly/collides-with on_demand syncing (and always-checking-package-metadata even on_demand has some serious performance issues)

ggainey avatar Jul 08 '25 13:07 ggainey

Un-triaging this, but we may later decide that this is a dup of #4044 in practice.

dralley avatar Jul 24 '25 15:07 dralley