
Add metadata_signing_fingerprint to repository

[Open] daviddavis opened this issue 5 months ago • 3 comments

Is your feature request related to a problem? Please describe.
I really like how pulp_rpm handles package signing services: you can create a single service and then set the key you want to sign with per repository. This reflects the real world more accurately: you typically have one signing service but you would use different keys for each repo.

Today, for metadata signing, you have to set the key on the signing service, which means that for us (because we have multiple keys) we have to create and manage a signing service for each key. We're going to end up with 10s of services even though really we just have one.

Describe the solution you'd like
I'm imagining pulp_rpm could add a new field to the repository, metadata_signing_fingerprint, that would mirror package_signing_fingerprint. When the repo metadata is signed, it could use this field. For backwards compatibility, the field could default to null, in which case signing would use the signing service key.

Describe alternatives you've considered
The real issue is the pain involved in managing signing services. I have another issue filed to request that we can create signing services with the API. However, setting the key per repo would be a much preferable solution to having to manage many, many signing services.


daviddavis, Jul 15 '25 11:07
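The fallback rule proposed above (per-repo fingerprint if set, otherwise the signing service's own key) is small, but the part a practitioner cares about is what the service does when a repository names a key. The model below is an added example, not pulp_rpm or pulpcore code: the `Repository` and `SigningService` classes, the `available_fingerprints` set, and the `PULP_SIGNING_KEY_FINGERPRINT` environment variable handed to the signing script are all assumptions built from the field names in the thread. It normalises fingerprints to the full 40-hex-digit form (rejecting short key IDs, which are not unique in a keyring), applies the null-means-service-key default, and refuses a per-repo fingerprint that the service's keyring does not actually hold, so a misconfigured repository cannot redirect metadata signing to an arbitrary key.

```python
"""Toy model of per-repository metadata signing key selection.

Added illustration, not pulp_rpm or pulpcore code. Class and function names
are assumptions modelled on the fields discussed in the issue
(metadata_signing_service, package_signing_fingerprint, and the proposed
metadata_signing_fingerprint). How a real signing service learns which key
to use is also assumed: here a PULP_SIGNING_KEY_FINGERPRINT environment
variable is passed to the signing script.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# A v4 OpenPGP fingerprint is 40 hex digits. A 16-digit "long" or 8-digit
# "short" key ID is rejected: key IDs are not unique within a keyring and
# short IDs are trivially collidable, so they must never select a signing key.
_FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(value: str) -> str:
    """Canonicalise a fingerprint: drop spaces, uppercase, require 40 hex digits."""
    cleaned = value.replace(" ", "").upper()
    if not _FINGERPRINT_RE.fullmatch(cleaned):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {value!r}")
    return cleaned


@dataclass
class SigningService:
    """One signing service. pubkey_fingerprint is the key it signs with today;
    available_fingerprints models the keys its keyring holds (an assumption)."""
    name: str
    pubkey_fingerprint: str
    available_fingerprints: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.pubkey_fingerprint = normalize_fingerprint(self.pubkey_fingerprint)
        self.available_fingerprints = {normalize_fingerprint(f) for f in self.available_fingerprints}
        self.available_fingerprints.add(self.pubkey_fingerprint)


@dataclass
class Repository:
    """Repository with the proposed per-repo field; None means 'use the service key'."""
    name: str
    metadata_signing_service: Optional[SigningService] = None
    metadata_signing_fingerprint: Optional[str] = None


def resolve_metadata_fingerprint(repo: Repository) -> str:
    """Pick the key that signs this repository's metadata.

    Backwards-compatible default: no per-repo fingerprint -> the service's own key.
    Otherwise the per-repo fingerprint is used, but only if the service can
    actually sign with it; a repository must not be able to name an arbitrary key.
    """
    service = repo.metadata_signing_service
    if service is None:
        raise ValueError(f"repository {repo.name!r} has no metadata signing service")
    if repo.metadata_signing_fingerprint is None:
        return service.pubkey_fingerprint
    wanted = normalize_fingerprint(repo.metadata_signing_fingerprint)
    if wanted not in service.available_fingerprints:
        raise LookupError(f"signing service {service.name!r} does not hold key {wanted}")
    return wanted


def signing_env(repo: Repository) -> Dict[str, str]:
    """Environment handed to the signing script (the variable name is an assumption)."""
    return {"PULP_SIGNING_KEY_FINGERPRINT": resolve_metadata_fingerprint(repo)}


# Constructed fingerprints for the demo; they do not belong to any real key.
KEY_DEFAULT = "0123456789ABCDEF0123456789ABCDEF01234567"
KEY_TEAM_B = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
KEY_UNKNOWN = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

SERVICE = SigningService("corp-gpg", KEY_DEFAULT, {KEY_TEAM_B})
REPO_LEGACY = Repository("legacy", SERVICE)  # field left null: old behaviour
REPO_TEAM_B = Repository("team-b", SERVICE, "fedc ba98 7654 3210 fedc ba98 7654 3210 fedc ba98")


def demo() -> Dict[str, str]:
    """Return the resolved signing key per repository."""
    return {r.name: resolve_metadata_fingerprint(r) for r in (REPO_LEGACY, REPO_TEAM_B)}


if __name__ == "__main__":
    for name, fpr in demo().items():
        print(f"{name}: {fpr}")
    print(signing_env(REPO_TEAM_B))
```

The keyring membership check is the piece worth carrying into a real implementation: once the key is chosen per repository rather than per service, whoever can edit a repository can pick the key, so the service (or the signing script it runs) should enforce which fingerprints are permitted rather than trusting the value it is handed.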

If we can add metadata_signing_fingerprint, then https://github.com/pulp/pulpcore/issues/6733 is no longer necessary (at least for us).

daviddavis, Jul 15 '25 11:07

I brought this up at open floor. Here are my notes:

  • No obvious concerns with this
  • Will try to add this to pulp_deb as part of the work to add package signing
  • Maybe put the field on the Repository model in pulpcore?

daviddavis, Jul 15 '25 14:07

A few points:

  • Probably makes sense to keep it in the plugins for now, since metadata signing doesn't apply to all content types - so not pulpcore
  • If we do that, it would be best to keep the name somewhat more specific (e.g. "rpm_metadata_signing_fingerprint") so that if it were later moved, it's not going to cause migration issues
  • ~~We would need some way to attach a second signing service to deal with the metadata, since the script used to sign the packages isn't going to work for the metadata~~
    • Turns out we already have this! Note: it's missing from the RpmRepository model docstring

dralley, Jul 24 '25 15:07