Add support for Rpm Package signing #3425
Conversation
github-actions
bot
added
the
multi-commit
|
#closes is wrong ;) |
|
Ops |
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
5 times, most recently
from
5807490 to
d3f921c
Compare
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
4 times, most recently
from
9cdd600 to
9299ed4
Compare
| } | ||
| upload_task_href = rpm_package_api.create(**upload_attrs).task | ||
| package_href = monitor_task(upload_task_href).created_resources[2] | ||
| package_loc_href = rpm_package_api.read(package_href).location_href |
There was a problem hiding this comment.
@dralley I'm using rpm_package_api.create direcly here, and it seems to be "leaking" throughout runs (I can see the number of artifacts increasing at each run).
I'm not sure what is the recommended way to keep runs as isolated as possible. Is it using gen_object_with_cleanup? I've tried that but then I receive an empty package.
I could use feedback about the general use of fixtures here as well.
There was a problem hiding this comment.
gen_object_with_cleanup is generally used with deletable resources like remotes, repositories, etc. Content isn't considered deletable, it goes through the orphan cleanup process which is indirect. Generally a test that needs completely fresh state (that is, deleting any previous content / artifacts and then re-creating them) will call orphan cleanup first and otherwise we'll just let it be.
It's perfectly OK to let the content / artifacts accumulate unless you need the test to create a new content / artifact during the test run which cannot pre-exist. Running orphan cleanup all the time unnecessarily would slow down the tests quite a bit.
There was a problem hiding this comment.
Running orphan cleanup all the time unnecessarily would slow down the tests quite a bit.
Yeah, true. Thanks for the clarification
|
Just a question. Why do you need a new rpm package signing service ? Why core signing service can't do the job ? |
Our signing service models relies on the implementation of a validation method, which assures a registered signing script can really perform a specific type of signing on a file. Currently, the only pulpcore signing service implementation is for detached signatures, so we need another that knows how to validate an rpm package signature, which is "attached" and requires using the |
|
@pedro-psb ok, got it. It's like |
|
Yes, in the |
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
6 times, most recently
from
ef49b8b to
d833e55
Compare
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
from
fe2849f to
220629e
Compare
pulp_rpm/app/tasks/signing.py
Outdated
| package_signing_service = RpmPackageSigningService.objects.get(pk=signing_service_pk) | ||
| uploaded_package = PulpTemporaryFile.objects.get(pk=temporary_file_pk) | ||
| with NamedTemporaryFile(mode="wb", dir=".", delete=False) as final_package: | ||
| print("*" * 100) |
| item | ||
| for item in (serializer.validated_data.get(key) for key in ("upload", "repository")) | ||
| if item | ||
| ] |
There was a problem hiding this comment.
[serializer.validated_data.get("upload"), serializer.validated_data.get("repository")] might be simpler
| sign_package=True, | ||
| ) | ||
| package_a_href = monitor_task(upload_response.task) | ||
| # import epdb;epdb.serve(port=12345) |
pulp_rpm/tests/unit/test_rpm_tool.py
Outdated
| return file | ||
|
|
||
|
|
||
| def test_get_empty_rpm_is_valid(tmp_path, monkeypatch): |
There was a problem hiding this comment.
Probably not necessary - either the empty rpm is there or it's not
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
from
220629e to
0956ff6
Compare
|
We should document the limitations and give the feature a tech preview label |
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
from
0956ff6 to
9de4d87
Compare
github-actions
bot
removed
the
multi-commit
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
3 times, most recently
from
a1b4c25 to
af6855c
Compare
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
from
af6855c to
0b3505e
Compare
CHANGES/2986.feature
Outdated
| @@ -0,0 +1 @@ | |||
| Added supported for signing RPM Packages on upload. | |||
There was a problem hiding this comment.
Consider adding a sentence that this is in tech preview
| @@ -0,0 +1,72 @@ | |||
| import tempfile | |||
There was a problem hiding this comment.
hmm, maybe having this in modes/repository.py or models/signing_service.py will be better?
There was a problem hiding this comment.
I've followed pulpcore, which defines the base SigningService under content. But I agree, models/signing_service.py feels better (and its what pulp_deb does also).
|
|
||
| 1. Create a signing script capable of signing an RPM Package. | ||
| - The script receives a file path as its first argument. | ||
| - The script should return a json-formatted. No signature is required, since its embedded. |
| 1. Register it with `pulpcore-manager add-signing-service`. | ||
| - The `--class` should be `rpm:RpmPackageSigningService`. | ||
| - The key provided here serves only for validating the script. | ||
| The signing fingerprint are provided dynamically, as [on upload signing](site:pulp_rpm/docs/user/guides/06-sign-packages/#on-upload). |
| ### Example | ||
|
|
||
| ```bash | ||
| # Create a Repository w/ required porams |
| pulp rpm content upload \ | ||
| --repository ${REPOSITORY} \ | ||
| --file ${FILE} \ | ||
| --sign-package True |
There was a problem hiding this comment.
Do I read this correctly that one need to specify on upload per package whether to sign it or not? Meaning that in repo there could be mixture of signed/unsigned content?
Have we considered to automatically sign on upload if the package signing service was defined on the repo?In the similar fashion as we do with metadata signing service?
There was a problem hiding this comment.
Yes, you understand correctly.
I remember we have discussed the possibility of doing something similar to this, I'm not sure why I didn't commit to this design.
I'll do like that, really looks more consistent with the usecase we want to support.
github-actions
bot
added
the
multi-commit
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
2 times, most recently
from
2492b1c to
243c56f
Compare
|
@ipanova The last commit modifies the way signing is triggered. Now if there is an associated repository and it contains the package_signing_service field, the upload process will try to sign the uploaded package. I will rebase that commit after approval. |
|
This change looks good to me, thanks for adding it! |
What this does: - Create RpmPackageSigningService - Create RpmTool utility - Add fields to Repository model - Add branch on Package upload to sign the package with the associated SigningService and fingerprint. - Add docs - Use presence of SigningService at Repo as signing trigger Closes pulp#2986
pedro-psb
force-pushed
the
add-rpm-sign-support
branch
from
243c56f to
0aa467b
Compare
github-actions
bot
removed
the
multi-commit
|
Rebased |
|
@pedro-psb You may merge :) I'm not sure if it will let you until we get the CI issues fixed though. That's being worked on |
This is a draft for implementing Rpm Package support in pulp_rpm.
My plan is (not necessarily in this order):
rpm --addsign)rpm --addsign)other:
/var/lib/rpm.Currently, my workaround is to change the permission of this folder, but I believe that's not an ideal approach.
closes #2986