Story #1156

As a user, I can have an "signature" attribute stored for RPMs, SRPMs, and DRPMs

Added by jluza over 6 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Sprint/Milestone: -
Start date:
Due date:
% Done: 100%
Estimated time:
Platform Release: 2.10.0
Groomed: Yes
Sprint Candidate: Yes
Tags: Pulp 2
Sprint: Sprint 4
Quarter:

Description

Pulp currently doesn't support the signature attribute for rpm, srpm, or drpm packages. When an RPM, SRPM, or DRPM is either uploaded or imported via sync, the signature should be extracted from the file and stored.

Where to store the attribute?

The NonMetadataPackage model is the ancestor of RPM, SRPM, and DRPM so the attribute should be stored there.

Suggested change is here: https://github.com/release-engineering/pulp_rpm/commit/f31f90d864fb884710d3da07a1b9644e98f04a53

This will allow a further package verification process based on the signature, which is story #1991: https://pulp.plan.io/issues/1991
We don't need all of the signature header information, just the signing key, so a more appropriate name for the attribute would be 'signing_key'.


Related issues

Blocks RPM Support - Story #1991: As a user, uploaded units which don't pass the signature check are not imported (CLOSED - CURRENTRELEASE)


Associated revisions

Revision 71041669
Added by ipanova@redhat.com over 5 years ago

"signature" is stored for RPMs, SRPMs, and DRPMs.

closes #1156 https://pulp.plan.io/issues/1156

During upload or sync of a package, the signature is extracted from the package header and is stored as an attribute for rpms/srpms/drpms.
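
The extraction the commit message describes, as an added example that is not Pulp's code and not part of the original issue: it reads the RPM signature header directly and returns the issuer key ID from the OpenPGP signature packet stored there. That the stored `signing_key` is the last 8 hex digits of that key ID is an assumption based on the value shown in the search result on this page; the function names are hypothetical.

```python
import struct

SIG_TAGS = (267, 268, 1005, 1002)  # DSA/RSA header sigs, legacy GPG/PGP sigs

def signature_packets(rpm):
    """OpenPGP packets from the RPM signature header (follows the 96-byte lead)."""
    if rpm[:4] != b"\xed\xab\xee\xdb" or rpm[96:100] != b"\x8e\xad\xe8\x01":
        raise ValueError("bad RPM lead or signature header magic")
    nindex, hsize = struct.unpack(">II", rpm[104:112])
    base, found = 112 + 16 * nindex, {}     # data store follows the index
    for i in range(nindex):
        tag, typ, off, cnt = struct.unpack(">4I", rpm[112 + 16 * i:128 + 16 * i])
        if typ == 7 and off + cnt <= hsize:  # RPM_BIN_TYPE, inside the store
            found[tag] = rpm[base + off:base + off + cnt]
    return [found[t] for t in SIG_TAGS if t in found]

def issuer_key_id(pkt):
    """16-hex-digit issuer key ID of a v3 or v4 signature packet, else None."""
    first = pkt[0]
    if first & 0xC0 == 0xC0:                # new format (partial lengths not handled)
        tag, skip = first & 0x3F, 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:                                   # old-format packet header
        tag, skip = (first >> 2) & 0x0F, 1 + (1, 2, 4, 0)[first & 3]
    body = pkt[skip:]
    if not first & 0x80 or tag != 2 or body[0] not in (3, 4):
        return None
    if body[0] == 3:                        # v3: key ID at a fixed offset
        return body[7:15].hex()
    pos = 4                                 # v4: scan both subpacket areas
    for _ in range(2):
        (alen,) = struct.unpack(">H", body[pos:pos + 2])
        area, pos, i = body[pos + 2:pos + 2 + alen], pos + 2 + alen, 0
        while i < len(area):
            n, i = area[i], i + 1
            if 192 <= n < 255:              # two-octet subpacket length
                n, i = ((n - 192) << 8) + area[i] + 192, i + 1
            elif n == 255:                  # five-octet subpacket length
                (n,), i = struct.unpack(">I", area[i:i + 4]), i + 4
            if n and area[i] & 0x7F == 16:  # issuer subpacket: 8-byte key ID
                return area[i + 1:i + 9].hex()
            i += max(n, 1)
    return None

def signing_key(rpm):
    """Short key ID (last 8 hex digits, assumed signing_key form), else None."""
    try:
        ids = [issuer_key_id(p) for p in signature_packets(rpm)]
    except (struct.error, IndexError):      # truncated or malformed input
        return None
    return next((k[-8:] for k in ids if k and len(k) == 16), None)
```

Call it as `signing_key(open(path, "rb").read())`. The key ID is only read from the packet, not cryptographically checked, and 32-bit short IDs can collide, so treat the result as the claimed signer, not as proof of a valid signature.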

History

#1 Updated by ipanova@redhat.com over 6 years ago

  • Project changed from Pulp to RPM Support

#2 Updated by mhrivnak over 6 years ago

  • Tracker changed from Issue to Story
  • Subject changed from rpm should have "signature" attribute in metadata to As a user, i can see an rpm's "signature" attribute in metadata
  • Groomed set to No
  • Sprint Candidate set to Yes

#3 Updated by mhrivnak almost 6 years ago

  • Priority changed from Normal to High

#4 Updated by bmbouter almost 6 years ago

  • Parent task set to #1683

#5 Updated by dkliban@redhat.com over 5 years ago

This should be broken up in two stories.

1) Pulling out the signature from RPM on upload and storing the signature as a searchable field.

2) Verifying the signature during a publish and only including correctly signed RPMs

#6 Updated by mhrivnak over 5 years ago

  • Sprint Candidate changed from Yes to No

#7 Updated by bmbouter over 5 years ago

  • Sprint Candidate changed from No to Yes

#8 Updated by bmbouter over 5 years ago

  • Related to Story #1991: As a user, uploaded units which don't pass the signature check are not imported added

#9 Updated by bmbouter over 5 years ago

  • Description updated (diff)

Moved the "upload" case to #1991

#10 Updated by bmbouter over 5 years ago

  • Subject changed from As a user, i can see an rpm's "signature" attribute in metadata to As a user, I can have an rpm's "signature" attribute stored on the model
  • Description updated (diff)

#11 Updated by bmbouter over 5 years ago

What about other types like SRPM or DRPMs? This should be modeled on the right class which probably isn't RPM itself. This needs to be answered before continuing.

#12 Updated by mhrivnak over 5 years ago

Probably "Yes" for all three. RPM and SRPM are practically the same thing, so we'll likely just put an attribute on RpmBase and put both models through the same code path to get the signature. DRPM might be a little different, but maybe not.

#13 Updated by bmbouter over 5 years ago

  • Subject changed from As a user, I can have an rpm's "signature" attribute stored on the model to As a user, I can have an "signature" attribute stored for RPMs and SRPMs
  • Description updated (diff)

Updating to indicate we are doing this for RPM and SRPM.

#14 Updated by bmbouter over 5 years ago

Also DRPM inherits through a different path so I had planned on not incorporating them in this way. What do you think?

#15 Updated by mhrivnak over 5 years ago

Our RCM folks don't use DRPMs, so that's one factor. I suspect that it will be such little extra work to handle DRPMs while already doing SRPM and RPM, that it'll make sense to just get it all done at once. I found that to be the case with the checksum work recently. It could still be split out into a separate story if you prefer, but I'd lean toward adding a note to this issue to do DRPM as long as it's a no-brainer, and otherwise create a new story for it.

I do think that feature-wise, DRPMs should have the same gpg features as RPMs. Even if nobody is asking for it right now, the overall gpg story in pulp_rpm would be incomplete without it. So if we do defer that work, we should at least track it and try to prioritize it in the future.

#16 Updated by bmbouter over 5 years ago

  • Subject changed from As a user, I can have an "signature" attribute stored for RPMs and SRPMs to As a user, I can have an "signature" attribute stored for RPMs, SRPMs, and DRPMs
  • Description updated (diff)

Let's include DRPMs, I've updated the story to match.

#17 Updated by mhrivnak over 5 years ago

  • Groomed changed from No to Yes

Sounds good. I suggest storing the signature on NonMetadataPackage. Eventually, when we model individual files in the platform, it will likely make sense to move the signature there. While accessing a signature is highly dependent on the kind of content, using it should be generic. It's actually a lot like a checksum. Figuring out where to get it is type-specific, but storing and using it works the same.

#18 Updated by Anonymous over 5 years ago

  • Sprint/Milestone set to 22

#19 Updated by bmbouter over 5 years ago

  • Related to deleted (Story #1991: As a user, uploaded units which don't pass the signature check are not imported)

#20 Updated by bmbouter over 5 years ago

  • Blocks Story #1991: As a user, uploaded units which don't pass the signature check are not imported added

#21 Updated by bmbouter over 5 years ago

  • Description updated (diff)

Updating to recommend the NonMetadataPackage as the place to store this attribute.

#22 Updated by ipanova@redhat.com over 5 years ago

  • Assignee set to ipanova@redhat.com

#23 Updated by bmbouter over 5 years ago

  • Status changed from NEW to ASSIGNED

#24 Updated by ipanova@redhat.com over 5 years ago

  • Status changed from ASSIGNED to POST

#25 Updated by ipanova@redhat.com over 5 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#26 Updated by ipanova@redhat.com over 5 years ago

  • Platform Release set to 2.10.0

#27 Updated by semyers over 5 years ago

  • Status changed from MODIFIED to 5

#29 Updated by Ichimonji10 over 5 years ago

  • Status changed from 5 to ASSIGNED

This feature seems to be implemented, except that Pulp names the attribute "signing_key," not "signature."

#30 Updated by Ichimonji10 over 5 years ago

To clarify, here's an example of a single result returned by a call to POST /{repository_href}/search/units/. Notice the obj['metadata']['signing_key'] attribute.

{'_id': {'$oid': '57acac7c189c7a1b5fa56e3c'},
 'created': '2016-08-11T16:49:00Z',
 'metadata': {'_content_type_id': 'srpm',
              '_id': 'b266b670-644c-4b43-b866-5843243e010a',
              '_last_updated': 1470934140,
              '_ns': 'units_srpm',
              '_storage_path': '/var/lib/pulp/content/units/srpm/01/d3b1d5e32fae6b044e0c07529c763bea083f387c245da1b106e96599197319/78459f5c-cb18-40e1-a912-ef8cdd6b67ea',
              'arch': 'src',
              'build_time': 1331302125,
              'buildhost': 'localhost',
              'changelog': [],
              'checksum': 'f9d40aa83892c5da05e5b94d8428ff744c27bfad363f31c18454ca797e8306cc',
              'checksums': {'md5': 'e5213cb8f1c75a638763f209324e72de',
                            'sha1': '6412b4b2113eb40c964dc3325d8e23bce853f8e7',
                            'sha256': 'f9d40aa83892c5da05e5b94d8428ff744c27bfad363f31c18454ca797e8306cc'},
              'checksumtype': 'sha256',
              'description': '\nThis is a test rpm',
              'downloaded': True,
              'epoch': '0',
              'filename': 'test-srpm02-1.0-1.src.rpm',
              'files': {},
              'header_range': {},
              'license': 'GPLv2',
              'name': 'test-srpm02',
              'provides': [],
              'pulp_user_metadata': {},
              'relativepath': 'test-srpm02-1.0-1.src.rpm',
              'release': '1',
              'release_sort_index': '01-1',
              'repodata': {'filelists': '',
                           'other': '',
                           'primary': ''},
              'requires': [],
              'signing_key': '269d9d98',
              'time': 1470934139,
              'version': '1.0',
              'version_sort_index': '01-1.01-0'},
 'repo_id': '8546305a-45d4-4b9d-beef-d4fd6b70d639',
 'unit_id': 'b266b670-644c-4b43-b866-5843243e010a',
 'unit_type_id': 'srpm',
 'updated': '2016-08-11T16:49:00Z'}

#31 Updated by ipanova@redhat.com over 5 years ago

Ichimonji10 wrote:

This feature seems to be implemented, except that Pulp names the attribute "signing_key," not "signature."

We renamed that to signing_key because we thought that this name would be more appropriate.

#32 Updated by Ichimonji10 over 5 years ago

I want to make sure there's an explicit acknowledgement from the dev side that the solution as implemented is different from what's asked for in the requirements, above. If y'all are OK with it, then I'm OK with it.

#33 Updated by ipanova@redhat.com over 5 years ago

  • Description updated (diff)

#34 Updated by Ichimonji10 over 5 years ago

  • Status changed from ASSIGNED to 5

#35 Updated by Ichimonji10 about 5 years ago

  • Status changed from 5 to 6

Verified against a Pulp 2.10.0 system provisioned this morning.

(pulp-smash2) [ichimonji10@beech:pulp-smash]$ python -m unittest2 pulp_smash.tests.rpm.api_v2.test_signatures_saved_for_packages
.......s..
----------------------------------------------------------------------
Ran 10 tests in 165.197s

OK (skipped=1)
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ git grep 1156
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py:* `Pulp #1156 <https://pulp.plan.io/issues/1156>`_
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py:        if selectors.bug_is_untestable(1156, cls.cfg.version):
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py:            raise unittest2.SkipTest('https://pulp.plan.io/issues/1156')
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ ssh $hostname rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.0-0.4.beta.fc24.noarch
pulp-docker-admin-extensions-2.1.0-0.2.beta.fc24.noarch
pulp-docker-plugins-2.1.0-0.2.beta.fc24.noarch
pulp-ostree-admin-extensions-1.1.3-1.fc24.noarch
pulp-ostree-plugins-1.1.3-1.fc24.noarch
pulp-puppet-admin-extensions-2.10.0-0.1.beta.fc24.noarch
pulp-puppet-plugins-2.10.0-0.1.beta.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.0-0.4.beta.fc24.noarch
pulp-rpm-plugins-2.10.0-0.4.beta.fc24.noarch
pulp-selinux-2.10.0-0.4.beta.fc24.noarch
pulp-server-2.10.0-0.4.beta.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.0-0.4.beta.fc24.noarch
python-pulp-client-lib-2.10.0-0.4.beta.fc24.noarch
python-pulp-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-docker-common-2.1.0-0.2.beta.fc24.noarch
python-pulp-oid_validation-2.10.0-0.4.beta.fc24.noarch
python-pulp-ostree-common-1.1.3-1.fc24.noarch
python-pulp-puppet-common-2.10.0-0.1.beta.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.10.0-0.4.beta.fc24.noarch
python-pulp-rpm-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-streamer-2.10.0-0.4.beta.fc24.noarch

#36 Updated by semyers about 5 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#38 Updated by bmbouter over 3 years ago

  • Sprint set to Sprint 4

#39 Updated by bmbouter over 3 years ago

  • Sprint/Milestone deleted (22)

#40 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
