Story #1156
closedAs a user, I can have an "signature" attribute stored for RPMs, SRPMs, and DRPMs
100%
Description
Pulp currently doesn't support the signature attribute for rpm, srpm, or drpm packages. When an RPM, SRPM, or DRPM is either uploaded or imported via sync, the signature should be extracted from the file and stored.
Where to store the attribute?
The NonMetadataPackage model is the ancestor of RPM, SRPM, and DRPM so the attribute should be stored there.
Suggested change is here: https://github.com/release-engineering/pulp_rpm/commit/f31f90d864fb884710d3da07a1b9644e98f04a53
This will allow further package verification process based on the signature which is story #1991. https://pulp.plan.io/issues/1991
We don't need all signature information header, but just the signing key, so more appropriate name for the attribute would be 'signing_key'
Related issues
Updated by ipanova@redhat.com over 9 years ago
- Project changed from Pulp to RPM Support
Updated by mhrivnak over 9 years ago
- Tracker changed from Issue to Story
- Subject changed from rpm should have "signature" attribute in metadata to As a user, i can see an rpm's "signature" attribute in metadata
- Groomed set to No
- Sprint Candidate set to Yes
Updated by dkliban@redhat.com over 8 years ago
This should be broken up in two stories.
1) Pulling out the signature from RPM on upload and storing the signature as a searchable field.
2) Verifying the signature during a publish and only including correctly signed RPMs
Updated by bmbouter over 8 years ago
- Related to Story #1991: As a user, uploaded units which don't pass the signature check are not imported added
Updated by bmbouter over 8 years ago
- Subject changed from As a user, i can see an rpm's "signature" attribute in metadata to As a user, I can have an rpm's "signature" attribute stored on the model
- Description updated (diff)
Updated by bmbouter over 8 years ago
What about other types like SRPM or DRPMs? This should be modeled on the right class which probably isn't RPM itself. This needs to be answered before continuing.
Updated by mhrivnak over 8 years ago
Probably "Yes" for all three. RPM and SRPM are practically the same thing, so we'll likely just put an attribute on RpmBase and put both models through the same code path to get the signature. DRPM might be a little different, but maybe not.
Updated by bmbouter over 8 years ago
- Subject changed from As a user, I can have an rpm's "signature" attribute stored on the model to As a user, I can have an "signature" attribute stored for RPMs and SRPMs
- Description updated (diff)
Updating to indicate we are doing this for RPM and SRPM.
Updated by bmbouter over 8 years ago
Also DRPM intherits through a different path so I had planned on not incorporating them in this way. What do you think?
Updated by mhrivnak over 8 years ago
Our RCM folks don't use DRPMs, so that's one factor. I suspect that it will be such little extra work to handle DRPMs while already doing SRPM and RPM, that it'll make sense to just get it all done at once. I found that to be the case with the checksum work recently. It could still be split out into a separate story if you prefer, but I'd lean toward adding a note to this issue to do DRPM as long as it's a no-brainer, and otherwise create a new story for it.
I do think that feature-wise, DRPMs should have the same gpg features as RPMs. Even if nobody is asking for it right now, the overall gpg story in pulp_rpm would be incomplete without it. So if we do defer that work, we should at least track it and try to prioritize it in the future.
Updated by bmbouter over 8 years ago
- Subject changed from As a user, I can have an "signature" attribute stored for RPMs and SRPMs to As a user, I can have an "signature" attribute stored for RPMs, SRPMs, and DRPMs
- Description updated (diff)
Let's include DRPMs, I've updated the story to match.
Updated by mhrivnak over 8 years ago
- Groomed changed from No to Yes
Sounds good. I suggest storing the signature on NonMetadataPackage. Eventually, when we model individual files in the platform, it will likely make sense to move the signature there. While accessing a signature is highly dependent on the kind of content, using it should be generic. It's actually a lot like a checksum. Figuring out where to get it is type-specific, but storing and using it works the same.
Updated by bmbouter over 8 years ago
- Related to deleted (Story #1991: As a user, uploaded units which don't pass the signature check are not imported)
Updated by bmbouter over 8 years ago
- Blocks Story #1991: As a user, uploaded units which don't pass the signature check are not imported added
Updated by bmbouter over 8 years ago
- Description updated (diff)
Updating to recommend the NonMetadataPackage as the place to store this attribute.
Updated by ipanova@redhat.com over 8 years ago
- Assignee set to ipanova@redhat.com
Updated by ipanova@redhat.com over 8 years ago
- Status changed from ASSIGNED to POST
Added by ipanova@redhat.com over 8 years ago
Updated by ipanova@redhat.com over 8 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 710416694a75585670548c9613ba0420d00acc1a.
Updated by Ichimonji10 over 8 years ago
- Status changed from 5 to ASSIGNED
This feature seems to be implemented, except that Pulp names the attribute "signing_key," not "signature."
Updated by Ichimonji10 over 8 years ago
To clarify, here's an example of a single result returned by a call to POST /{repository_href}/search/units/
. Notice the obj['metadata']['signing_key']
attribute.
{'_id': {'$oid': '57acac7c189c7a1b5fa56e3c'},
'created': '2016-08-11T16:49:00Z',
'metadata': {'_content_type_id': 'srpm',
'_id': 'b266b670-644c-4b43-b866-5843243e010a',
'_last_updated': 1470934140,
'_ns': 'units_srpm',
'_storage_path': '/var/lib/pulp/content/units/srpm/01/d3b1d5e32fae6b044e0c07529c763bea083f387c245da1b106e96599197319/78459f5c-cb18-40e1-a912-ef8cdd6b67ea',
'arch': 'src',
'build_time': 1331302125,
'buildhost': 'localhost',
'changelog': [],
'checksum': 'f9d40aa83892c5da05e5b94d8428ff744c27bfad363f31c18454ca797e8306cc',
'checksums': {'md5': 'e5213cb8f1c75a638763f209324e72de',
'sha1': '6412b4b2113eb40c964dc3325d8e23bce853f8e7',
'sha256': 'f9d40aa83892c5da05e5b94d8428ff744c27bfad363f31c18454ca797e8306cc'},
'checksumtype': 'sha256',
'description': '\nThis is a test rpm',
'downloaded': True,
'epoch': '0',
'filename': 'test-srpm02-1.0-1.src.rpm',
'files': {},
'header_range': {},
'license': 'GPLv2',
'name': 'test-srpm02',
'provides': [],
'pulp_user_metadata': {},
'relativepath': 'test-srpm02-1.0-1.src.rpm',
'release': '1',
'release_sort_index': '01-1',
'repodata': {'filelists': '…',
'other': '…',
'primary': '…'},
'requires': [],
'signing_key': '269d9d98',
'time': 1470934139,
'version': '1.0',
'version_sort_index': '01-1.01-0'},
'repo_id': '8546305a-45d4-4b9d-beef-d4fd6b70d639',
'unit_id': 'b266b670-644c-4b43-b866-5843243e010a',
'unit_type_id': 'srpm',
'updated': '2016-08-11T16:49:00Z'}
Updated by ipanova@redhat.com over 8 years ago
Ichimonji10 wrote:
This feature seems to be implemented, except that Pulp names the attribute "signing_key," not "signature."
We renamed that to signing_key because we thought that this name would be more appropriate
Updated by Ichimonji10 over 8 years ago
I want to make sure there's an explicit acknowledgement from the dev side that the solution as implemented is different from what's asked for in the requirements, above. If y'all are OK with it, then I'm OK with it.
Updated by Ichimonji10 over 8 years ago
- Status changed from 5 to 6
Verified against a Pulp 2.10.0 system provisioned this morning.
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ python -m unittest2 pulp_smash.tests.rpm.api_v2.test_signatures_saved_for_packages
.......s..
----------------------------------------------------------------------
Ran 10 tests in 165.197s
OK (skipped=1)
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ git grep 1156
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py:* `Pulp #1156 <https://pulp.plan.io/issues/1156>`_
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py: if selectors.bug_is_untestable(1156, cls.cfg.version):
pulp_smash/tests/rpm/api_v2/test_signatures_saved_for_packages.py: raise unittest2.SkipTest('https://pulp.plan.io/issues/1156')
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ ssh $hostname rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.0-0.4.beta.fc24.noarch
pulp-docker-admin-extensions-2.1.0-0.2.beta.fc24.noarch
pulp-docker-plugins-2.1.0-0.2.beta.fc24.noarch
pulp-ostree-admin-extensions-1.1.3-1.fc24.noarch
pulp-ostree-plugins-1.1.3-1.fc24.noarch
pulp-puppet-admin-extensions-2.10.0-0.1.beta.fc24.noarch
pulp-puppet-plugins-2.10.0-0.1.beta.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.0-0.4.beta.fc24.noarch
pulp-rpm-plugins-2.10.0-0.4.beta.fc24.noarch
pulp-selinux-2.10.0-0.4.beta.fc24.noarch
pulp-server-2.10.0-0.4.beta.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.0-0.4.beta.fc24.noarch
python-pulp-client-lib-2.10.0-0.4.beta.fc24.noarch
python-pulp-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-docker-common-2.1.0-0.2.beta.fc24.noarch
python-pulp-oid_validation-2.10.0-0.4.beta.fc24.noarch
python-pulp-ostree-common-1.1.3-1.fc24.noarch
python-pulp-puppet-common-2.10.0-0.1.beta.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.10.0-0.4.beta.fc24.noarch
python-pulp-rpm-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-streamer-2.10.0-0.4.beta.fc24.noarch
Updated by semyers over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
"signature" is stored for RPMs, SRPMs, and DRPMs.
closes #1156 https://pulp.plan.io/issues/1156
During upload or sync of a package, the signature is extracted from the package header and is stored as an attribute for rpms/srpms/drms.