Issue #2188
closedMake GPG signature checking is called "filtering"
Description
2.10 introduces a new feature which has been referred to as "GPG Signature Verification". The actual behavior of this feature is more along the lines of "GPG Signing Key ID Filtering"; actual gpg signatures are never verified. It needs to be made very clear in our documentation that the feature as it exists does not improve security of packages in pulp.
The changes related to this issue will most likely be grafted into the 2.10.0 release candidate, so they must consist of documentation changes only.
Related issues
Updated by mhrivnak over 8 years ago
- Related to Story #1991: As a user, uploaded units which don't pass the signature check are not imported added
Updated by semyers over 8 years ago
- Status changed from ASSIGNED to POST
After digging into this a little deeper, I concluded that this change couldn't easily be done as a docs-only fix.
The PR is up for review: https://github.com/pulp/pulp_rpm/pull/961
Added by semyers over 8 years ago
Updated by semyers over 8 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset 409687edaa792427c7876c815d517b66f05fe25d.
Updated by semyers over 8 years ago
- Subject changed from Fix references to GPG Signature Verification in 2.10 to Make GPG signature checking is called "filtering"
Updated by semyers over 8 years ago
- Status changed from 6 to MODIFIED
Applied in changeset a2aa335892d10b2fab20650d70b89ef0e15186eb.
Updated by semyers over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
Reclassify signature verification as signature and key ID filtering
The features introduced in #1991 (https://pulp.plan.io/issues/1991) only act as filters based on whether or not a package is signed, and the short key ID of the key used to generate that signature. This changes any reference to "verification" introduced with those changes to "GPG Key ID filtering", and in general attempted to clarify that this is not a security feature, while still leaving it possible to (hopefully) do GPG package signature verification in a future version.
fixes #2188 https://pulp.plan.io/issues/2188