Issue #2188
Make sure GPG signature checking is called "filtering"
Status:
closed
Severity:
2. Medium
Platform Release:
2.10.0
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Sprint 7
Description
2.10 introduces a new feature which has been referred to as "GPG Signature Verification". The actual behavior of this feature is more along the lines of "GPG Signing Key ID Filtering": packages are only filtered on whether they are signed and on the short key ID recorded in the package, and the GPG signatures themselves are never verified. It needs to be made very clear in our documentation that the feature as it exists does not improve the security of packages in Pulp.
The changes related to this issue will most likely be grafted into the 2.10.0 release candidate, so they must consist of documentation changes only.
Related issues
Reclassify signature verification as signature and key ID filtering
The features introduced in #1991 (https://pulp.plan.io/issues/1991) only act as filters based on whether or not a package is signed, and the short key ID of the key used to generate that signature. This changes any reference to "verification" introduced with those changes to "GPG Key ID filtering", and in general attempts to clarify that this is not a security feature, while still leaving it possible to (hopefully) do GPG package signature verification in a future version.
fixes #2188 https://pulp.plan.io/issues/2188
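The distinction the description and the commit message draw (a key ID filter versus real signature verification) is easiest to see side by side. The following is an added illustrative model, not Pulp's code: a package record carries a claimed short key ID and a detached signature; the filter looks only at the claimed key ID, while the verifier actually checks the signature against the trusted key material. A keyed HMAC stands in for a GPG signature so the example runs with the standard library alone; the key ID, key bytes and payloads are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """Minimal stand-in for an RPM header: payload, claimed key ID, signature."""
    name: str
    payload: bytes
    signing_key_id: str   # short key ID the package header claims was used
    signature: bytes      # detached signature over the payload (HMAC stand-in)


def sign(payload: bytes, key: bytes) -> bytes:
    """Produce the stand-in signature (HMAC-SHA256) over the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def key_id_filter(pkg: Package, allowed_key_ids: set[str]) -> bool:
    """The behaviour the issue describes as 'filtering': accept iff the package
    is signed at all and the *claimed* key ID is in the allowed set. Nothing
    cryptographic is checked, so the claimed ID is taken at face value."""
    return bool(pkg.signature) and pkg.signing_key_id in allowed_key_ids


def verify_signature(pkg: Package, trusted_keys: dict[str, bytes]) -> bool:
    """Actual verification: recompute the signature with the trusted key that
    the claimed ID maps to and compare in constant time."""
    key = trusted_keys.get(pkg.signing_key_id)
    if key is None or not pkg.signature:
        return False
    expected = sign(pkg.payload, key)
    return hmac.compare_digest(expected, pkg.signature)


# Constructed sample key material (placeholder ID, not a real GPG key).
TRUSTED_KEY_ID = "0000ABCD"
TRUSTED_KEY = b"constructed-demo-signing-key"
TRUSTED_KEYS = {TRUSTED_KEY_ID: TRUSTED_KEY}


def build_samples() -> dict[str, Package]:
    """Three constructed packages covering the cases the filter cannot tell apart."""
    genuine_payload = b"genuine package contents"
    other_payload = b"package contents signed by some other key"
    return {
        # Signed with the trusted key; claimed ID matches the real signer.
        "genuine": Package("genuine-1.0", genuine_payload, TRUSTED_KEY_ID,
                           sign(genuine_payload, TRUSTED_KEY)),
        # Claims the trusted key ID in its header, but the signature was made
        # with a different key: the filter cannot distinguish this from genuine.
        "mismatched": Package("other-1.0", other_payload, TRUSTED_KEY_ID,
                              sign(other_payload, b"constructed-other-key")),
        # No signature at all.
        "unsigned": Package("unsigned-1.0", b"unsigned contents", "", b""),
    }


def evaluate(pkg: Package) -> dict[str, bool]:
    """Run both checks on one package so the difference is visible."""
    return {
        "key_id_filter": key_id_filter(pkg, set(TRUSTED_KEYS)),
        "signature_verified": verify_signature(pkg, TRUSTED_KEYS),
    }


if __name__ == "__main__":
    for label, pkg in build_samples().items():
        print(f"{label:10s} {evaluate(pkg)}")
```

The filter and the verifier agree on the genuine and unsigned packages; they disagree on the package whose header merely claims the trusted key ID, which is exactly why the documentation change in this issue describes the feature as filtering rather than verification.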