Project

Profile

Help

Actions
Send by e-mail Copy link

Issue #2188

closed

Make GPG signature checking is called "filtering"

Added by semyers over 7 years ago. Updated about 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Assignee:
semyers
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.10.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Sprint 7
Quarter:

Description

2.10 introduces a new feature which has been referred to as "GPG Signature Verification". The actual behavior of this feature is more along the lines of "GPG Signing Key ID Filtering"; actual gpg signatures are never verified. It needs to be made very clear in our documentation that the feature as it exists does not improve security of packages in pulp.

The changes related to this issue will most likely be grafted into the 2.10.0 release candidate, so they must consist of documentation changes only.

Related issues

Related to RPM Support - Story #1991: As a user, uploaded units which don't pass the signature check are not importedCLOSED - CURRENTRELEASEipanova@redhat.com

Actions
Actions
Copy link
 #1

Updated by mhrivnak over 7 years ago

  • Triaged changed from No to Yes
Actions
Copy link
 #2

Updated by mhrivnak over 7 years ago

  • Related to Story #1991: As a user, uploaded units which don't pass the signature check are not imported added
Actions
Copy link
 #3

Updated by mhrivnak over 7 years ago

  • Sprint/Milestone set to 25
Actions
Copy link
 #4

Updated by semyers over 7 years ago

  • Status changed from ASSIGNED to POST

After digging into this a little deeper, I concluded that this change couldn't easily be done as a docs-only fix.

The PR is up for review: https://github.com/pulp/pulp_rpm/pull/961

Added by semyers over 7 years ago

Revision 409687ed | View on GitHub

Reclassify signature verification as signature and key ID filtering

The features introduced in #1991 (https://pulp.plan.io/issues/1991) only act as filters based on whether or not a package is signed, and the short key ID of the key used to generate that signature. This changes any reference to "verification" introduced with those changes to "GPG Key ID filtering", and in general attempted to clarify that this is not a security feature, while still leaving it possible to (hopefully) do GPG package signature verification in a future version.

fixes #2188 https://pulp.plan.io/issues/2188

Actions
Copy link
 #5

Updated by semyers over 7 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions
Copy link
 #6

Updated by semyers over 7 years ago

  • Subject changed from Fix references to GPG Signature Verification in 2.10 to Make GPG signature checking is called "filtering"
Actions
Copy link
 #7

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions
Copy link
 #8

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

Actions
Copy link
 #9

Updated by semyers over 7 years ago

  • Status changed from 6 to MODIFIED
Actions
Copy link
 #10

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions
Copy link
 #11

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

Actions
Copy link
 #12

Updated by semyers over 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions
Copy link
 #14

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 7
Actions
Copy link
 #15

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (25)
Actions
Copy link
 #16

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
Actions
Send by e-mail Copy link

Also available in: Atom PDF