Issue #2188

closed

Make GPG signature checking is called "filtering"

Added by semyers over 7 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.10.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Sprint 7
Quarter:

Description

2.10 introduces a new feature which has been referred to as "GPG Signature Verification". The actual behavior of this feature is more along the lines of "GPG Signing Key ID Filtering"; actual gpg signatures are never verified. It needs to be made very clear in our documentation that the feature as it exists does not improve security of packages in pulp.

The changes related to this issue will most likely be grafted into the 2.10.0 release candidate, so they must consist of documentation changes only.
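An added example (not Pulp's code and not the implementation behind #1991): a small Python model of the difference the description draws between filtering on the key ID named in a signature header and verifying the signature itself. The package layout, the toy textbook RSA, and the "short key ID" derivation are assumptions constructed for this demo so that it runs with the standard library only; the real feature reads the key ID out of the RPM's signature header, which this example does not touch.

```python
"""Key ID filtering versus signature verification (constructed example).

Textbook RSA on Python big integers, no padding: for illustration only,
never for protecting anything.
"""
import hashlib
import random


# ---- toy RSA ----------------------------------------------------------------
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d)).
    512-bit keys keep the demo fast; real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+


def short_key_id(pub):
    """Low 32 bits of a SHA-1 fingerprint: the analogue of an OpenPGP short key ID."""
    n, e = pub
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha1(raw).hexdigest()[-8:].upper()


def _digest(payload):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(priv, payload):
    n, d = priv
    return pow(_digest(payload), d, n)


# ---- a "package": payload plus a signature header ----------------------------
def signed_package(payload, pub, priv):
    return {"payload": payload, "sig_key_id": short_key_id(pub), "sig": sign(priv, payload)}


def key_id_filter(pkg, allowed_key_ids):
    """What the 2.10 feature does: is there a signature, and is the key ID
    named in the header on the allow-list? Nothing is cryptographically checked."""
    return pkg["sig"] is not None and pkg["sig_key_id"] in allowed_key_ids


def verify_signature(pkg, keyring):
    """What the feature does not do: check the signature against the public
    key trusted for that key ID."""
    pub = keyring.get(pkg["sig_key_id"])
    if pub is None or pkg["sig"] is None:
        return False
    n, e = pub
    return pow(pkg["sig"], e, n) == _digest(pkg["payload"])


def demo():
    """Run each package through both checks; returns {name: (filter, verify)}."""
    vendor_pub, vendor_priv = rsa_keygen()
    other_pub, other_priv = rsa_keygen()
    allowed = {short_key_id(vendor_pub)}
    keyring = {short_key_id(vendor_pub): vendor_pub}

    genuine = signed_package(b"payload of a real vendor build", vendor_pub, vendor_priv)
    # Attacker: alter the payload, copy the allowed key ID into the header
    # (it is public, printed by every tool), and put garbage where the signature goes.
    forged = {"payload": b"payload with a backdoor", "sig_key_id": short_key_id(vendor_pub), "sig": 0xDEADBEEF}
    unlisted = signed_package(b"build from someone else", other_pub, other_priv)  # validly signed, untrusted key
    unsigned = {"payload": b"no signature at all", "sig_key_id": None, "sig": None}

    return {
        name: (key_id_filter(pkg, allowed), verify_signature(pkg, keyring))
        for name, pkg in [("genuine", genuine), ("forged", forged), ("unlisted", unlisted), ("unsigned", unsigned)]
    }


if __name__ == "__main__":
    for name, (passes_filter, verifies) in demo().items():
        print(f"{name:9s} key-ID filter: {passes_filter!s:5s} signature verifies: {verifies}")
```

The `forged` case is the one the description is warning about: the filter admits it because the header names an allowed key ID, and only a real verification step with the trusted public key rejects it. The filter's only genuine effect is the `unlisted` and `unsigned` rows, keeping out packages that are not labelled as coming from an expected key.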


Related issues

Related to RPM Support - Story #1991: As a user, uploaded units which don't pass the signature check are not imported (CLOSED - CURRENTRELEASE, assignee ipanova@redhat.com)

Actions #1

Updated by mhrivnak over 7 years ago

  • Triaged changed from No to Yes
Actions #2

Updated by mhrivnak over 7 years ago

  • Related to Story #1991: As a user, uploaded units which don't pass the signature check are not imported added
Actions #3

Updated by mhrivnak over 7 years ago

  • Sprint/Milestone set to 25
Actions #4

Updated by semyers over 7 years ago

  • Status changed from ASSIGNED to POST

After digging into this a little deeper, I concluded that this change couldn't easily be done as a docs-only fix.

The PR is up for review: https://github.com/pulp/pulp_rpm/pull/961

Added by semyers over 7 years ago

Revision 409687ed

Reclassify signature verification as signature and key ID filtering

The features introduced in #1991 (https://pulp.plan.io/issues/1991) only act as filters based on whether or not a package is signed, and the short key ID of the key used to generate that signature. This changes any reference to "verification" introduced with those changes to "GPG Key ID filtering", and in general attempts to clarify that this is not a security feature, while still leaving it possible to (hopefully) do GPG package signature verification in a future version.

fixes #2188 https://pulp.plan.io/issues/2188

Actions #5

Updated by semyers over 7 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #6

Updated by semyers over 7 years ago

  • Subject changed from Fix references to GPG Signature Verification in 2.10 to Make GPG signature checking is called "filtering"
Actions #7

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions #8

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

Actions #9

Updated by semyers over 7 years ago

  • Status changed from 6 to MODIFIED
Actions #10

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5
Actions #11

Updated by pthomas@redhat.com over 7 years ago

  • Status changed from 5 to 6

verified

Actions #12

Updated by semyers over 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions #14

Updated by bmbouter almost 6 years ago

  • Sprint set to Sprint 7
Actions #15

Updated by bmbouter almost 6 years ago

  • Sprint/Milestone deleted (25)
Actions #16

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
