
Story #4812

As a user, I can publish a Yum repository that works with repo_gpgcheck=1 (Signed Repositories)

Added by dalley over 1 year ago. Updated 4 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Sprint/Milestone:
Start date:
Due date:
% Done:
100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:

Description

(Clone of Pulp 2 issue https://pulp.plan.io/issues/3055)

To allow a Yum repository to be used with Yum clients that have repo_gpgcheck=1 configured in /etc/yum.conf:

  1. Create a new GPG signing key that can be used by Pulp worker processes without a password. (Documentation provides example procedures.)
  2. Append the public key associated with the new GPG signing key to the gpgkey file specified in the distributor config for the Yum repository in Pulp.
  3. Set gpg_sign_metadata to True in the distributor config for the Yum repository in Pulp.

See also https://access.redhat.com/solutions/2850911

More detailed description from Neal Gompa (Conan_Kudo, Fedora contributor):

Signed repositories (for RPM repos) are when the `repomd.xml` file (the index file referencing all other parts of the RPM metadata) is signed using a GPG key (which does not necessarily have to be the same key as the packages, though it usually is) in the form of a detached signature (`repomd.xml.asc`) that is placed next to the `repomd.xml` file. Package managers like DNF, Zypper, and YUM can use this when `repo_gpgcheck=1` is set in the .repo file to validate the XML before reading it. SUSE systems require this by default and will not normally fetch repos that are not signed. If the GPG key for the repository metadata differs from the packages' GPG key, its public key must also be present in the `gpgkey=` list in the .repo file.
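The following Python is an added example, not code from Pulp or from this issue, that models what a client configured with `repo_gpgcheck=1` relies on: the detached signature covers only `repomd.xml`, and `repomd.xml` in turn records a checksum for every other metadata file, so one signature transitively anchors the whole metadata set. It also audits a `.repo` file for the two settings the description calls out (`repo_gpgcheck=1`, and the metadata key listed under `gpgkey=` when it differs from the package key). The `.repo` contents, key URLs and metadata files are constructed samples; gpg itself is not invoked, since verifying `repomd.xml.asc` against a trusted key is the package manager's job.

```python
import configparser
import hashlib
import xml.etree.ElementTree as ET

REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Constructed sample key locations (hypothetical URLs, not real keys).
PACKAGE_KEY_URL = "https://repo.example.invalid/keys/RPM-GPG-KEY-packages"
METADATA_KEY_URL = "https://repo.example.invalid/keys/RPM-GPG-KEY-metadata"

# Weak .repo (constructed): packages are checked, but repomd.xml is used without
# looking at repomd.xml.asc, and the metadata key is not trusted at all.
WEAK_REPO = f"""[demo]
name=Demo repository (metadata unchecked)
baseurl=https://repo.example.invalid/demo/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey={PACKAGE_KEY_URL}
"""

# Hardened .repo (constructed): repo_gpgcheck=1 and both keys in gpgkey=,
# as required when the metadata key differs from the package key.
HARDENED_REPO = f"""[demo]
name=Demo repository (signed metadata)
baseurl=https://repo.example.invalid/demo/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey={PACKAGE_KEY_URL}
       {METADATA_KEY_URL}
"""


def audit_repo_config(repo_ini, metadata_key_url):
    """Return findings per [section]; empty list means the section is hardened."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(repo_ini)
    findings = []
    for section in cfg.sections():
        sec = cfg[section]
        if sec.get("gpgcheck", "0") != "1":
            findings.append(f"[{section}] gpgcheck is off: package signatures not verified")
        if sec.get("repo_gpgcheck", "0") != "1":
            findings.append(f"[{section}] repo_gpgcheck is off: repomd.xml.asc is never checked")
        # gpgkey= may span several indented lines; configparser joins them with newlines.
        if metadata_key_url not in sec.get("gpgkey", "").split():
            findings.append(f"[{section}] metadata signing key missing from gpgkey=")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_repomd(entries):
    """Minimal repomd.xml: one <data> per metadata file, mapping type -> (href, bytes)."""
    parts = [f'<repomd xmlns="{REPOMD_NS}">']
    for mdtype, (href, data) in entries.items():
        parts.append(f'<data type="{mdtype}"><checksum type="sha256">{sha256_hex(data)}'
                     f'</checksum><location href="{href}"/></data>')
    parts.append("</repomd>")
    return "".join(parts).encode()


def check_repomd_chain(repomd_xml, fetched):
    """Re-hash each file referenced by repomd.xml; return {mdtype: matches_checksum}.

    Once repomd.xml.asc has been verified, True here means the file is covered
    by that signature transitively; False means it must not be trusted."""
    root = ET.fromstring(repomd_xml)
    results = {}
    for data in root.findall(f"{{{REPOMD_NS}}}data"):
        checksum = data.find(f"{{{REPOMD_NS}}}checksum")
        href = data.find(f"{{{REPOMD_NS}}}location").get("href")
        blob = fetched.get(href)
        results[data.get("type")] = (
            blob is not None and checksum is not None
            and checksum.get("type") == "sha256"
            and sha256_hex(blob) == (checksum.text or "").strip()
        )
    return results


# Constructed sample metadata files referenced from repomd.xml.
PRIMARY_XML = b'<metadata packages="1"><package type="rpm"><name>demo</name></package></metadata>'
SAMPLE_REPO = {"primary": ("repodata/primary.xml", PRIMARY_XML),
               "filelists": ("repodata/filelists.xml", b'<filelists packages="1"/>')}


def demo():
    """Intact metadata passes; a swapped primary.xml is caught by repomd.xml's checksum."""
    repomd = build_repomd(SAMPLE_REPO)
    fetched = {href: data for href, data in SAMPLE_REPO.values()}
    tampered = dict(fetched, **{"repodata/primary.xml": PRIMARY_XML.replace(b"demo", b"other")})
    return check_repomd_chain(repomd, fetched), check_repomd_chain(repomd, tampered)
```

The point the chain check makes is why step 3 of the description only needs to sign `repomd.xml`: a client that has verified `repomd.xml.asc` against a key from `gpgkey=` can reject any `primary.xml` or `filelists.xml` whose hash no longer matches, without a separate signature per file.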


Related issues

Related to Pulp - Story #7247: As a pulp_installer developer-user, the pulp_rpm signing service will be installed for me (NEW)


Associated revisions

Revision affb7d31 View on GitHub
Added by Lubos Mjachky 5 months ago

Publish a signed Yum repository if a signing service was attached

If a user creates a repository with a signing service, a publication will automatically contain a detached signature and a public key in addition. The detached signature and the public key are both used by a package manager in order to verify whether the repository is provided by a trusted authority or not.

closes #4812 https://pulp.plan.io/issues/4812

History

#1 Updated by dalley over 1 year ago

  • Tracker changed from Issue to Story
  • Subject changed from As a user, I can publish a Yum repository that works with repo_gpgcheck=1 to As a user, I can publish a Yum repository that works with repo_gpgcheck=1 (Signed Repositories)
  • Description updated (diff)
  • % Done set to 0

#2 Updated by dalley over 1 year ago

  • Description updated (diff)

#3 Updated by ttereshc 6 months ago

  • Sprint/Milestone set to Priority items (outside of planned milestones/releases)

#4 Updated by ttereshc 6 months ago

  • Priority changed from Normal to High

#5 Updated by lmjachky 5 months ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to lmjachky

#6 Updated by lmjachky 5 months ago

  • Status changed from ASSIGNED to POST

#7 Updated by Anonymous 5 months ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#8 Updated by dalley 4 months ago

  • Sprint/Milestone changed from Priority items (outside of planned milestones/releases) to Pulp RPM 3.3.0

#9 Updated by dalley 4 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

#10 Updated by mdepaulo@redhat.com 12 days ago

  • Related to Story #7247: As a pulp_installer developer-user, the pulp_rpm signing service will be installed for me added
