Story #7820

closed

Task #9105: [EPIC] Signing and signature verification

As a user, Pulp is able to verify package signatures, and reject unsigned or invalidly-signed packages

Added by mped about 2 years ago. Updated about 1 year ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:
Q4-2021

Description

Ticket moved to GitHub: pulp/pulp_rpm/2258 (https://github.com/pulp/pulp_rpm/issues/2258)


In Pulp2, when carrying out a synchronisation, it is possible to add the flag --require-signature to ensure that synched packages are signed. Please can this feature be added to Pulp3.

Additionally please can support for allowed-keys also be included.

Thanks

Matt


Related issues

Has duplicate RPM Support - Story #8523: When syncing content from a remote, GPG signatures are checked (CLOSED - DUPLICATE)

Actions #1

Updated by ggainey about 2 years ago

This would be an attribute at the repository-level, and would apply to copy and upload operations as well as sync.

A thought - What happens if you turn it on when there is already unsigned content in the repo? (allow? fail with error?)

@mped - how critical is this for you? Does it, for example, block moving to Pulp3?

Actions #2

Updated by mped about 2 years ago

Hi ggainey,

This will block us moving to Pulp3; however, we are still quite a few months away from that migration, until some other features of Pulp3 mature and are no longer in tech preview, so it isn't critical for us at the moment. It is more that we have come across a need to turn it on for one of our Pulp2 repos, so we just need to know the feature will eventually make it into Pulp 3.

One thought around turning it on for a repo with already unsigned content: are you able to warn that this is the case, so the end user can then choose whether they want those content units removed, or even allow the user to specify that they should be removed if unsigned units exist?

Thanks

Matt
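To make the two knobs discussed in this ticket concrete (require-signature and allowed-keys), together with the "what about content already in the repo?" question from #1 and the warn-or-remove answer from #2, here is an added Python illustration. It is not code from Pulp or from this ticket. It assumes that each package's signature summary is the text rpm prints for the query format `%{SIGPGP:pgpsig}` (assumption about rpm's output format; DSA-signed packages report under `%{SIGGPG:pgpsig}` instead), the sample listing and its key IDs are constructed placeholders, and the function and class names are hypothetical.

```python
"""Repository-level signature policy, as an added illustration (not Pulp code).

Input per package: the text that ``rpm -qp --qf '%{SIGPGP:pgpsig}'`` prints
(assumed format; '(none)' means the package carries no signature).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample: "<file>\t<pgpsig text>" per line. The key IDs are
# placeholders invented for this example, not real signing keys.
SAMPLE = """\
bash-5.1.8-1.x86_64.rpm\tRSA/SHA256, Mon 24 May 2021 05:40:59 PM UTC, Key ID 0123456789abcdef
kernel-5.14.0-70.x86_64.rpm\tRSA/SHA256, Wed 23 Feb 2022 09:12:01 AM UTC, Key ID 0123456789abcdef
internal-tool-1.0-1.noarch.rpm\t(none)
legacy-agent-2.3-4.x86_64.rpm\tRSA/SHA1, Thu 05 Jan 2012 10:00:00 AM UTC, Key ID fedcba9876543210
"""

KEY_ID_RE = re.compile(r"Key ID ([0-9A-Fa-f]{16})\s*$")


@dataclass(frozen=True)
class SigInfo:
    package: str
    key_id: Optional[str]  # 16 lowercase hex digits, or None when unsigned


@dataclass(frozen=True)
class Policy:
    require_signature: bool = False
    allowed_keys: frozenset = frozenset()  # 16-hex key IDs or 40-hex fingerprints


def parse_pgpsig(package: str, text: str) -> SigInfo:
    """Turn one pgpsig query result into SigInfo."""
    text = text.strip()
    if text in ("", "(none)"):
        return SigInfo(package, None)
    m = KEY_ID_RE.search(text)
    if m is None:
        raise ValueError(f"{package}: unrecognised pgpsig text {text!r}")
    return SigInfo(package, m.group(1).lower())


def parse_listing(listing: str) -> List[SigInfo]:
    out = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        package, _, sig = line.partition("\t")
        out.append(parse_pgpsig(package, sig))
    return out


def normalize_key(key: str) -> str:
    """Accept '0x' prefixes, spaced fingerprints and any case; reject short IDs."""
    k = key.strip().lower().replace(" ", "")
    if k.startswith("0x"):
        k = k[2:]
    if not re.fullmatch(r"[0-9a-f]{16,40}", k):
        raise ValueError(f"allowed key {key!r} must be a 16-hex key ID or 40-hex fingerprint")
    return k


def key_allowed(key_id: str, policy: Policy) -> bool:
    """rpm prints the 64-bit key ID, i.e. the last 16 hex digits of the fingerprint."""
    if not policy.allowed_keys:
        return True  # no allow-list configured: any signing key is acceptable
    return any(normalize_key(k)[-16:] == key_id for k in policy.allowed_keys)


def evaluate(sig: SigInfo, policy: Policy) -> Tuple[bool, str]:
    """Return (accepted, reason) for one package under the policy."""
    if sig.key_id is None:
        if policy.require_signature:
            return False, "unsigned"
        return True, "unsigned, but signatures are not required"
    if not key_allowed(sig.key_id, policy):
        return False, f"signed by key {sig.key_id} which is not in allowed_keys"
    return True, f"signed by allowed key {sig.key_id}"


def enable_on_existing(sigs: Iterable[SigInfo], policy: Policy, remove: bool = False):
    """Turning the policy on for a repo that already holds content: report every
    offending unit (warn mode); drop it from the kept list only when remove=True."""
    kept, flagged = [], []
    for sig in sigs:
        ok, reason = evaluate(sig, policy)
        if ok:
            kept.append(sig.package)
        else:
            flagged.append((sig.package, reason))
            if not remove:
                kept.append(sig.package)
    return kept, flagged


if __name__ == "__main__":
    policy = Policy(require_signature=True, allowed_keys=frozenset({"0x0123456789ABCDEF"}))
    for sig in parse_listing(SAMPLE):
        print(sig.package, *evaluate(sig, policy))
    kept, flagged = enable_on_existing(parse_listing(SAMPLE), policy)
    print("would be removed with remove=True:", [p for p, _ in flagged])
```

Two things the script deliberately does not do: it only reads the key ID recorded in the package header, so it can tell "unsigned" and "signed by a key outside the allow-list" apart, but rejecting the "invalidly-signed" case from the story title requires verifying the signature bytes against an imported public key (what `rpm -K` does with the key in rpm's keyring). And it insists on at least a 64-bit key ID in `allowed_keys`, since 32-bit short IDs are trivially collidable; a full 40-hex fingerprint is the better form to configure.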

Actions #3

Updated by dalley over 1 year ago

  • Has duplicate Story #8523: When syncing content from a remote, GPG signatures are checked added
Actions #4

Updated by dalley over 1 year ago

We should take a look at verifying metadata signatures as well.

Actions #5

Updated by dalley over 1 year ago

  • Quarter set to Q4-2021
Actions #6

Updated by dalley over 1 year ago

  • Parent task set to #9105
Actions #7

Updated by dalley over 1 year ago

  • Subject changed from "As a user I can specify the synched packages must be signed" to "As a user, Pulp is able to verify package signatures, and reject unsigned or invalidly-signed packages"
Actions #8

Updated by pulpbot about 1 year ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE
