
Issue #9206

closed

Repodata signing is broken if sqlite is enabled

Added by rmcgover over 3 years ago. Updated almost 3 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
2.21.1
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 111
Quarter:

Description

Ticket moved to GitHub: pulp/pulp_rpm/2291 (https://github.com/pulp/pulp_rpm/issues/2291)


In Pulp2, if a repo has repodata signing enabled via gpg_sign_metadata: true, and also has sqlite enabled via generate_sqlite: true, then the published signatures are invalid.

Steps to reproduce

Actual behavior

Signature verification fails.

Expected behavior

Signature verification succeeds.

Additional info

It's broken because the signing occurs on an intermediate version of repomd.xml rather than the final form.

It can be easily observed by inspection of the publish steps in BaseYumRepoPublisher: https://github.com/pulp/pulp_rpm/blob/5c5a7dcc058b29d89b3a913d29cfcab41db96686/plugins/pulp_rpm/plugins/distributors/yum/publish.py#L46

Here's the last few steps of that publisher, with added comments:

        self.add_child(PublishModulesStep())
        self.add_child(PublishCompsStep())
        self.add_child(PublishMetadataStep())
        self.add_child(CloseRepoMetadataStep())  # finalizes repomd.xml and creates repomd.xml.asc
        self.add_child(GenerateSqliteForRepoStep(self.get_working_dir()))  # rewrites repomd.xml to add sqlite, invalidating signature
        self.add_child(RemoveOldRepodataStep())

Though CloseRepoMetadataStep treats repomd.xml as "final" and ready for signing, if generate_sqlite is enabled then the very next step will overwrite repomd.xml with different content (generated by sqliterepo_c command) and will not redo the signing, meaning the signature will never be correct.
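The ordering problem described above, reduced to a runnable model. This is an added example, not code from pulp_rpm: each publish step is a function that mutates an in-memory repodata tree, the GPG detached signature is stood in for by an HMAC under a constructed key (the actual fix branch referenced later in the ticket is not shown on this page, so the corrected order here, sqlite generation before signing, is one obvious correction rather than the project's own patch), and the `verify` function plays the role of the `gpg --verify repomd.xml.asc repomd.xml` check that a post-publish sanity test would run.

```python
"""Model of the Pulp 2 yum publish step ordering from the issue.

Added example, not pulp_rpm code. A keyed HMAC over the file bytes stands in
for the GPG detached signature; the point is identical for both: any rewrite
of repomd.xml after signing leaves repomd.xml.asc describing the wrong bytes.
"""
import hashlib
import hmac

# Constructed key; stands in for the signing key CloseRepoMetadataStep would use.
SIGNING_KEY = b"constructed-example-signing-key"

# Minimal repomd.xml as it looks before any sqlite data entries are added.
INITIAL_REPOMD = (
    b'<repomd>\n'
    b'  <data type="primary"/>\n'
    b'  <data type="filelists"/>\n'
    b'</repomd>\n'
)


def close_repo_metadata(repodata):
    """CloseRepoMetadataStep analogue: treat repomd.xml as final and sign it."""
    repodata["repomd.xml.asc"] = hmac.new(
        SIGNING_KEY, repodata["repomd.xml"], hashlib.sha256
    ).hexdigest()


def generate_sqlite(repodata):
    """GenerateSqliteForRepoStep analogue: sqliterepo_c rewrites repomd.xml.

    The new *_db entries change the bytes of repomd.xml; the signature file,
    if it already exists, is left untouched.
    """
    sqlite_entries = (
        b'  <data type="primary_db"/>\n'
        b'  <data type="filelists_db"/>\n'
    )
    repodata["repomd.xml"] = repodata["repomd.xml"].replace(
        b"</repomd>", sqlite_entries + b"</repomd>"
    )


def verify(repodata):
    """Equivalent of `gpg --verify repomd.xml.asc repomd.xml` on the published tree."""
    if "repomd.xml.asc" not in repodata:
        return False
    expected = hmac.new(SIGNING_KEY, repodata["repomd.xml"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, repodata["repomd.xml.asc"])


def publish(steps):
    """Run the given publish steps in order over a fresh repodata tree."""
    repodata = {"repomd.xml": INITIAL_REPOMD}
    for step in steps:
        step(repodata)
    return repodata


# Order from BaseYumRepoPublisher as quoted in the issue: sign, then add sqlite.
BROKEN_ORDER = [close_repo_metadata, generate_sqlite]
# One correction: only sign once every step that touches repomd.xml has run.
FIXED_ORDER = [generate_sqlite, close_repo_metadata]


def signature_valid(steps):
    """Publish with the given step order and report whether the signature verifies."""
    return verify(publish(steps))


def has_sqlite_entries(repodata):
    """Confirm the sqlite rewrite actually reached the final repomd.xml."""
    return b'type="primary_db"' in repodata["repomd.xml"]


if __name__ == "__main__":
    print("signed-then-sqlite verifies:", signature_valid(BROKEN_ORDER))  # False
    print("sqlite-then-signed verifies:", signature_valid(FIXED_ORDER))   # True
```

The `verify` step is the part worth keeping in a real deployment: running `gpg --verify` against the published `repomd.xml.asc` and `repomd.xml` immediately after publish catches any future step that rewrites `repomd.xml` without re-signing, regardless of where in the pipeline it is added.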

Actions #1

Updated by dalley over 3 years ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 102
Actions #2

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 102 to Sprint 103
Actions #3

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 103 to Sprint 104
Actions #4

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 104 to Sprint 105
Actions #5

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 105 to Sprint 106
Actions #6

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 106 to Sprint 107
Actions #7

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 107 to Sprint 108
Actions #8

Updated by dalley about 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dalley
Actions #9

Updated by pulpbot about 3 years ago

  • Status changed from ASSIGNED to POST
Actions #10

Updated by dalley about 3 years ago

[vagrant@pulp2 pulp_rpm]$ git status
# On branch 2-master
nothing to commit, working directory clean
[vagrant@pulp2 pulp_rpm]$ prestart
[vagrant@pulp2 pulp_rpm]$ pulp-admin rpm repo publish run --repo-id test1 --force-full

<omitted>
...
...

Task Succeeded

[vagrant@pulp2 pulp_rpm]$ sudo gpg --verify /var/lib/pulp/published/yum/https/repos/test1/repodata/repomd.xml.asc /var/lib/pulp/published/yum/https/repos/test1/repodata/repomd.xml
gpg: Signature made Mon 01 Nov 2021 02:24:54 PM UTC using RSA key ID 52A922D7
gpg: BAD signature from "dalley <dalley@redhat.com>"


< checkout branch with fix >

[vagrant@pulp2 pulp_rpm]$ git status
# On branch fix-signing-pulp2
nothing to commit, working directory clean
[vagrant@pulp2 pulp_rpm]$ prestart
[vagrant@pulp2 pulp_rpm]$ pulp-admin rpm repo publish run --repo-id test1 --force-full

<omitted>
...
...

Task Succeeded

[vagrant@pulp2 pulp_rpm]$ sudo gpg --verify /var/lib/pulp/published/yum/https/repos/test1/repodata/repomd.xml.asc /var/lib/pulp/published/yum/https/repos/test1/repodata/repomd.xml
gpg: Signature made Mon 01 Nov 2021 02:25:55 PM UTC using RSA key ID 52A922D7
gpg: Good signature from "dalley <dalley@redhat.com>"

Actions #11

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 108 to Sprint 109
Actions #12

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 109 to Sprint 110
Actions #13

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 110 to Sprint 111
Actions #14

Updated by fao89 almost 3 years ago

  • Description updated (diff)
  • Status changed from POST to CLOSED - DUPLICATE
