Issue #9206

Updated by fao89 almost 3 years ago

**Ticket moved to GitHub**: [pulp/pulp_rpm/2291](https://github.com/pulp/pulp_rpm/issues/2291)

 ---- 


In Pulp2, if a repo has repodata signing enabled via `gpg_sign_metadata: true`, and also has sqlite enabled via `generate_sqlite: true`, then the published signatures are invalid.

 ## Steps to reproduce 

- Enable GPG signing of repodata for a repo, with valid setup, per https://docs.pulpproject.org/en/2.21/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-of-repository-metadata
- Enable sqlite generation for a repo by setting `generate_sqlite: true`.
- Publish repo.
- Download `repomd.xml`, `repomd.xml.asc` and attempt to verify the signature.

 ## Actual behavior 

 Signature verification fails. 

 ## Expected behavior 

 Signature verification succeeds. 

 ## Additional info 

 It's broken because the signing occurs on an intermediate version of repomd.xml rather than the final form. 

 It can be easily observed by inspection of the publish steps in BaseYumRepoPublisher: https://github.com/pulp/pulp_rpm/blob/5c5a7dcc058b29d89b3a913d29cfcab41db96686/plugins/pulp_rpm/plugins/distributors/yum/publish.py#L46 

 Here's the last few steps of that publisher, with added comments: 

~~~ python
        self.add_child(PublishModulesStep())
        self.add_child(PublishCompsStep())
        self.add_child(PublishMetadataStep())
        self.add_child(CloseRepoMetadataStep())    # finalizes repomd.xml and creates repomd.xml.asc
        self.add_child(GenerateSqliteForRepoStep(self.get_working_dir()))    # rewrites repomd.xml to add sqlite, invalidating signature
        self.add_child(RemoveOldRepodataStep())
~~~

Though CloseRepoMetadataStep treats repomd.xml as "final" and ready for signing, if `generate_sqlite` is enabled then the very next step will overwrite repomd.xml with different content (generated by the `sqliterepo_c` command) and will not redo the signing, meaning the signature will never be correct.
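The step ordering described in this issue, reduced to a runnable simulation. This is an added example, not pulp_rpm code: the step functions are stand-ins for `PublishMetadataStep`, `CloseRepoMetadataStep` and `GenerateSqliteForRepoStep`, the detached signature is modelled as an HMAC-SHA256 over the file bytes written to `repomd.xml.asc` instead of a GPG detached signature, and the sqlite step models `sqliterepo_c` by appending `primary_db`/`filelists_db` entries to `repomd.xml`. The repomd content and signing key are constructed for the demo. The point it shows is that any step that rewrites `repomd.xml` after the signing step leaves a signature over bytes that no longer exist on disk, and that moving the signing step after the last rewrite is what makes verification succeed.

```python
"""Simulate Pulp2's publish-step ordering from this issue (added example, not pulp_rpm code)."""
import hashlib
import hmac
import os
import tempfile

SIGNING_KEY = b"demo-signing-key"  # constructed stand-in for the GPG signing key

REPOMD_INITIAL = (
    '<repomd>\n'
    '  <data type="primary"/>\n'
    '  <data type="filelists"/>\n'
    '</repomd>\n'
)  # constructed repomd.xml content


def publish_metadata(path):
    """PublishMetadataStep stand-in: write the repomd.xml that is about to be signed."""
    with open(path, "w") as f:
        f.write(REPOMD_INITIAL)


def sign_detached(path):
    """CloseRepoMetadataStep stand-in: write <path>.asc over whatever bytes are on disk now.

    A real GPG detached signature also covers exactly the bytes present at signing time,
    so any later rewrite of the file invalidates it in the same way.
    """
    with open(path, "rb") as f:
        data = f.read()
    sig = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    with open(path + ".asc", "w") as f:
        f.write(sig)


def generate_sqlite(path):
    """GenerateSqliteForRepoStep stand-in: rewrite repomd.xml to add the sqlite entries."""
    with open(path) as f:
        text = f.read()
    text = text.replace(
        "</repomd>",
        '  <data type="primary_db"/>\n  <data type="filelists_db"/>\n</repomd>',
    )
    with open(path, "w") as f:
        f.write(text)


def verify_detached(path):
    """The reporter's check: does repomd.xml.asc still match repomd.xml?"""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".asc") as f:
        sig = f.read()
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def run_publish(steps, workdir):
    """Run the steps in order against one repomd.xml and return the verification result."""
    path = os.path.join(workdir, "repomd.xml")
    for step in steps:
        step(path)
    return verify_detached(path)


# Order from the issue: sign first, then the sqlite step rewrites repomd.xml.
PULP2_ORDER = [publish_metadata, sign_detached, generate_sqlite]
# Order that keeps the signature valid: sign only after the last rewrite.
FIXED_ORDER = [publish_metadata, generate_sqlite, sign_detached]


def demo():
    """Return {'pulp2': False, 'fixed': True}: the bug reproduces, the reordering cures it."""
    results = {}
    for name, steps in (("pulp2", PULP2_ORDER), ("fixed", FIXED_ORDER)):
        with tempfile.TemporaryDirectory() as workdir:
            results[name] = run_publish(steps, workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real published repo the equivalent check is `gpg --verify repomd.xml.asc repomd.xml` with the signing public key imported; the simulation swaps GPG for an HMAC only so that it runs offline with no keyring.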
