
Fetch signing key fingerprints directly from package signatures #4370

Open: dralley wants to merge 10 commits into pulp:main from dralley:parse-signatures

Conversation

dralley (Contributor) commented Mar 12, 2026

📜 Checklist

  • Commits are cleanly separated with meaningful messages (simple features and bug fixes should be squashed to one commit)
  • A changelog entry or entries have been added for any significant changes
  • Follows the Pulp policy on AI Usage
  • (For new features) User documentation and test coverage have been added

See: Pull Request Walkthrough

dralley force-pushed the parse-signatures branch 5 times, most recently from 803c984 to 51f5696, March 12, 2026 21:26
dralley force-pushed the parse-signatures branch 2 times, most recently from e3e1f53 to d3590c1, April 20, 2026 15:45
dralley force-pushed the parse-signatures branch 5 times, most recently from 85d2e89 to 82237dd, May 1, 2026 15:12
github-actions (bot) added the multi-commit label (added when a PR consists of more than one commit), May 5, 2026
dralley force-pushed the parse-signatures branch 13 times, most recently from 67b3ed3 to 0baa74d, May 7, 2026 15:17
dralley force-pushed the parse-signatures branch 2 times, most recently from 31142c9 to 8f3dbbd, May 14, 2026 15:42
dralley force-pushed the parse-signatures branch 6 times, most recently from 26e5746 to 15f79bf, May 14, 2026 18:14
dralley marked this pull request as ready for review May 14, 2026 18:15
Comment thread on pulp_rpm/app/shared_utils.py (outdated). The diff excerpt under discussion:

        return Path(copy_rpm)
    path = Path(basedir) / "sample-rpm-0-0.x86_64.rpm"
    pkg = rpm_rs.PackageBuilder("sample-rpm", "0", "Public Domain", "x86_64").build()
    pkg.write_file(str(path))
dralley (Contributor, Author):

Should we do this? Or should we just keep the sample package until we're fully committed?

Member:

I think we should do this.
Worst case, we add it back; IMHO it's not a big deal either.

dralley force-pushed the parse-signatures branch 2 times, most recently from 323c5dc to 826beab, May 14, 2026 18:20
Comment thread on pyproject.toml

Member:

😎

dralley force-pushed the parse-signatures branch from a3608e2 to d511a49, May 15, 2026 00:30
dralley (Contributor, Author) commented May 15, 2026

Problem: rpm --import straight chokes on PGP keys generated by sequoia, because the version in RHEL 9 used its own implementation of PGP parsing (!!) that doesn't support subkeys at all apparently, or some capability flags.

Thus, these tests will fail unless we either:

A) disable them
B) update the CI to EL10
C) just use the legacy PGP keys for all the tests because that is all that EL9's RPM can process
D) just use rpm-rs pretty much everywhere in the tests and delete what remains of the RpmTool class

I'm working on A no matter what we choose, but I'm not sure how soon we can switch over.

I decided to use rpm-rs for verifying the signing service, because that step was choking on rpm --import despite actually being able to sign the packages perfectly fine. So RpmTool is now only used in the tests.

Question: should we delete RpmTool entirely to unblock this? Or, do we find it worthwhile to have some tests that use the rpm and gpg stack despite the usability challenges, and we'd rather go with option A or B?

dralley (Contributor, Author) commented May 15, 2026

Adding a commit with D just for demonstrative purposes; we don't have to merge it.

dralley force-pushed the parse-signatures branch 3 times, most recently from 74d56e5 to 4e3ce01, May 15, 2026 15:19
dralley added 10 commits May 15, 2026 13:31
closes pulp#4458
Assisted-By: claude-opus-4.6
Take account of the fact that signing key != primary key fingerprint

Assisted-By: claude-opus-4.6
Older versions of RPM are terrible at dealing with subkeys. `rpm --import` does not work on RHEL 9 if the key includes subkeys. Hence, validate() fails, even though signing succeeds.
It's no longer used in pulp_rpm proper
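Added example, not pulp_rpm's code nor the rpm-rs API this PR adopts: a standard-library Python sketch of the resolution step behind the PR title and the "signing key != primary key fingerprint" commit above. It parses an OpenPGP v4 key block and a v4 signature packet (new-format headers, RFC 4880), computes each key's fingerprint, reads the issuer fingerprint and issuer key ID subpackets out of the signature, and reports whether the signer is the primary key or a subkey. The key block and signature are constructed inside the block with dummy integers and hold no real key material; the OpenPGP signature packet that RPM stores in a package's signature header is assumed to have been extracted already and is taken here as a byte string.

```python
"""Added example, not pulp_rpm or rpm-rs code: resolve an OpenPGP v4 signature to the key that
made it, standard library only (RFC 4880). Sample key block and signature are constructed."""
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY = 2, 6, 14
SUBPKT_CREATION_TIME, SUBPKT_ISSUER_KEYID, SUBPKT_ISSUER_FPR = 2, 16, 33


def read_packets(data):
    """Yield (tag, body) for new-format packets with 1- or 2-byte lengths (section 4.2.2)."""
    pos = 0
    while pos < len(data):
        hdr, first = data[pos], data[pos + 1]
        if hdr & 0xC0 != 0xC0 or first >= 224:
            raise ValueError("old-format headers, 5-byte and partial lengths not handled here")
        if first < 192:
            length, pos = first, pos + 2
        else:
            length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        yield hdr & 0x3F, data[pos:pos + length]
        pos += length


def read_subpackets(area):
    """Yield (type, body) from a signature subpacket area (section 5.2.3.1; no 5-byte lengths)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        else:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # type byte, then body
        pos += length


def v4_fingerprint(key_body):
    """Section 12.2: SHA-1 over 0x99 || 2-byte body length || key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def signature_issuer(sig_body):
    """Return (issuer fingerprint hex or None, issuer key ID hex or None) of a v4 signature body."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled here")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    unhashed_len = struct.unpack(">H", sig_body[6 + hashed_len:8 + hashed_len])[0]
    hashed, unhashed = sig_body[6:6 + hashed_len], sig_body[8 + hashed_len:8 + hashed_len + unhashed_len]
    fpr = keyid = None
    for typ, body in list(read_subpackets(hashed)) + list(read_subpackets(unhashed)):
        if typ == SUBPKT_ISSUER_FPR and body[0] == 4:
            fpr = body[1:21].hex().upper()
        elif typ == SUBPKT_ISSUER_KEYID:
            keyid = body.hex().upper()
    return fpr, keyid


def resolve_signer(key_block, sig_block):
    """Return (signer fingerprint, "primary" | "subkey" | None); the issuer is matched against every key."""
    roles = {}
    for tag, body in read_packets(key_block):
        if tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
            roles[v4_fingerprint(body)] = "primary" if tag == TAG_PUBLIC_KEY else "subkey"
    sig_body = next(body for tag, body in read_packets(sig_block) if tag == TAG_SIGNATURE)
    fpr, keyid = signature_issuer(sig_body)
    if fpr is not None:
        return fpr, roles.get(fpr)
    # Older signatures carry only the 64-bit key ID, i.e. the low 8 bytes of the v4 fingerprint.
    return next(((f, r) for f, r in roles.items() if f[-16:] == keyid), (None, None))


def _mpi(value):  # constructed sample data below uses dummy integers, not real keys
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def _packet(tag, body):
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body


def _subpacket(typ, body):
    return bytes([len(body) + 1, typ]) + body


def build_sample_key_block():
    """Primary RSA key plus one RSA signing subkey; returns (block, primary_fpr, subkey_fpr)."""
    def key_body(created, n):  # version 4, creation time, algo 1 (RSA), MPI n, MPI e
        return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(65537)
    primary = key_body(1700000000, (3 << 2046) + 12345)
    subkey = key_body(1700000100, (3 << 2046) + 67890)
    block = _packet(TAG_PUBLIC_KEY, primary) + _packet(TAG_PUBLIC_SUBKEY, subkey)
    return block, v4_fingerprint(primary), v4_fingerprint(subkey)


def build_sample_signature(signer_fpr, with_fingerprint=True):
    """v4 binary signature naming signer_fpr: fingerprint in the hashed area, key ID unhashed."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 1700000200))
    if with_fingerprint:
        hashed += _subpacket(SUBPKT_ISSUER_FPR, b"\x04" + bytes.fromhex(signer_fpr))
    unhashed = _subpacket(SUBPKT_ISSUER_KEYID, bytes.fromhex(signer_fpr[-16:]))
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD" + _mpi((1 << 2047) + 99))  # left 16 bits of hash, then a dummy RSA MPI
    return _packet(TAG_SIGNATURE, body)
```

Because package signatures are normally made with a subkey (the same subkey-bearing keys that trip up `rpm --import` on RHEL 9), comparing the issuer fingerprint only against the primary key's fingerprint would reject valid signatures; the lookup therefore covers every key packet in the block and falls back to the 64-bit key ID for signatures that lack the issuer-fingerprint subpacket.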
dralley force-pushed the parse-signatures branch from 4e3ce01 to 278d17e, May 15, 2026 17:34

Labels: multi-commit (added when a PR consists of more than one commit), no-changelog, no-issue
