Replace custom OpenPGP packet parsing with pysequoia #7433
Replace custom OpenPGP packet parsing with pysequoia #7433
Conversation
|
@mdellweg @gerrod3 This is first draft quality, I have not thoroughly reviewed this. But let me know what you think, and feel free to look at the pysequoia PR as well. I will note, that I don't think pysequoia actually supports PQC yet (the patches exist but aren't merged yet, I think RH is applying them downstream in places). So we will need to make sure that it's not doing "too much" validation Requires wiktor-k/pysequoia#61 |
dralley
force-pushed
the
use-pysequoia
branch
4 times, most recently
from
a4007d3 to
ccf9278
Compare
dralley
changed the title
| "raw_data": body, | ||
| "created": packet.signature_created, | ||
| } | ||
| # Note: Pulp's concept of "expiration time" is a duration starting at creation time |
There was a problem hiding this comment.
Oh it should have been expiration date?
"time" really is ambiguous.
There was a problem hiding this comment.
TBF, pulp is using the terminology that was defined in the spec, so it was "correct", it's just that the terminology in the spec was ambiguous.
https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-expiration-time
Opinions probably differ whether Sequoia providing expiration_time as something else is a good idea. Less ambiguous wording, but a bit confusing when it comes to the spec.
dralley
force-pushed
the
use-pysequoia
branch
3 times, most recently
from
56bd4a3 to
4441274
Compare
dralley
force-pushed
the
use-pysequoia
branch
2 times, most recently
from
38ee7d1 to
a234584
Compare
Generated-By: claude-opus-4.6
dralley
force-pushed
the
use-pysequoia
branch
2 times, most recently
from
e232d0d to
9827fcc
Compare
pulpcore/pytest_plugin.py
Outdated
| return gpg, fingerprint, keyid | ||
| return cert, fingerprint, keyid |
There was a problem hiding this comment.
Is anything outside of pulpcore using this fixture?
There was a problem hiding this comment.
Looks like yes https://github.com/search?q=org%3Apulp%20signing_gpg_metadata&type=code
pulp_container and pulp_deb at least, pulp_rpm looks like it might have a copy of an identical name
There was a problem hiding this comment.
Looks like pulp_deb's use is only interested in the third argument (keyid).
But Container uses the gpghome from the first one you change. We need to address that first I think.
There was a problem hiding this comment.
I updated with another compatibility shim.
| keyid = fingerprint[-16:] | ||
|
|
||
| gpg.trust_keys(fingerprint, "TRUST_ULTIMATE") | ||
| gpg_cmd = ["gpg", "--homedir", str(signing_gpg_homedir_path)] |
There was a problem hiding this comment.
Is this now using sequoia too, depending on the actual binary installed?
There was a problem hiding this comment.
It's using whichever utility is behind the command named gpg, which AFAIK is still just gpg. I don't think RHEL 10 is using a replacement under the gpg name
pulpcore/app/util.py
Outdated
| self.pubkey_fingerprint = vs.certificate.upper() | ||
| self.key_id = vs.signing_key[-16:].upper() | ||
| self.username = "" | ||
| else: |
There was a problem hiding this comment.
What does this branch mean? Can a signature be valid when there are no signatures at all?
There was a problem hiding this comment.
I believe you are correct, it's dead code. Removed
| ) | ||
|
|
||
| gpg = gnupg.GPG(gnupghome=options["gnupghome"], keyring=options["keyring"]) | ||
| gpg_cmd = ["gpg"] |
There was a problem hiding this comment.
Wouldn't we need this to use sequoia too in order to handle all the new algorithms and keyfile formats?
There was a problem hiding this comment.
Even sequoia doesn't "support" them yet because the IETF draft isn't final yet. You have to install a special build to get them. So it's out of scope for now. At some point, probably, but even then it might be a host-dependent thing.
dralley
force-pushed
the
use-pysequoia
branch
2 times, most recently
from
1d855c0 to
731c4ce
Compare
mdellweg
left a comment
mdellweg
left a comment
There was a problem hiding this comment.
One last suggestion.
You can also ignore...
Use pysequoia instead, or shell out to gpg on the command line, which is what python-gnupg does anyway. It's not much additional code to just ditch the dependency everywhere. Assisted-By: claude-opus-4.6
2 participants
📜 Checklist
See: Pull Request Walkthrough