Have RPM package signing use rpm_package location #4188
The package signing code in pulp_rpm expects the signing service to return the file path as "rpm_package" but it doesn't look like it uses it. Instead, it expects the original file to be signed. This is sort of at odds with how package signing works since it uses the "signature" value returned by the signing service. Even pulp_deb which has files with embedded signatures does this.
I think that pulp_rpm expects users to be using rpmsign which signs the file in place and thus using the original file path location makes sense. But this is not true for us. We hand the rpm file over to a service to be signed, and then the file is returned via an API call and stored at a new location.
Using "rpm_package" instead of expecting the original file to be signed would give users greater flexibility. Users can still update the existing file if they choose to and just return the original file path as "rpm_package". I also think that using "rpm_package" is more consistent with how metadata signing works as well.
fixes #4189