[Pulp-list] GPG Keys (review)

Jeff Ortel jortel at redhat.com
Tue Oct 12 15:42:21 UTC 2010


All,

I added support for GPG keys as follows.  I made some assumptions on the use case(s) so,
I'd appreciate a sanity check.

* Added 'gpgkeys=[]' to the model and exposed through WS.  This contains
   the actual GPG key and not a URL to a file stored on the server.  Didn't
   see any point to making this complicated.

* Added --gpgkeys option to the 'repo update' command.

    Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
        pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
        pulp-admin repo update --id=myrepo --gpgkeys=  # clear the keys

    Where /tmp/mykeys contains files containing keys that are uploaded and
    stored in mongodb in the repo object.

* Updated the RepoLib in the Agent to:

   - Download GPG keys for each subscribed repo(s) into /etc/pki/rpm-gpg/pulp/<repo>

       Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
                 /etc/pki/rpm-gpg/pulp/myrepo/alt-1
                 /etc/pki/rpm-gpg/pulp/myrepo/alt-2
                 ....

   - Include gpgkeys in the repo definition in pulp.repo.

      Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2

* Locally stored keys no longer associated with a pulp repo are removed.  That is,
   /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed.  Also,
   unreferenced keys are cleaned up.

As of now, --gpgkeys can contain a comma-separated list of files and/or directories.
When directories are listed, all of the files in those directories are considered to be GPG keys
and uploaded.

The GPG keys are set in the pulp.repo files in the order stored in the domain model.  By
convention, the first key in the list is stored in the file named 'primary' and all the
others are stored in files named 'alt-N'.  There is no real significance to the file
naming.  I just did it this way for readability and consistency with Fedora key naming.

Comments?

-jeff
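The agent-side behaviour the post describes (key files named primary/alt-N under /etc/pki/rpm-gpg/pulp/<repo>, one gpgkey= entry listing every stored key, and removal of key directories for repos no longer subscribed), written up as an added example; this is not Pulp's own RepoLib code. The key root is a parameter instead of /etc/pki/rpm-gpg/pulp, the key contents and repo URL are constructed, and setting gpgcheck=1 when keys exist is the example's own choice, not something the post states.

```python
import os
import shutil
import tempfile

def key_file_names(count):
    """Names per the post's convention: 'primary', then 'alt-1', 'alt-2', ..."""
    return (["primary"] + ["alt-%d" % i for i in range(1, count)])[:count]

def write_repo_keys(root, repo_id, keys):
    """Store each key as <root>/<repo_id>/<name> in model order; return the paths."""
    repo_dir = os.path.join(root, repo_id)
    os.makedirs(repo_dir, exist_ok=True)
    names = key_file_names(len(keys))
    for name, key in zip(names, keys):
        with open(os.path.join(repo_dir, name), "w") as f:
            f.write(key)
    for stale in os.listdir(repo_dir):  # keys dropped from the model are removed
        if stale not in names:
            os.remove(os.path.join(repo_dir, stale))
    return [os.path.join(repo_dir, n) for n in names]

def repo_stanza(repo_id, baseurl, paths):
    """pulp.repo stanza; gpgkey= lists every stored key, continuation lines indented."""
    lines = ["[%s]" % repo_id, "baseurl=%s" % baseurl, "enabled=1"]
    if paths:  # gpgcheck=1 is this example's choice; the post does not mention it
        lines.append("gpgcheck=1")
        lines.append("gpgkey=" + "\n       ".join("file://" + p for p in paths))
    return "\n".join(lines) + "\n"

def prune_unsubscribed(root, subscribed_ids):
    """Remove <root>/<repo>/ for repos the agent is no longer subscribed to."""
    removed = []
    for repo_id in sorted(os.listdir(root)):
        if repo_id not in subscribed_ids:
            shutil.rmtree(os.path.join(root, repo_id))
            removed.append(repo_id)
    return removed

def demo(root=None):
    """Constructed run: two repos, unsubscribe 'foobar', then shrink 'myrepo' to one key."""
    root = root or tempfile.mkdtemp(prefix="pulp-gpg-")
    paths = write_repo_keys(root, "myrepo", ["KEY-A", "KEY-B", "KEY-C"])  # constructed keys
    write_repo_keys(root, "foobar", ["KEY-Z"])
    stanza = repo_stanza("myrepo", "http://pulp.example/repos/myrepo", paths)
    removed = prune_unsubscribed(root, {"myrepo"})
    write_repo_keys(root, "myrepo", ["KEY-A"])
    return {"names": [os.path.basename(p) for p in paths], "stanza": stanza,
            "removed": removed, "left": sorted(os.listdir(os.path.join(root, "myrepo")))}
```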
