[Pulp-list] GPG Keys (review)
Jeff Ortel
jortel at redhat.com
Tue Oct 12 17:14:18 UTC 2010
On 10/12/2010 11:33 AM, Jason Dobies wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> All,
>>
>> I added support for GPG keys as follows. I made some assumptions on the
>> user case(s) so, I'd appreciate a sanity check.
>>
>> * Added 'gpgkeys=[]' to the model and exposed through WS. This contains
>> the actual GPG key and not a URL to a file stored on the server. Didn't
>> see any point to making this complicated.
>
> +1, these are easy enough to just stuff in the DB.
>
>> * Added --gpgkeys option to the 'repo update' command.
>>
>> Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
>> pulp-admin repo update --id=myrepo
>> --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
>> pulp-admin repo update --id=myrepo --gpgkeys= # clear the keys
>
> Not a huge fan of the clear syntax, but I like the idea that we don't
> have fine grained add/remove keys commands. They'd really overcomplicate
> the interface for something that won't be dorked with all that regularly.
Agreed. The clear syntax seemed a little wonky but didn't want to add a ton of syntax
just to support an edge case.
>
>> Where /tmp/mykeys contains files containing keys that are uploaded and
>> stored in mongodb in the repo object.
>>
>> * Updated the RepoLib in the Agent to:
>>
>> - Download GPG keys for each subscribed repo(s) into
>> /etc/pki/rpm-gpg/pulp/<repo>
>>
>> Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
>> /etc/pki/rpm-gpg/pulp/myrepo/alt-1
>> /etc/pki/rpm-gpg/pulp/myrepo/alt-2
>> ....
>>
>> - Include gpgkeys in the repo definition in pulp.repo.
>>
>> Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
>> file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
>> file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2
>
> What happens if:
> - - Repo is created with key A
> - - User binds to repo
> - - Repo is updated to not have key A but instead key B?
>
> I'm guessing the user will have to re-run bind, which will sync down the
> keys all over again?
Yeah, this is a hole. I'm thinking we need the API to (asynchronously) request all bound
consumers to update the .repo whenever a repo is updated[1]. Or, the API could only do
this when a field changes that affects the .repo file.
Thoughts?
[1] ConsumerApi.update()
>
>> * Locally stored keys no longer associated with a pulp repo are
>> removed. That is,
>> /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed.
>> Also,
>> unreferenced keys are cleaned up.
>
> I really need to read before I start to comment. I had just outlined a
> scenario where we could have an orphaned key and then I see that you
> clean up unreferenced keys.
>
> My only question here is "when?" Is everything in the above snippet done
> on the bind for that repo?
Basically, any bind or unbind causes the .repo file to be completely reconfigured. During
this, the GPG keys will be downloaded, updated, deleted as needed.
>
>> As of now, --gpgkeys can contain a comma separated list of files
>> and/or directories. When directories are listed, all of the files in
>> directories are considered to be GPG keys and uploaded.
>
> Slick.
>
>> The GPG keys are set in the pulp.repo files in the order stored in the
>> domain model. By convention, the first key in the list is stored in the
>> file named 'primary' and all the others are stored in files named
>> 'alt-N'. There is no real significance to the file naming. I just did
>> it this way for readability and consistency with fedora key naming.
>
> I like the convention too, since it keeps us from having an overly
> complicated CLI that has to explicitly indicate one as primary. If they
> are using multiple keys, they'll get the concept of primary v. auxiliary
> and should pick this up fine.
>
>> Comments?
>
> That was fast to implement this. I think the lesson learned here is that
> Disney vacations result in high productivity and we should be able to
> get them reimbursed.
+1
>
>> -jeff
>>
>>
>>
>> _______________________________________________
>> Pulp-list mailing list
>> Pulp-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-list
>
>
> - --
> Jason Dobies
> RHCE# 805008743336126
> Freenode: jdob
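The key handling sketched in this thread, as an added example (this is not Pulp's own code and not code from either poster): the server-side parsing of a --gpgkeys value (files and/or directories, empty value clears the list), the consumer-side layout of /etc/pki/rpm-gpg/pulp/<repo>/{primary,alt-1,...}, cleanup of keys and repo directories that are no longer referenced, and rendering of the gpgkey= lines for pulp.repo. The key-directory root, the constructed sample keys, the armor-header check and the unconditional gpgcheck=1 are this example's assumptions, not part of the design described in the mail. Running the reconcile step every time the .repo file is rebuilt is what closes the "key A replaced by key B" gap raised above.

```python
"""Added example, not Pulp's own code: server-side --gpgkeys parsing and the
consumer-side key layout described in the thread, written against a
configurable root directory so it runs in a scratch dir instead of /etc/pki."""
import os
import shutil
import tempfile

ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

# Constructed stand-ins for armored keys (not valid OpenPGP data).
KEY_A = ARMOR_HEADER + "\n\nAAAA-constructed-key-A\n-----END PGP PUBLIC KEY BLOCK-----\n"
KEY_B = ARMOR_HEADER + "\n\nBBBB-constructed-key-B\n-----END PGP PUBLIC KEY BLOCK-----\n"


def collect_gpgkeys(spec):
    """Server side: turn a --gpgkeys value (comma-separated files and/or
    directories; every regular file in a directory counts) into the key
    contents stored on the repo. An empty value clears the list.
    Added check (assumption): refuse anything that is not an ASCII-armored
    public key block, so a stray file in the directory is not pushed to
    every bound consumer as a 'key'."""
    keys = []
    for path in filter(None, (p.strip() for p in spec.split(","))):
        if os.path.isdir(path):
            files = sorted(os.path.join(path, f) for f in os.listdir(path))
            files = [f for f in files if os.path.isfile(f)]
        else:
            files = [path]
        for f in files:
            with open(f) as fp:
                data = fp.read()
            if not data.startswith(ARMOR_HEADER):
                raise ValueError("%s is not an armored PGP public key" % f)
            keys.append(data)
    return keys


def key_names(count):
    """First key is 'primary', the rest alt-1, alt-2, ... as in the thread."""
    return (["primary"] + ["alt-%d" % i for i in range(1, count)])[:count]


def reconcile_keys(root, bound):
    """Consumer side: make <root>/<repo>/ hold exactly the keys of each bound
    repo (bound: {repo_id: [key, ...]}), delete key files a repo no longer
    lists, and delete directories of repos no longer bound. Idempotent, so
    re-running it on every .repo rebuild (bind, unbind, server-pushed update)
    replaces a dropped key A with the new key B. Returns key paths per repo,
    in model order."""
    os.makedirs(root, exist_ok=True)
    for entry in os.listdir(root):
        p = os.path.join(root, entry)
        if entry not in bound:
            shutil.rmtree(p) if os.path.isdir(p) else os.remove(p)
    paths = {}
    for repo_id, keys in bound.items():
        repo_dir = os.path.join(root, repo_id)
        os.makedirs(repo_dir, exist_ok=True)
        names = key_names(len(keys))
        for name, data in zip(names, keys):
            with open(os.path.join(repo_dir, name), "w") as fp:
                fp.write(data)
        for stale in set(os.listdir(repo_dir)) - set(names):
            os.remove(os.path.join(repo_dir, stale))
        paths[repo_id] = [os.path.join(repo_dir, n) for n in names]
    return paths


def render_stanza(repo_id, baseurl, key_paths):
    """One pulp.repo stanza. gpgcheck=1 is set unconditionally (this example's
    choice, not stated in the thread): keys in gpgkey= only matter when
    gpgcheck is on, and a repo with no keys then fails closed."""
    lines = ["[%s]" % repo_id, "name=%s" % repo_id, "baseurl=%s" % baseurl,
             "enabled=1", "gpgcheck=1"]
    if key_paths:
        urls = ["file://" + p for p in key_paths]
        lines.append("gpgkey=" + ("\n" + " " * 7).join(urls))
    return "\n".join(lines) + "\n"


def demo():
    """Walk the thread's scenario (update, bind, key swap, unbind) in a
    scratch directory and return what each step left on disk."""
    work = tempfile.mkdtemp()
    upload = os.path.join(work, "mykeys")          # stands in for /tmp/mykeys
    os.mkdir(upload)
    for name, data in (("key-1", KEY_A), ("key-2", KEY_B)):
        with open(os.path.join(upload, name), "w") as fp:
            fp.write(data)
    root = os.path.join(work, "rpm-gpg", "pulp")   # stands in for /etc/pki/rpm-gpg/pulp
    out = {}
    keys = collect_gpgkeys(upload)                  # repo update --gpgkeys=/tmp/mykeys
    paths = reconcile_keys(root, {"myrepo": keys})  # bind
    out["after_bind"] = sorted(os.listdir(os.path.join(root, "myrepo")))
    out["stanza"] = render_stanza("myrepo", "https://pulp.example/repos/myrepo",
                                  paths["myrepo"])
    reconcile_keys(root, {"myrepo": [KEY_B]})       # repo updated: A dropped, B is primary
    out["after_update"] = sorted(os.listdir(os.path.join(root, "myrepo")))
    with open(os.path.join(root, "myrepo", "primary")) as fp:
        out["primary_is_b"] = fp.read() == KEY_B
    reconcile_keys(root, {})                        # unbind: repo dir removed
    out["after_unbind"] = os.listdir(root)
    bogus = os.path.join(work, "notakey")
    with open(bogus, "w") as fp:
        fp.write("this is not a key\n")
    try:
        collect_gpgkeys(bogus)
        out["rejects_non_key"] = False
    except ValueError:
        out["rejects_non_key"] = True
    shutil.rmtree(work)
    return out


if __name__ == "__main__":
    print(demo()["stanza"])
```

Calling demo() prints the rendered stanza; the gpgkey= continuation lines use the same indented multi-URL form the thread shows for pulp.repo.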