[Pulp-list] GPG Keys (review)

Jeff Ortel jortel at redhat.com
Tue Oct 12 17:14:18 UTC 2010



On 10/12/2010 11:33 AM, Jason Dobies wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> All,
>>
>> I added support for GPG keys as follows.  I made some assumptions on the
>> use case(s) so, I'd appreciate a sanity check.
>>
>> * Added 'gpgkeys=[]' to the model and exposed through WS.  This contains
>>    the actual GPG key and not a URL to a file stored on the server.  Didn't
>>    see any point to making this complicated.
>
> +1, these are easy enough to just stuff in the DB.
>
>> * Added --gpgkeys option to the 'repo update' command.
>>
>>     Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
>>         pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
>>         pulp-admin repo update --id=myrepo --gpgkeys=  # clear the keys
>
> Not a huge fan of the clear syntax, but I like the idea that we don't
> have fine grained add/remove keys commands. They'd really overcomplicate
> the interface for something that won't be dorked with all that regularly.

Agreed.  The clear syntax seemed a little wonky but didn't want to add a ton of syntax 
just to support an edge case.

>
>>     Where /tmp/mykeys contains files containing keys that are uploaded and
>>     stored in mongodb in the repo object.
>>
>> * Updated the RepoLib in the Agent to:
>>
>>    - Download GPG keys for each subscribed repo(s) into /etc/pki/rpm-gpg/pulp/<repo>
>>
>>        Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
>>                  /etc/pki/rpm-gpg/pulp/myrepo/alt-1
>>                  /etc/pki/rpm-gpg/pulp/myrepo/alt-2
>>                  ....
>>
>>    - Include gpgkeys in the repo definition in pulp.repo.
>>
>>       Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
>>                  file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
>>                  file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2
>
> What happens if:
> - Repo is created with key A
> - User binds to repo
> - Repo is updated to not have key A but instead key B?
>
> I'm guessing the user will have to re-run bind, which will sync down the
> keys all over again?

Yeah, this is a hole.  I'm thinking we need the API to (asynchronously) request all bound 
consumers to update the .repo whenever a repo is updated[1].  Or, the API could only do 
this when a field changes that affects the .repo file.

Thoughts?

[1] ConsumerApi.update()

>
>> * Locally stored keys no longer associated with a pulp repo are removed.  That is,
>>    /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed.  Also,
>>    unreferenced keys are cleaned up.
>
> I really need to read before I start to comment. I had just outlined a
> scenario where we could have an orphaned key and then I see that you
> clean up unreferenced keys.
>
> My only question here is "when?" Is everything in the above snippet done
> on the bind for that repo?

Basically, any bind or unbind causes the .repo file to be completely reconfigured.  During 
this, the GPG keys will be downloaded, updated, deleted as needed.

>
>> As of now --gpgkeys can contain a comma separated list of files
>> and/or directories. When directories are listed, all of the files in
>> directories are considered to be GPG keys and uploaded.
>
> Slick.
>
>> The GPG keys are set in the pulp.repo files in the order stored in the
>> domain model.  By convention, the first key in the list is stored in the
>> file named 'primary' and all the others are stored in files named
>> 'alt-N'.  There is no real significance to the file naming.  I just did
>> it this way for readability and consistency with fedora key naming.
>
> I like the convention too, since it keeps us from having an overly
> complicated CLI that has to explicitly indicate one as primary. If they
> are using multiple keys, they'll get the concept of primary v. auxiliary
> and should pick this up fine.
>
>> Comments?
>
> That was fast to implement this. I think the lesson learned here is that
> Disney vacations result in high productivity and we should be able to
> get them reimbursed.

+1

>
>> -jeff
>>
>>
>>
>> _______________________________________________
>> Pulp-list mailing list
>> Pulp-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/pulp-list
>
>
> --
> Jason Dobies
> RHCE# 805008743336126
> Freenode: jdob
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJMtI3wAAoJEOMmcTqOSQHCLRsH/2lF4zV4r2ZZzoD0QLp47Qqy
> BDp7F7U7xV9rvHcQ3nrFfUg8z6/ZgF1k58QlIkfgguqv3xPUnMkYleYnDqYLJ7Hv
> OYQ34E02yj7KaN071bOuXmMPO339/XWqB3PSLnVv1bcQh2efm/5OAQWXHPhWqqRj
> MJKIdAAA+WYXfJKQQlqqgtoafhQXYbOgoaviFDTYZ8APA5guJFCzMIkMSTkmodWF
> rtDN+brvHxAZ/yB/tdFQCSfFFkdAcjvvspYb9ontjFX9RausBM3k27cqy0fbKWfe
> f4N2mhw6Y/CAkHcLoGsNebxY0977QRR81ac9aBYghrh6nTtv7bwonlqC7Yl9Rcc=
> =dWil
> -----END PGP SIGNATURE-----
>

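The agent-side mechanism described in the thread (keys written to /etc/pki/rpm-gpg/pulp/<repo>/ as 'primary' and 'alt-N' in model order, multi-valued gpgkey= lines in pulp.repo, and stale or unbound keys cleaned up on every bind/unbind) can be sketched as a small standalone script. This is an added example written for this page, not Pulp's RepoLib code. The key directory and pulp.repo location are parameters rather than the real system paths, the repo dictionary fields (name, baseurl, gpgkeys) are assumed, the key material is constructed placeholder text, and emitting gpgcheck=1 whenever keys are present is the author's assumption, not something the thread states.

```python
"""Agent-side GPG key handling, modelled on the design discussed in the thread.
Example code for this page; not Pulp's own implementation."""
import os
import shutil
import tempfile

# Constructed sample key blocks; placeholders, not real PGP public keys.
KEY_A = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nKEY-A\n-----END PGP PUBLIC KEY BLOCK-----\n"
KEY_B = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nKEY-B\n-----END PGP PUBLIC KEY BLOCK-----\n"
KEY_C = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nKEY-C\n-----END PGP PUBLIC KEY BLOCK-----\n"


def key_filenames(count):
    """Thread convention: first key is 'primary', the rest 'alt-1', 'alt-2', ..."""
    if count == 0:
        return []
    return ["primary"] + ["alt-%d" % i for i in range(1, count)]


def write_repo_keys(keydir, repo_id, keys):
    """Store keys under keydir/<repo_id>/ in model order; delete files no longer referenced."""
    repo_dir = os.path.join(keydir, repo_id)
    names = key_filenames(len(keys))
    if not names:                       # keys cleared on the server: drop the whole directory
        shutil.rmtree(repo_dir, ignore_errors=True)
        return []
    os.makedirs(repo_dir, exist_ok=True)
    paths = []
    for name, key in zip(names, keys):
        path = os.path.join(repo_dir, name)
        with open(path, "w") as fp:
            fp.write(key)
        os.chmod(path, 0o644)           # public keys: world-readable, owner-writable (assumption)
        paths.append(path)
    for entry in os.listdir(repo_dir):  # e.g. an old alt-2 after the key list shrank
        if entry not in names:
            os.remove(os.path.join(repo_dir, entry))
    return paths


def remove_unbound_keys(keydir, bound_ids):
    """Remove keydir/<repo>/ for every repo the consumer is no longer bound to."""
    removed = []
    if os.path.isdir(keydir):
        for entry in os.listdir(keydir):
            if entry not in bound_ids:
                shutil.rmtree(os.path.join(keydir, entry))
                removed.append(entry)
    return sorted(removed)


def repo_stanza(repo_id, repo, key_paths):
    """One [repo] section for pulp.repo; yum accepts several gpgkey URLs, one per line."""
    lines = ["[%s]" % repo_id,
             "name=%s" % repo["name"],
             "baseurl=%s" % repo["baseurl"],
             "enabled=1"]
    if key_paths:
        lines.append("gpgcheck=1")      # assumption: keys only help if signature checking is on
        lines.append("gpgkey=file://%s" % key_paths[0])
        lines.extend("       file://%s" % p for p in key_paths[1:])
    return "\n".join(lines) + "\n"


def reconfigure(keydir, repo_file, bound_repos):
    """Full rewrite of keys and pulp.repo, as the thread says happens on any bind/unbind."""
    stanzas = []
    for repo_id in sorted(bound_repos):
        repo = bound_repos[repo_id]
        paths = write_repo_keys(keydir, repo_id, repo.get("gpgkeys", []))
        stanzas.append(repo_stanza(repo_id, repo, paths))
    remove_unbound_keys(keydir, set(bound_repos))
    content = "\n".join(stanzas)
    with open(repo_file, "w") as fp:
        fp.write(content)
    return content


def layout(keydir):
    """Sorted relative paths of every key file under keydir (for inspection)."""
    found = []
    for root, _dirs, files in os.walk(keydir):
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), keydir))
    return sorted(found)


def run_demo():
    """Bind two repos, then swap one repo's keys and unbind the other; return what is observed."""
    work = tempfile.mkdtemp()
    keydir = os.path.join(work, "etc", "pki", "rpm-gpg", "pulp")   # stand-in for the real path
    repo_file = os.path.join(work, "pulp.repo")
    try:
        bound = {"myrepo": {"name": "My Repo", "baseurl": "https://pulp.example.test/myrepo",
                            "gpgkeys": [KEY_A, KEY_B]},
                 "foobar": {"name": "Foo Bar", "baseurl": "https://pulp.example.test/foobar",
                            "gpgkeys": [KEY_C]}}
        first = reconfigure(keydir, repo_file, bound)
        first_layout = layout(keydir)
        bound["myrepo"]["gpgkeys"] = [KEY_B]    # the scenario from the thread: A replaced by B
        del bound["foobar"]                     # and the consumer unbound from foobar
        second = reconfigure(keydir, repo_file, bound)
        with open(os.path.join(keydir, "myrepo", "primary")) as fp:
            primary_now = fp.read()
        return {"first_layout": first_layout, "second_layout": layout(keydir),
                "first_repo": first, "second_repo": second, "primary_now": primary_now}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=>", v)
```

The second reconfigure pass is the one that answers the "what happens if key A is replaced by key B" question: because the whole tree is rebuilt from the server-side model, the stale alt-1 file and the unbound foobar directory disappear and the new primary holds key B, provided the consumer is actually told to rerun the reconfiguration.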