[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pulp-list] GPG Keys (review)



All,

I added support for GPG keys as follows. I made some assumptions on the user case(s) so, I'd appreciate a sanity check.

* Added 'gpgkeys=[]' to the model and exposed through WS.  This contains
  the actual GPG key and not a URL to a file stored on the server.  Didn't
  see any point to making this complicated.

* Added --gpgkeys option to the 'repo update' command.

   Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
       pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
       pulp-admin repo update --id=myrepo --gpgkeys=  # clear the keys

   Where /tmp/mykeys contains files containing keys that are uploaded and
   stored in mongodb in the repo object.

* Updated the RepoLib in the Agent to:

  - Download GPG keys for each subscribed repo(s) into /etc/pki/rpm-gpg/pulp/<repo>

      Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
                /etc/pki/rpm-gpg/pulp/myrepo/alt-1
                /etc/pki/rpm-gpg/pulp/myrepo/alt-2
                ....

  - Include gpgkeys in the repo definition in pulp.repo.

     Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
                file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
                file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2

* Locally stored keys no longer associated with a pulp repo are removed.  That is,
  /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed.  Also,
  unreferenced keys are cleaned up.

As of now keys --gpgkeys can contain a comma separated list of files and/or directories. When directories are listed, all of the files in directories are considered to be GPG keys and uploaded.

The GPG keys are set in the pulp.repo files in the order stored in the domain model. By convention, The first key in the list is stored in the file named 'primary' and all the others are stored in files named 'alt-N'. There is not real significance to the file naming. I just did it this way for readability and consistency with fedora key naming.

Comments?

-jeff

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]