[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pulp-list] GPG Keys (review)

Hash: SHA1

> All,
> I added support for GPG keys as follows.  I made some assumptions on the
> user case(s) so, I'd appreciate a sanity check.
> * Added 'gpgkeys=[]' to the model and exposed through WS.  This contains
>   the actual GPG key and not a URL to a file stored on the server.  Didn't
>   see any point to making this complicated.

+1, these are easy enough to just stuff in the DB.

> * Added --gpgkeys option to the 'repo update' command.
>    Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
>        pulp-admin repo update --id=myrepo
> --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
>        pulp-admin repo update --id=myrepo --gpgkeys=  # clear the keys

Not a huge fan of the clear syntax, but I like the idea that we don't
have fine grained add/remove keys commands. They'd really overcomplicate
the interface for something that won't be dorked with all that regularly.

>    Where /tmp/mykeys contains files containing keys that are uploaded and
>    stored in mongodb in the repo object.
> * Updated the RepoLib in the Agent to:
>   - Download GPG keys for each subscribed repo(s) into
> /etc/pki/rpm-gpg/pulp/<repo>
>       Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
>                 /etc/pki/rpm-gpg/pulp/myrepo/alt-1
>                 /etc/pki/rpm-gpg/pulp/myrepo/alt-2
>                 ....
>   - Include gpgkeys in the repo definition in pulp.repo.
>      Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
>                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
>                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2

What happens if:
- - Repo is created with key A
- - User binds to repo
- - Repo is updated to not have key A but instead key B?

I'm guessing the user will have to re-run bind, which will sync down the
keys all over again?

> * Locally stored keys no longer associated with a pulp repo are
> removed.  That is,
>   /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed. 
> Also,
>   unreferenced keys are cleaned up.

I really need to read before I start to comment. I had just outlined a
scenario where we could have an orphaned key and then I see that you
clean up unreferenced keys.

My only question here is "when?" Is everything in the above snippet done
on the bind for that repo?

> As of now keys --gpgkeys can contain a comma separated list of files
> and/or directories. When directories are listed, all of the files in
> directories are considered to be GPG keys and uploaded.


> The GPG keys are set in the pulp.repo files in the order stored in the
> domain model.  By convention, The first key in the list is stored in the
> file named 'primary' and all the others are stored in files named
> 'alt-N'.  There is not real significance to the file naming.  I just did
> it this way for readability and consistency with fedora key naming.

I like the convention too, since it keeps us from having an overly
complicated CLI that has to explicitly indicate one as primary. If they
are using multiple keys, they'll get the concept of primary v. auxiliary
and should pick this up fine.

> Comments?

That was fast to implement this. I think the lesson learned here is that
Disney vacations result in high productivity and we should be able to
get them reimbursed.

> -jeff
> _______________________________________________
> Pulp-list mailing list
> Pulp-list redhat com
> https://www.redhat.com/mailman/listinfo/pulp-list

- -- 
Jason Dobies
RHCE# 805008743336126
Freenode: jdob
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]