
Re: [Pulp-list] GPG Keys (review)





On 10/12/2010 11:33 AM, Jason Dobies wrote:

All,

I added support for GPG keys as follows.  I made some assumptions on the
use case(s), so I'd appreciate a sanity check.

* Added 'gpgkeys=[]' to the model and exposed through WS.  This contains
   the actual GPG key and not a URL to a file stored on the server.  Didn't
   see any point to making this complicated.

+1, these are easy enough to just stuff in the DB.

* Added --gpgkeys option to the 'repo update' command.

    Eg: pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
        pulp-admin repo update --id=myrepo
--gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
        pulp-admin repo update --id=myrepo --gpgkeys=  # clear the keys

Not a huge fan of the clear syntax, but I like the idea that we don't
have fine grained add/remove keys commands. They'd really overcomplicate
the interface for something that won't be dorked with all that regularly.

Agreed. The clear syntax seemed a little wonky, but I didn't want to add a ton of syntax just to support an edge case.


    Where /tmp/mykeys contains files containing keys that are uploaded and
    stored in mongodb in the repo object.

* Updated the RepoLib in the Agent to:

   - Download GPG keys for each subscribed repo(s) into
/etc/pki/rpm-gpg/pulp/<repo>

       Stored as /etc/pki/rpm-gpg/pulp/myrepo/primary
                 /etc/pki/rpm-gpg/pulp/myrepo/alt-1
                 /etc/pki/rpm-gpg/pulp/myrepo/alt-2
                 ....

   - Include gpgkeys in the repo definition in pulp.repo.

      Eg: gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
                 file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2

What happens if:
- Repo is created with key A
- User binds to repo
- Repo is updated to not have key A but instead key B?

I'm guessing the user will have to re-run bind, which will sync down the
keys all over again?

Yeah, this is a hole. I'm thinking we need the API to (asynchronously) request all bound consumers to update the .repo whenever a repo is updated[1]. Or, the API could only do this when a field changes that affects the .repo file.

Thoughts?

[1] ConsumerApi.update()


* Locally stored keys no longer associated with a pulp repo are
removed.  That is,
   /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed.
Also,
   unreferenced keys are cleaned up.

I really need to read before I start to comment. I had just outlined a
scenario where we could have an orphaned key and then I see that you
clean up unreferenced keys.

My only question here is "when?" Is everything in the above snippet done
on the bind for that repo?

Basically, any bind or unbind causes the .repo file to be completely reconfigured. During this, the GPG keys will be downloaded, updated, deleted as needed.


As of now, --gpgkeys can contain a comma separated list of files
and/or directories. When directories are listed, all of the files in those
directories are considered to be GPG keys and uploaded.

Slick.

The GPG keys are set in the pulp.repo files in the order stored in the
domain model.  By convention, the first key in the list is stored in the
file named 'primary' and all the others are stored in files named
'alt-N'.  There is no real significance to the file naming.  I just did
it this way for readability and consistency with Fedora key naming.

I like the convention too, since it keeps us from having an overly
complicated CLI that has to explicitly indicate one as primary. If they
are using multiple keys, they'll get the concept of primary v. auxiliary
and should pick this up fine.

Comments?

That was fast to implement this. I think the lesson learned here is that
Disney vacations result in high productivity and we should be able to
get them reimbursed.

+1


-jeff



_______________________________________________
Pulp-list mailing list
Pulp-list redhat com
https://www.redhat.com/mailman/listinfo/pulp-list


--
Jason Dobies
RHCE# 805008743336126
Freenode: jdob
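The agent-side behaviour discussed in this thread (keys written under /etc/pki/rpm-gpg/pulp/<repo> as primary/alt-N in model order, a gpgkey list in the .repo stanza, and stale key files removed on the next bind/unbind) as an added example that is not Pulp's own code. The gpgcheck=1 line is an assumption not stated in the thread, and the demo() scenario and key contents are constructed.

```python
import os
import shutil
import tempfile

# Layout from the thread: /etc/pki/rpm-gpg/pulp/<repo>/{primary,alt-1,alt-2,...}
KEY_ROOT = "/etc/pki/rpm-gpg/pulp"


def key_file_names(count):
    """First key is 'primary', the rest 'alt-1', 'alt-2', ... in model order."""
    return ["primary" if i == 0 else "alt-%d" % i for i in range(count)]


def repo_section(repo_id, keys, key_root=KEY_ROOT):
    """Render a pulp.repo stanza with one file:// gpgkey URL per stored key."""
    urls = ["file://%s/%s/%s" % (key_root, repo_id, name)
            for name in key_file_names(len(keys))]
    lines = ["[%s]" % repo_id, "name=%s" % repo_id]
    if urls:
        lines.append("gpgkey=" + "\n       ".join(urls))
        lines.append("gpgcheck=1")  # assumption: not in the thread; keys are inert without it
    return "\n".join(lines) + "\n"


def sync_keys(repo_id, keys, key_root):
    """Write the repo's current keys, delete unreferenced files, return what was removed."""
    repo_dir = os.path.join(key_root, repo_id)
    wanted = dict(zip(key_file_names(len(keys)), keys))
    if wanted:
        os.makedirs(repo_dir, exist_ok=True)
        for name, content in wanted.items():
            with open(os.path.join(repo_dir, name), "w") as fh:
                fh.write(content)
    removed = []
    if os.path.isdir(repo_dir):
        for name in sorted(os.listdir(repo_dir)):
            if name not in wanted:          # key dropped from the repo model
                os.remove(os.path.join(repo_dir, name))
                removed.append(name)
        if not wanted:                      # unbound: the whole repo directory goes away
            os.rmdir(repo_dir)
    return removed


def demo():
    """Constructed scenario: bind with keys A,B,C; repo updated to A,B; then unbind."""
    root = tempfile.mkdtemp()
    try:
        first = sync_keys("myrepo", ["KEY-A", "KEY-B", "KEY-C"], root)
        second = sync_keys("myrepo", ["KEY-A", "KEY-B"], root)
        stanza = repo_section("myrepo", ["KEY-A", "KEY-B"], root)
        third = sync_keys("myrepo", [], root)
        return first, second, third, stanza, os.path.exists(os.path.join(root, "myrepo"))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running demo() shows the second sync removing only alt-2 and the unbind removing primary and alt-1 along with the directory.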


