> All,
>
> I added support for GPG keys as follows. I made some assumptions on the
> user case(s) so, I'd appreciate a sanity check.
>
> * Added 'gpgkeys=[]' to the model and exposed through WS. This contains
>   the actual GPG key and not a URL to a file stored on the server. Didn't
>   see any point to making this complicated.

+1, these are easy enough to just stuff in the DB.

> * Added --gpgkeys option to the 'repo update' command.
>
>   Eg:
>     pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
>     pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
>     pulp-admin repo update --id=myrepo --gpgkeys=    # clear the keys

Not a huge fan of the clear syntax, but I like the idea that we don't have fine-grained add/remove keys commands. They'd really overcomplicate the interface for something that won't be dorked with all that regularly.

>   Where /tmp/mykeys contains files containing keys that are uploaded and
>   stored in mongodb in the repo object.
>
> * Updated the RepoLib in the Agent to:
>
>   - Download GPG keys for each subscribed repo(s) into
>     /etc/pki/rpm-gpg/pulp/<repo>
>
>     Stored as:
>       /etc/pki/rpm-gpg/pulp/myrepo/primary
>       /etc/pki/rpm-gpg/pulp/myrepo/alt-1
>       /etc/pki/rpm-gpg/pulp/myrepo/alt-2
>       ....
>
>   - Include gpgkeys in the repo definition in pulp.repo.
>
>     Eg:
>       gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
>              file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
>              file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2

What happens if:
- Repo is created with key A
- User binds to repo
- Repo is updated to not have key A but instead key B?

I'm guessing the user will have to re-run bind, which will sync down the keys all over again?

> * Locally stored keys no longer associated with a pulp repo are
>   removed. That is, /etc/pki/rpm-gpg/pulp/foobar/* is removed when no
>   longer subscribed. Also, unreferenced keys are cleaned up.

I really need to read before I start to comment. I had just outlined a scenario where we could have an orphaned key and then I see that you clean up unreferenced keys. My only question here is "when?" Is everything in the above snippet done on the bind for that repo?

> As of now --gpgkeys can contain a comma separated list of files
> and/or directories. When directories are listed, all of the files in
> the directories are considered to be GPG keys and uploaded.

Slick.

> The GPG keys are set in the pulp.repo files in the order stored in the
> domain model. By convention, the first key in the list is stored in the
> file named 'primary' and all the others are stored in files named
> 'alt-N'. There is no real significance to the file naming. I just did
> it this way for readability and consistency with fedora key naming.

I like the convention too, since it keeps us from having an overly complicated CLI that has to explicitly indicate one as primary. If they are using multiple keys, they'll get the concept of primary v. auxiliary and should pick this up fine.

> Comments?

That was fast to implement. I think the lesson learned here is that Disney vacations result in high productivity and we should be able to get them reimbursed.

> -jeff
>
> _______________________________________________
> Pulp-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pulp-list

-- 
Jason Dobies
RHCE# 805008743336126
Freenode: jdob
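The agent-side key layout and cleanup discussed in the thread, as an added example that is not Pulp's RepoLib: keys for each bound repo are written under a base directory (standing in for /etc/pki/rpm-gpg/pulp) as primary/alt-N in model order, files left over from a key rotation are removed, directories for repos the host is no longer bound to are pruned, and the gpgkey= value for pulp.repo is produced. The demo() walk-through and the KEY-* strings are constructed; the function names are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path

# Added example, not Pulp's own code. Layout: <base>/<repo_id>/{primary,alt-1,...}
# where `base` stands in for /etc/pki/rpm-gpg/pulp.

def key_filenames(count):
    """'primary' for the first key, 'alt-N' for the rest, in model order."""
    return ["primary"] + [f"alt-{i}" for i in range(1, count)] if count else []

def sync_repo_keys(base, repo_id, keys):
    """Store `keys` (ASCII-armored text) for one repo, drop stored files that are
    no longer referenced, and return the gpgkey= value for pulp.repo."""
    repo_dir = Path(base) / repo_id
    repo_dir.mkdir(parents=True, exist_ok=True)
    wanted = key_filenames(len(keys))
    for name, key in zip(wanted, keys):
        (repo_dir / name).write_text(key)
    # A rotation (key A -> key B) or a shorter list leaves stale files behind.
    for stale in repo_dir.iterdir():
        if stale.name not in wanted:
            stale.unlink()
    if not keys:                       # '--gpgkeys=' cleared the repo's keys
        repo_dir.rmdir()
        return ""
    # yum accepts several URLs under one gpgkey=, continued on indented lines.
    return "\n       ".join(f"file://{repo_dir / n}" for n in wanted)

def prune_unsubscribed(base, subscribed):
    """Remove <base>/<repo>/ for every repo the host is no longer bound to."""
    removed = []
    for d in Path(base).iterdir():
        if d.is_dir() and d.name not in subscribed:
            shutil.rmtree(d)
            removed.append(d.name)
    return sorted(removed)

def demo():
    """Bind with keys A+B, rotate to B only, unbind from 'foobar', clear keys."""
    with tempfile.TemporaryDirectory() as base:
        first = sync_repo_keys(base, "myrepo", ["KEY-A", "KEY-B"])  # constructed keys
        bound = sorted(p.name for p in (Path(base) / "myrepo").iterdir())
        sync_repo_keys(base, "myrepo", ["KEY-B"])                  # A dropped, B promoted
        rotated = sorted(p.name for p in (Path(base) / "myrepo").iterdir())
        promoted = (Path(base) / "myrepo" / "primary").read_text()
        sync_repo_keys(base, "foobar", ["KEY-X"])
        pruned = prune_unsubscribed(base, {"myrepo"})              # no longer bound to foobar
        cleared = sync_repo_keys(base, "myrepo", [])
        return first.count("file://"), bound, rotated, promoted, pruned, cleared
```

Running demo() shows that after the rotation only 'primary' (now holding key B) remains, so a stale key A is never left in the trust path of the repo.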
