On 10/12/2010 11:33 AM, Jason Dobies wrote:
>> All, I added support for GPG keys as follows. I made some assumptions on the user case(s) so I'd appreciate a sanity check.
>>
>> * Added 'gpgkeys=[]' to the model and exposed through WS. This contains the actual GPG key and not a URL to a file stored on the server. Didn't see any point to making this complicated.
>
> +1, these are easy enough to just stuff in the DB.
>
>> * Added --gpgkeys option to the 'repo update' command. Eg:
>>
>>   pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys
>>   pulp-admin repo update --id=myrepo --gpgkeys=/tmp/mykeys/primary,/tmp/mykeys/alt
>>   pulp-admin repo update --id=myrepo --gpgkeys=   # clear the keys
>
> Not a huge fan of the clear syntax, but I like the idea that we don't have fine grained add/remove keys commands. They'd really overcomplicate the interface for something that won't be dorked with all that regularly.
Agreed. The clear syntax seemed a little wonky, but I didn't want to add a ton of syntax just to support an edge case.
>> Where /tmp/mykeys contains files containing keys that are uploaded and stored in mongodb in the repo object.
>>
>> * Updated the RepoLib in the Agent to:
>>   - Download GPG keys for each subscribed repo(s) into /etc/pki/rpm-gpg/pulp/<repo>
>>     Stored as
>>       /etc/pki/rpm-gpg/pulp/myrepo/primary
>>       /etc/pki/rpm-gpg/pulp/myrepo/alt-1
>>       /etc/pki/rpm-gpg/pulp/myrepo/alt-2
>>       ....
>>   - Include gpgkeys in the repo definition in pulp.repo. Eg:
>>       gpgkey=file:///etc/pki/rpm-gpg/pulp/myrepo/primary
>>              file:///etc/pki/rpm-gpg/pulp/myrepo/alt-1
>>              file:///etc/pki/rpm-gpg/pulp/myrepo/alt-2
>
> What happens if:
> - Repo is created with key A
> - User binds to repo
> - Repo is updated to not have key A but instead key B?
>
> I'm guessing the user will have to re-run bind, which will sync down the keys all over again?
Yeah, this is a hole. I'm thinking we need the API to (asynchronously) request all bound consumers to update the .repo whenever a repo is updated [1]. Or, the API could only do this when a field changes that affects the .repo file.

Thoughts?

[1] ConsumerApi.update()
>> * Locally stored keys no longer associated with a pulp repo are removed. That is, /etc/pki/rpm-gpg/pulp/foobar/* is removed when no longer subscribed. Also, unreferenced keys are cleaned up.
>
> I really need to read before I start to comment. I had just outlined a scenario where we could have an orphaned key and then I see that you clean up unreferenced keys. My only question here is "when?" Is everything in the above snippet done on the bind for that repo?
Basically, any bind or unbind causes the .repo file to be completely reconfigured. During this, the GPG keys will be downloaded, updated, deleted as needed.
>> As of now, --gpgkeys can contain a comma-separated list of files and/or directories. When directories are listed, all of the files in those directories are considered to be GPG keys and uploaded.
>
> Slick.
>
>> The GPG keys are set in the pulp.repo files in the order stored in the domain model. By convention, the first key in the list is stored in the file named 'primary' and all the others are stored in files named 'alt-N'. There is no real significance to the file naming. I just did it this way for readability and consistency with fedora key naming.
>
> I like the convention too, since it keeps us from having an overly complicated CLI that has to explicitly indicate one as primary. If they are using multiple keys, they'll get the concept of primary v. auxiliary and should pick this up fine.
>
>> Comments?
>
> That was fast to implement this. I think the lesson learned here is that Disney vacations result in high productivity and we should be able to get them reimbursed.
+1
>> -jeff
>
> --
> Jason Dobies
> RHCE# 805008743336126
> Freenode: jdob
_______________________________________________ Pulp-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/pulp-list
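The agent-side behaviour sketched in the thread (keys written as primary/alt-N under a per-repo directory, listed as file:// URLs on one gpgkey= line, and directories for repos no longer bound removed on reconfiguration), as an added Python example that is not Pulp's own RepoLib code; the base directory, function names and key contents are assumptions.

```python
import os
import shutil
import tempfile

def key_filenames(count):
    """First key is 'primary', the rest 'alt-1', 'alt-2', ... (the thread's convention)."""
    return (["primary"] + ["alt-%d" % i for i in range(1, count)])[:count]

def write_repo_keys(base, repo_id, keys):
    """Write this repo's keys in model order and return their file:// URLs."""
    repo_dir = os.path.join(base, repo_id)
    # Rebuild the directory so a key dropped from the repo (key A -> key B) does not linger.
    shutil.rmtree(repo_dir, ignore_errors=True)
    os.makedirs(repo_dir)
    urls = []
    for name, content in zip(key_filenames(len(keys)), keys):
        path = os.path.join(repo_dir, name)
        with open(path, "w") as fp:
            fp.write(content)
        urls.append("file://" + path)
    return urls

def gpgkey_line(urls):
    """yum accepts several whitespace-separated URLs in a single gpgkey= value."""
    return "gpgkey=" + " ".join(urls)

def reconfigure(base, bound_repos):
    """bound_repos maps repo id -> key contents (model order). Deletes the key
    directories of repos that are no longer bound and returns {repo id: gpgkey line}."""
    os.makedirs(base, exist_ok=True)
    for stale in set(os.listdir(base)) - set(bound_repos):
        shutil.rmtree(os.path.join(base, stale))
    return {rid: gpgkey_line(write_repo_keys(base, rid, keys))
            for rid, keys in bound_repos.items()}

def demo():
    """Constructed scenario from the thread: bind myrepo (key A plus an alt key) and
    foobar, then myrepo is updated to key B only and foobar is unbound."""
    base = tempfile.mkdtemp()  # assumed stand-in for /etc/pki/rpm-gpg/pulp
    first = reconfigure(base, {"myrepo": ["KEY-A", "KEY-ALT"], "foobar": ["KEY-F"]})
    second = reconfigure(base, {"myrepo": ["KEY-B"]})
    with open(os.path.join(base, "myrepo", "primary")) as fp:
        primary = fp.read()
    state = {"dirs": sorted(os.listdir(base)),
             "files": sorted(os.listdir(os.path.join(base, "myrepo")))}
    shutil.rmtree(base)
    return first, second, primary, state
```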
