diff --git a/plugins/quetz_content_trust/quetz_content_trust/main.py b/plugins/quetz_content_trust/quetz_content_trust/main.py
index c8678df6..72e0f131 100644
--- a/plugins/quetz_content_trust/quetz_content_trust/main.py
+++ b/plugins/quetz_content_trust/quetz_content_trust/main.py
@@ -44,8 +44,27 @@ def post_index_creation(raw_repodata: dict, channel_name, subdir):
 "packages.conda", {}
 )
 for name, metadata in packages.items():
+ # Only sign the relevant metadata
+ signable_metadata_keys = [
+ "build",
+ "build_number",
+ "constrains",
+ "depends",
+ "license",
+ "name",
+ "version",
+ "subdir",
+ "size",
+ "timestamp",
+ "md5",
+ "sha256",
+ ]
+ metadata_to_sign = {
+ k: metadata[k] for k in signable_metadata_keys if k in metadata
+ }
 sig = libmamba_api.sign(
- json.dumps(metadata, indent=2, sort_keys=True), query[0].private_key
+ json.dumps(metadata_to_sign, indent=2, sort_keys=True),
+ query[0].private_key,
 )
 if name not in signatures:
 signatures[name] = {}
diff --git a/quetz/repo_data.py b/quetz/repo_data.py
index ee109515..a2dce98c 100644
--- a/quetz/repo_data.py
+++ b/quetz/repo_data.py
@@ -4,6 +4,7 @@ import json
 from quetz import db_models
+from quetz.condainfo import MAX_CONDA_TIMESTAMP
 def export(dao, channel_name, subdir):
@@ -22,6 +23,9 @@ def export(dao, channel_name, subdir):
 ):
 data = json.loads(info)
 data['time_modified'] = int(time_modified.timestamp())
+ if 'timestamp' in data and data['timestamp'] > MAX_CONDA_TIMESTAMP:
+ # Convert timestamp from milliseconds to seconds
+ data['timestamp'] //= 1000
 if format == db_models.PackageFormatEnum.conda:
 packages_conda[filename] = data
 else:
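Review bot: The signature now covers only the twelve keys in `signable_metadata_keys`, so any other field that may be present in the package record — `noarch` or `track_features`, for instance — is no longer authenticated, and the comment `# Only sign the relevant metadata` does not say where this key set comes from or why those fields are excluded; replace it with something like `# Sign only the key set the client-side verifier reconstructs (see <SPEC REFERENCE>); fields outside it are not covered by the signature`. The verifier must serialise exactly this subset with the same `sort_keys`/`indent` settings or every signature fails to validate, so the key list deserves a cross-reference to that code or spec. The list is also rebuilt on every loop iteration; hoisting it to a module-level `SIGNABLE_METADATA_KEYS = (...)` tuple makes the signed schema visible at the top of the file. Note that `timestamp` is in the signed set while `quetz/repo_data.py` in this same change rewrites `timestamp` at export time; if `post_index_creation` can receive repodata that did not pass through `export()`, the signed and published values would diverge — worth confirming. `post_index_creation` starts and ends outside the hunk.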
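Review bot: The added guard in `export` compares `data['timestamp']` with `MAX_CONDA_TIMESTAMP` without checking its type, so a stored record whose `timestamp` is a string or `None` raises `TypeError` and aborts the whole export; tighten it to `ts = data.get('timestamp')` / `if isinstance(ts, (int, float)) and ts > MAX_CONDA_TIMESTAMP:` / `data['timestamp'] = int(ts // 1000)`. The `int(...)` also keeps the emitted value integral when the stored one was a float, since `//=` on a float yields a float. The comment should state the heuristic rather than the operation: `# A value above MAX_CONDA_TIMESTAMP cannot be seconds; treat it as milliseconds and normalise`. If `quetz.condainfo` already applies the same normalisation when a package is uploaded, the rule belongs in one shared helper rather than being duplicated here — confirm before merging. `export` starts and ends outside the hunk.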