Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Pulp 2] Fix broken repodata signing if sqlite is enabled #2168

Merged
merged 1 commit into from
Jan 17, 2022
Merged

[Pulp 2] Fix broken repodata signing if sqlite is enabled #2168

merged 1 commit into from
Jan 17, 2022

Conversation

dralley
Copy link
Contributor

@dralley dralley commented Nov 1, 2021

@dralley dralley changed the title Fix broken repodata signing if sqlite is enabled [Pulp 2] Fix broken repodata signing if sqlite is enabled Nov 1, 2021
@dralley dralley added the Pulp 2 label Nov 1, 2021
@pulpbot
Copy link
Member

pulpbot commented Nov 1, 2021

Attached issue: https://pulp.plan.io/issues/9206

@dralley
Copy link
Contributor Author

dralley commented Nov 1, 2021

Tested here: https://pulp.plan.io/issues/9206#note-10

@dralley dralley marked this pull request as ready for review November 1, 2021 14:30
dralley
dralley commented Nov 1, 2021
View reviewed changes
plugins/pulp_rpm/plugins/distributors/yum/publish.py
self.add_child(RemoveOldRepodataStep())
self.add_child(GenerateSqliteForRepoStep(self.get_working_dir()))
if config.get_boolean('gpg_sign_metadata'):
Copy link
Contributor Author

@dralley dralley Nov 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Signing used to happen as part of CloseRemoMetadataStep, but GenerateSqliteForRepoStep was rewriting the repomd.xml afterwards and immediately invalidating the signature. So we need to split the signing logic away from CloseRepoMetadataStep and make it a separate step that runs at the end.

goosemania
goosemania reviewed Nov 1, 2021
View reviewed changes
plugins/pulp_rpm/plugins/distributors/yum/publish.py
self.add_child(RemoveOldRepodataStep())
self.add_child(GenerateSqliteForRepoStep(self.get_working_dir()))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the reason for moving that step?

Copy link
Contributor Author

@dralley dralley Nov 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reasoning was that GenerateSqliteForRepoStep is making changes to the metadata files that aren't tracked by the code that makes sure the RemoveOldRepodataStep doesn't touch them, so it feels safer to do it after the cleanup. I'm 99.9% sure that it would still have been fine anyway because "old" is time-based and usually measured in days, but I dislike that it was the only reason it wasn't broken.

goosemania
goosemania reviewed Nov 1, 2021
View reviewed changes
plugins/pulp_rpm/plugins/distributors/yum/publish.py
Comment on lines +421 to +427
def finalize(self):
sign_options = configuration.get_gpg_sign_options(
self.get_repo(), self.get_config()
)
assert sign_options
signer = util.Signer(options=sign_options)
signer.sign(self.repomd)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had an impression that semantically in finalize, we usually perform some cleanup or closing actions and such. Here we are signing, basically performing the main action this step is for, so my natural approach would be to put it into process_main. Is it because this code was performed in the finalizing stage originally, you decided to keep it here?

Copy link
Contributor Author

@dralley dralley Nov 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was actually unsure about that because process_main seems to sometimes be used on a per-item basis. I can rename it to process_main if that would be more correct.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it's safer to leave it in finalize, since it was there before, and actually it would be more correct because finalization of other steps will be run by that time. If we put it in the process_main it might not happen in the correct order.
Anyway, you convinced me :) Let's keep it as you did it.

@goosemania
Copy link
Member

It looks good to me, I'd ask exd to test/review.
Thanks a lot for the fix, @dralley !

@goosemania
Copy link
Member

cc @rohanpm, in case you'd like to check it out

@fao89 fao89 mentioned this pull request Dec 22, 2021
Closed
@dralley
Copy link
Contributor Author

dralley commented Jan 17, 2022

Well, I'm just going to merge this. EXD can suggest further changes when they around to reviewing

@dralley dralley merged commit 1bf3194 into pulp:2-master Jan 17, 2022
@dralley dralley deleted the fix-signing-pulp2 branch January 17, 2022 19:22
@dralley dralley mentioned this pull request Jun 6, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goosemania goosemania goosemania approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dralley @pulpbot @goosemania