Can't create signing service #2798

Closed
newswangerd opened this issue Jun 2, 2022 · 3 comments · Fixed by #2800

newswangerd commented Jun 2, 2022

Version
3.20

Describe the bug
When attempting to create a signing service using the pulpcore-manager add-signing-service command I get the following error:

api_1          | Traceback (most recent call last):
api_1          |   File "/venv/bin/django-admin", line 8, in <module>
api_1          |     sys.exit(execute_from_command_line())
api_1          |   File "/venv/lib64/python3.8/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
api_1          |     utility.execute()
api_1          |   File "/venv/lib64/python3.8/site-packages/django/core/management/__init__.py", line 413, in execute
api_1          |     self.fetch_command(subcommand).run_from_argv(self.argv)
api_1          |   File "/venv/lib64/python3.8/site-packages/django/core/management/base.py", line 354, in run_from_argv
api_1          |     self.execute(*args, **cmd_options)
api_1          |   File "/venv/lib64/python3.8/site-packages/django/core/management/base.py", line 398, in execute
api_1          |     output = self.handle(*args, **options)
api_1          |   File "/venv/lib64/python3.8/site-packages/pulpcore/app/management/commands/add-signing-service.py", line 83, in handle
api_1          |     SigningService.objects.create(
api_1          |   File "/venv/lib64/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
api_1          |     return getattr(self.get_queryset(), name)(*args, **kwargs)
api_1          |   File "/venv/lib64/python3.8/site-packages/django/db/models/query.py", line 453, in create
api_1          |     obj.save(force_insert=True, using=self.db)
api_1          |   File "/venv/lib64/python3.8/site-packages/pulpcore/app/models/content.py", line 826, in save
api_1          |     self.validate()
api_1          |   File "/venv/lib64/python3.8/site-packages/pulpcore/app/models/content.py", line 858, in validate
api_1          |     with tempfile.TemporaryDirectory(dir=".") as temp_directory_name:
api_1          |   File "/usr/lib64/python3.8/tempfile.py", line 780, in __init__
api_1          |     self.name = mkdtemp(suffix, prefix, dir)
api_1          |   File "/usr/lib64/python3.8/tempfile.py", line 358, in mkdtemp
api_1          |     _os.mkdir(file, 0o700)
api_1          | PermissionError: [Errno 13] Permission denied: './tmpcmbnyssa'

The error seems to be caused by this change d32c62a#diff-81f6a78175bb93934b6beff952646d3ca1ef3731f1ff14492d4ec77bfc3fdf82R847, which attempts to create a new temporary directory in ., which my deployment doesn't have permissions to write to. I have no idea what directory . corresponds to here, so I can't make it writable.

To Reproduce
Steps to reproduce the behavior:

  • attempt to create a signing service with pulpcore-manager add-signing-service

Expected behavior
I should be able to add a signing service

@newswangerd

If . corresponds to the directory that pulp is running in, it seems like giving the user that's running pulp write access in that directory could potentially be dangerous.

bmbouter commented Jun 2, 2022

This is coming from here, which is the validation that is done as part of save().

@bmbouter
Copy link
Member

bmbouter commented Jun 2, 2022

One idea is we could port the implementation to use Python tooling to validate the signature. That would avoid the need to write to a filesystem at '.'.
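Added example, not part of the thread and not pulpcore's code (it is also not the change merged in #2800): a way to see what `.` resolves to for the running process, and to create the validation scratch directory under a dedicated location instead of the current working directory. The names `describe_cwd`, `validation_scratch_dir` and the `base` parameter are hypothetical.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


def describe_cwd():
    """Report what "." resolves to for this process and whether it is writable."""
    path = os.path.realpath(os.curdir)
    st = os.stat(path)
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "process_uid": os.getuid(),
        # Creating a directory needs write and search permission on the parent.
        # os.access() checks against the real uid/gid of the process.
        "writable": os.access(path, os.W_OK | os.X_OK),
    }


@contextmanager
def validation_scratch_dir(base=None):
    """Yield a private temp directory that does not depend on the CWD.

    base is a hypothetical setting naming a dedicated, service-owned scratch
    directory. None uses tempfile.gettempdir(), which tries TMPDIR, TEMP, TMP,
    then /tmp, /var/tmp, /usr/tmp, and only as a last resort the CWD.
    """
    base = os.path.realpath(base or tempfile.gettempdir())
    # Backed by mkdtemp(): random name, created with mode 0o700, removed on exit.
    with tempfile.TemporaryDirectory(prefix="sign-validate-", dir=base) as name:
        yield name


if __name__ == "__main__":
    print(describe_cwd())
    with validation_scratch_dir() as scratch:
        print("scratch:", scratch)
```

Running `describe_cwd()` inside the same container and as the same user as the failing command shows which directory would have to be writable for `dir="."` to succeed.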
