Add support for package signing#1369
Open
daviddavis wants to merge 8 commits intopulp:mainfrom
Open
Conversation
3 tasks
daviddavis
force-pushed
the
package-signing
branch
3 times, most recently
from
7e3139a to
ba39a95
Compare
daviddavis
force-pushed
the
package-signing
branch
5 times, most recently
from
7f649ce to
9f3d131
Compare
daviddavis
force-pushed
the
package-signing
branch
from
a87e82d to
4ca1703
Compare
daviddavis
commented
Jan 2, 2026
daviddavis
force-pushed
the
package-signing
branch
6 times, most recently
from
10576a3 to
9a98cf2
Compare
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
fc6bbd7 to
8964c59
Compare
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
5298981 to
c2ba8b6
Compare
daviddavis
force-pushed
the
package-signing
branch
5 times, most recently
from
cfde638 to
236be34
Compare
daviddavis
force-pushed
the
package-signing
branch
9 times, most recently
from
4a62c62 to
dfde87c
Compare
Collaborator
|
I am afraid there are now merge conflicts due to the new linting. It is mostly rearranging of import statements. I hope they are simple to resolve. |
Contributor
Author
|
No worries. I am at least partly to blame I think. |
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
90caeac to
4fded08
Compare
Contributor
Author
|
@quba42 I updated this PR and it should be ready for review again. |
Assisted By: GPT-5.1-Codex fixes pulp#1300
Assisted By: GPT-5.1-Codex fixes pulp#1300
Add support for release overrides to signed_add_and_remove
Assisted By: Claude Sonnet 4.5
Switch package_signing_fingerprint fields from raw 40-char hex strings to a prefixed format (e.g. 'v4:<hex>' or 'keyid:<hex>'). This allows the signing system to distinguish between fingerprint types. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add an ArrayField to BasePackage (Package and InstallerPackage) that records which key fingerprints were used to sign the package. The field is read-only, null by default, and populated with a fingerprint when a package is signed via upload or repository modify. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Previously, we were checking package signatures against the package signing service's key fingerprint to see if they were already signed by the repo's package signing service. Instead the check should be using the repo's package signing fingerprint. For this fix, we extract the signature and use `gpg --list-packets` to find the package's fingerprint, which is compared against the repo fingerprint. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
daviddavis
force-pushed
the
package-signing
branch
from
4fded08 to
5a61a9b
Compare
quba42
reviewed
May 4, 2026
| # All things django and asyncio are deliberately left to pulpcore | ||
| # Example transitive requirements: asgiref, asyncio, aiohttp | ||
| "pulpcore>=3.85.0,<3.115", | ||
| "pulpcore>=3.107.0,<3.115", |
Collaborator
There was a problem hiding this comment.
Just a reminder for myself: Katello has only just packaged for pulpcore 3.105. Once we merge this, it will take some time until Katello can start using this change, and thus the next Y-release.
Collaborator
|
I will just leave this here as a comment: https://gist.github.com/daviddavis/5c6288813044fa0686e2aa936f41b653 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes #1300