Replace custom OpenPGP packet parsing with pysequoia

functest_requirements.txt

@@ -1,7 +1,7 @@
 pytest<10
 pytest-custom_exit_code
 pytest-xdist
-python-gnupg
+pysequoia
 proxy.py~=2.4.10
 trustme~=1.2.1
 

pulpcore/app/management/commands/add-signing-service.py

@@ -1,6 +1,5 @@
 import os
-
-import gnupg
+import subprocess
 
 from pathlib import Path
 
@@ -72,13 +71,33 @@ def handle(self, *args, **options):
                 )
             )
 
-        gpg = gnupg.GPG(gnupghome=options["gnupghome"], keyring=options["keyring"])
+        gpg_cmd = ["gpg"]
+        if options["gnupghome"]:
+            gpg_cmd += ["--homedir", options["gnupghome"]]
+        if options["keyring"]:
+            gpg_cmd += ["--keyring", options["keyring"]]
 
-        key_list = gpg.list_keys(keys=[key_id])
-        if not len(key_list) == 1:
-            raise CommandError(_("There are {} keys matching the key id.").format(len(key_list)))
-        fingerprint = key_list[0]["fingerprint"]
-        public_key = gpg.export_keys(key_id)
+        result = subprocess.run(
+            gpg_cmd + ["--with-colons", "--fingerprint", key_id],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode != 0:
+            raise CommandError(result.stderr.strip())
+
+        fpr_lines = [line for line in result.stdout.splitlines() if line.startswith("fpr:")]
+        if len(fpr_lines) != 1:
+            raise CommandError(_("There are {} keys matching the key id.").format(len(fpr_lines)))
+        fingerprint = fpr_lines[0].split(":")[9]
+
+        result = subprocess.run(
+            gpg_cmd + ["--armor", "--export", key_id],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode != 0:
+            raise CommandError(result.stderr.strip())
+        public_key = result.stdout
 
         try:
             script_path = Path(script).resolve(strict=True)

pulpcore/app/models/openpgp.py

@@ -3,8 +3,9 @@
 from aiohttp.web_response import Response
 from django.db import models
 from django.utils import timezone
+from pysequoia import armor, ArmorKind
+
 from pulpcore.app.models import AutoAddObjPermsMixin, Content, Distribution, Repository
-from pulpcore.app.openpgp import wrap_armor
 from pulpcore.app.util import get_domain_pk, gpg_verify
 
 
@@ -47,6 +48,7 @@ def represent(self, repository_version=None):
         else:
             content_filter = {}
         data = self.packet()
+        # note: because these queries aren't ordered, the result may be nondetermininistic
         for signature in self.openpgp_signatures.filter(**content_filter):
             data += signature.packet()
         for user_id in self.user_ids.filter(**content_filter):
@@ -61,7 +63,7 @@ def represent(self, repository_version=None):
             data += public_subkey.packet()
             for signature in public_subkey.openpgp_signatures.filter(**content_filter):
                 data += signature.packet()
-        return wrap_armor(data)
+        return armor(data, ArmorKind.PublicKey).strip()  # avoid trailing newline
 
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"
@@ -127,11 +129,11 @@ class OpenPGPSignature(_OpenPGPContent):
 
     sha256 = models.CharField(max_length=128)
     signature_type = models.PositiveSmallIntegerField()
-    created = models.DateTimeField()  # 2
-    expiration_time = models.DurationField(null=True)  # 3
-    key_expiration_time = models.DurationField(null=True)  # 9
-    issuer = models.CharField(max_length=16, null=True)  # 16
-    signers_user_id = models.CharField(null=True)  # 28
+    created = models.DateTimeField()
+    expiration_time = models.DurationField(null=True)
+    key_expiration_time = models.DurationField(null=True)
+    issuer = models.CharField(max_length=16, null=True)
+    signers_user_id = models.CharField(null=True)
     signed_content = models.ForeignKey(
         Content, related_name="openpgp_signatures", on_delete=models.PROTECT
     )