Replace custom OpenPGP packet parsing with pysequoia #7433
Replace custom OpenPGP packet parsing with pysequoia #7433
Conversation
|
@mdellweg @gerrod3 This is first draft quality, I have not thoroughly reviewed this. But let me know what you think, and feel free to look at the pysequoia PR as well. I will note, that I don't think pysequoia actually supports PQC yet (the patches exist but aren't merged yet, I think RH is applying them downstream in places). So we will need to make sure that it's not doing "too much" validation Requires wiktor-k/pysequoia#61 |
dralley
force-pushed
the
use-pysequoia
branch
4 times, most recently
from
a4007d3 to
ccf9278
Compare
dralley
changed the title
| username (str): Empty string; primary UID not available without extending pysequoia. | ||
| data (bytes or None): The verified plaintext content for inline signatures, None for | ||
| detached signatures. | ||
| """ |
There was a problem hiding this comment.
I'm not actually sure that we need this, but gpg_verify is public API, so I figured we would have to at least try. Unless we wait until the next breaking change release.
There was a problem hiding this comment.
pulp_ansible seems to use the result in a trivial way, we could delete most of this at the next breaking change release.
| "raw_data": body, | ||
| "created": packet.signature_created, | ||
| } | ||
| # Note: Pulp's concept of "expiration time" is a duration starting at creation time |
There was a problem hiding this comment.
Oh it should have been expiration date?
"time" really is ambiguous.
There was a problem hiding this comment.
TBF, pulp is using the terminology that was defined in the spec, so it was "correct", it's just that the terminology in the spec was ambiguous.
https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-expiration-time
Opinions probably differ whether Sequoia providing expiration_time as something else is a good idea. Less ambiguous wording, but a bit confusing when it comes to the spec.
dralley
force-pushed
the
use-pysequoia
branch
3 times, most recently
from
56bd4a3 to
4441274
Compare
dralley
force-pushed
the
use-pysequoia
branch
2 times, most recently
from
38ee7d1 to
a234584
Compare
Generated-By: claude-opus-4.6
dralley
force-pushed
the
use-pysequoia
branch
2 times, most recently
from
e232d0d to
9827fcc
Compare
| pytest-custom_exit_code | ||
| pytest-xdist | ||
| python-gnupg | ||
| pysequoia |
There was a problem hiding this comment.
Why are we even repeating the dependency here? (It's not optional in pyproject, right?)
There was a problem hiding this comment.
functional tests can run outside the environment where Pulp is installed.
| return gpg, fingerprint, keyid | ||
| return cert, fingerprint, keyid |
There was a problem hiding this comment.
Is anything outside of pulpcore using this fixture?
There was a problem hiding this comment.
Looks like yes https://github.com/search?q=org%3Apulp%20signing_gpg_metadata&type=code
pulp_container and pulp_deb at least, pulp_rpm looks like it might have a copy of an identical name
| keyid = fingerprint[-16:] | ||
|
|
||
| gpg.trust_keys(fingerprint, "TRUST_ULTIMATE") | ||
| gpg_cmd = ["gpg", "--homedir", str(signing_gpg_homedir_path)] |
There was a problem hiding this comment.
Is this now using sequoia too, depending on the actual binary installed?
There was a problem hiding this comment.
It's using whichever utility is behind the command named gpg, which AFAIK is still just gpg. I don't think RHEL 10 is using a replacement under the gpg name
pulpcore/app/util.py
Outdated
| self.pubkey_fingerprint = vs.certificate.upper() | ||
| self.key_id = vs.signing_key[-16:].upper() | ||
| self.username = "" | ||
| else: |
There was a problem hiding this comment.
What does this branch mean? Can a signature be valid when there are no signatures at all?
There was a problem hiding this comment.
I believe you are correct, it's dead code. Removed
| ) | ||
|
|
||
| gpg = gnupg.GPG(gnupghome=options["gnupghome"], keyring=options["keyring"]) | ||
| gpg_cmd = ["gpg"] |
There was a problem hiding this comment.
Wouldn't we need this to use sequoia too in order to handle all the new algorithms and keyfile formats?
There was a problem hiding this comment.
Even sequoia doesn't "support" them yet because the IETF draft isn't final yet. You have to install a special build to get them. So it's out of scope for now. At some point, probably, but even then it might be a host-dependent thing.
Use pysequoia instead, or shell out to gpg on the command line, which is what python-gnupg does anyway. It's not much additional code to just ditch the dependency everywhere. Assisted-By: claude-opus-4.6
2 participants
📜 Checklist
See: Pull Request Walkthrough