
#641: Specify and remember the Signing Services we want to use for each Repo / Release. #689

Merged: 1 commit merged into pulp:main from default-signing-service on Jun 5, 2023

Conversation

sdherr (Contributor) commented Nov 28, 2022

closes #641

sdherr changed the title from "Specify and remember the Signing Service that should be used at Repository or Release creation time." to "#641: Specify and remember the Signing Service that should be used at Repository or Release creation time." on Nov 29, 2022
sdherr force-pushed the default-signing-service branch 2 times, most recently from 7d9dc69 to 3f05a3c on November 29, 2022 18:19
sdherr force-pushed the default-signing-service branch 2 times, most recently from 3c4b567 to 12bc925 on December 8, 2022 19:56
sdherr changed the title from "#641: Specify and remember the Signing Service that should be used at Repository or Release creation time." to "#641: Specify and remember the Signing Services we want to use for each Repo / Release." on Dec 8, 2022
sdherr force-pushed the default-signing-service branch from a84d748 to 7da9495 on December 15, 2022 15:47
lubosmj requested a review from mdellweg on January 4, 2023 18:33
sdherr (Contributor Author) commented Jan 26, 2023

@mdellweg ping, I believe this is ready for merging. We have been using this patch without problem for a month now.

mdellweg (Member) commented:

Can you squash the commits and maybe the migrations too?

mdellweg removed their request for review on January 26, 2023 15:38
sdherr force-pushed the default-signing-service branch from 7da9495 to e883d93 on January 26, 2023 19:07
sdherr (Contributor Author) commented Jan 26, 2023

Sure, done, thanks!

sdherr (Contributor Author) commented Jan 26, 2023

Hmm, well, I'll try to figure out what the automation is complaining about, but it also occurs to me that we should probably update this to use get_url now that pulp/pulpcore#3469 is merged.

sdherr force-pushed the default-signing-service branch from e883d93 to 77ea3c8 on January 31, 2023 20:16
sdherr (Contributor Author) commented Jan 31, 2023

I was wrong previously, the version of this PR that we have been running had diverged from this code and there were a couple of things I had to patch up to get it working right. It should be better now though.

sdherr force-pushed the default-signing-service branch 2 times, most recently from 18cb978 to e33a76a on January 31, 2023 20:57
sdherr force-pushed the default-signing-service branch 5 times, most recently from e8a0a6f to dc7b0e8 on March 10, 2023 19:31
sdherr (Contributor Author) commented Mar 10, 2023

I added some basic tests to exercise this functionality. I don't know why all the GitHub checks are failing; it doesn't seem to be related to my changes and everything works locally here.

sdherr force-pushed the default-signing-service branch from dc7b0e8 to 3321549 on March 10, 2023 22:09
sdherr force-pushed the default-signing-service branch 2 times, most recently from a4d452f to 29ef41d on April 26, 2023 20:53
sdherr (Contributor Author) commented Apr 26, 2023

An example api workflow setting signing service on a specific release:

```shell
# hrefs assigned below are copied by hand from the JSON responses of the preceding calls
SIGNING_SERVICE_HREF="/pulp/api/v3/signing-services/77d0ba0f-8d42-4bd5-8818-2707ddcdb11d/"

# create the repo, update it to set a signing service override on a release named "signed"
http :8080/pulp/api/v3/repositories/deb/apt/ name=test-repo-signed-release
TEST_REPO_SIGNED_RELEASE="/pulp/api/v3/repositories/deb/apt/699d6531-18e6-48ff-8029-7f0ca6390e49/"
http PATCH :8080$TEST_REPO_SIGNED_RELEASE signing_service_release_overrides:="{\"signed\": \"$SIGNING_SERVICE_HREF\"}"

# create a couple of releases
http :8080/pulp/api/v3/content/deb/releases/ codename=signed suite=signed distribution=signed
SIGNED_RELEASE_HREF="/pulp/api/v3/content/deb/releases/1e5ef6b8-bac8-43b0-852a-4d9a8a5ada12/"
http :8080/pulp/api/v3/content/deb/releases/ codename=unsigned suite=unsigned distribution=unsigned
UNSIGNED_RELEASE_HREF="/pulp/api/v3/content/deb/releases/f5ccdb99-47c6-4eb0-b7d1-749b2382dda7/"

# create a couple of components
http :8080/pulp/api/v3/content/deb/release_components/ component=main release="$SIGNED_RELEASE_HREF"
SIGNED_COMPONENT_HREF="/pulp/api/v3/content/deb/release_components/8d5e72be-7037-4587-8d40-3d2b545a6870/"
http :8080/pulp/api/v3/content/deb/release_components/ component=main release="$UNSIGNED_RELEASE_HREF"
UNSIGNED_COMPONENT_HREF="/pulp/api/v3/content/deb/release_components/b36535a8-3917-4646-938a-60edcfc70750/"

# add structure content to the repo
http :8080${TEST_REPO_SIGNED_RELEASE}modify/ add_content_units:="[\"$SIGNED_RELEASE_HREF\", \"$UNSIGNED_RELEASE_HREF\", \"$SIGNED_COMPONENT_HREF\", \"$UNSIGNED_COMPONENT_HREF\"]"

# distribute and publish it
http :8080/pulp/api/v3/distributions/deb/apt/ base_path=test_repo_signed_release name=test_repo_signed_release repository="$TEST_REPO_SIGNED_RELEASE"
http :8080/pulp/api/v3/publications/deb/apt/ structured:=true repository="$TEST_REPO_SIGNED_RELEASE"

# observe that the "signed" release contains an InRelease file and the "unsigned" release doesn't
```

sdherr (Contributor Author) commented Apr 26, 2023

An example api workflow setting signing service on the whole repo:

```shell
# hrefs assigned below are copied by hand from the JSON responses of the preceding calls
SIGNING_SERVICE_HREF="/pulp/api/v3/signing-services/77d0ba0f-8d42-4bd5-8818-2707ddcdb11d/"

# create the repo, update it to set a repo-wide signing service (applies to every release)
http :8080/pulp/api/v3/repositories/deb/apt/ name=test-signed-repo
TEST_SIGNED_REPO="/pulp/api/v3/repositories/deb/apt/64de9a9d-9e55-4ffc-b65a-c89a4b0733cc/"
http PATCH :8080$TEST_SIGNED_REPO signing_service="$SIGNING_SERVICE_HREF"

# create a couple of releases
http :8080/pulp/api/v3/content/deb/releases/ codename=signed1 suite=signed1 distribution=signed1
RELEASE_ONE_HREF="/pulp/api/v3/content/deb/releases/56ed4769-ee33-459c-b1ce-0f1de4556bb9/"
http :8080/pulp/api/v3/content/deb/releases/ codename=signed2 suite=signed2 distribution=signed2
RELEASE_TWO_HREF="/pulp/api/v3/content/deb/releases/c5d2165e-0132-423c-8588-14c5c5d431e1/"

# create a couple of components
http :8080/pulp/api/v3/content/deb/release_components/ component=main release="$RELEASE_ONE_HREF"
COMPONENT_ONE_HREF="/pulp/api/v3/content/deb/release_components/2933c017-fc08-4e77-9089-e20e5f6eca9d/"
http :8080/pulp/api/v3/content/deb/release_components/ component=main release="$RELEASE_TWO_HREF"
COMPONENT_TWO_HREF="/pulp/api/v3/content/deb/release_components/e392bc8e-ca03-496d-a8c4-7ccacb1960f2/"

# add structure content to the repo
http :8080${TEST_SIGNED_REPO}modify/ add_content_units:="[\"$RELEASE_ONE_HREF\", \"$RELEASE_TWO_HREF\", \"$COMPONENT_ONE_HREF\", \"$COMPONENT_TWO_HREF\"]"

# distribute and publish it
http :8080/pulp/api/v3/distributions/deb/apt/ base_path=test_signed_repo name=test_signed_repo repository="$TEST_SIGNED_REPO"
http :8080/pulp/api/v3/publications/deb/apt/ structured:=true repository="$TEST_SIGNED_REPO"

# observe that both "signed1" and "signed2" contain InRelease files
```

@quba42 quba42 added the .feature CHANGES/<issue_number>.feature label May 8, 2023
sdherr force-pushed the default-signing-service branch 2 times, most recently from 6e1b113 to 0560da9 on June 1, 2023 15:58
sdherr force-pushed the default-signing-service branch from 0560da9 to 60a3abc on June 1, 2023 17:57
sdherr requested a review from hstct on June 1, 2023 18:19
hstct (Contributor) commented Jun 1, 2023

LGTM. Will merge this when I get back to work (so probably monday)

quba42 (Collaborator) left a comment

I have not done a full review like @hstct, but had a look over the code and performed the following test workflow:
Set up a signing service:

```shell
oci-env shell
# import the pulp-fixtures QE test key and mark it ultimately trusted so gpg will sign with it
curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-pulp-qe | gpg --import
echo "6EDF301256480B9B801EBA3D05A5E6DA269D9D98:6:" | gpg --import-ownertrust
SIGNING_SERVICE_NAME='Pulp_QE'
pulpcore-manager add-signing-service --class 'deb:AptReleaseSigningService' "${SIGNING_SERVICE_NAME}" /src/pulp_deb/pulp_deb/tests/functional/sign_deb_release.sh '6EDF301256480B9B801EBA3D05A5E6DA269D9D98'
```

Main workflow using Pulp CLI and http:

```shell
# PULP_CLI_CMD, HTTP_CMD and PULP_URL are expected to be set by the surrounding (oci-env) environment
SIGNING_SERVICE_NAME='Pulp_QE'
ENTITIES_NAME='test'
REMOTE_OPTIONS='--url=https://fixtures.pulpproject.org/debian/ --distribution=ragnarok --distribution=ginnungagap --distribution=nosuite --policy=on_demand'
SIGNING_SERVICE_HREF=$(${PULP_CLI_CMD} signing-service show --name=${SIGNING_SERVICE_NAME} | jq -r .pulp_href)
REMOTE_HREF=$(${PULP_CLI_CMD} deb remote create --name=${ENTITIES_NAME} ${REMOTE_OPTIONS} | jq -r .pulp_href)
# the repository is created over plain HTTP because the CLI does not yet expose the new fields
${HTTP_CMD} post ${PULP_URL}/pulp/api/v3/repositories/deb/apt/ remote=${REMOTE_HREF} name=${ENTITIES_NAME} signing_service_release_overrides:="{\"ragnarok\": \"$SIGNING_SERVICE_HREF\", \"default\": \"$SIGNING_SERVICE_HREF\"}"
${PULP_CLI_CMD} deb repository sync --name=${ENTITIES_NAME}
APT_PUBLICATION_HREF=$(${PULP_CLI_CMD} deb publication create --simple --structured --repository=${ENTITIES_NAME} | jq -r .pulp_href)
${PULP_CLI_CMD} deb distribution create --name=${ENTITIES_NAME} --base-path=${ENTITIES_NAME} --publication=${APT_PUBLICATION_HREF}
```

This has worked, and I think the PR can be merged as is. I do have a few closing remarks to add:

  1. Great job on adding some basic documentation to docs/feature_overview.rst and the strings used for the API docs!
  2. It looks like adding a `signing_service_release_overrides = {"default": ...}` along with `simple=True` on the publication does not interact. I am fine with this, since we want to deprecate usage of `simple=True` anyway. (This is just something to be aware of.)
  3. We should create an issue at pulp-cli-deb to add the `signing_service_release_overrides` and `signing_service` parameters to the `pulp deb repository create` command!
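The two workflows sdherr posted above and quba42's remark about the "default" key show three configurations of the same two repository fields. The following is an added example, not pulp_deb code: it models which Releases of a publication will end up with a signed InRelease under the repository-wide `signing_service` and the per-distribution `signing_service_release_overrides`, encodes quba42's observation that a "default" override does not reach a `simple=True` publication, and audits a constructed listing of the published `dists/` tree against that plan so an unsigned Release does not go unnoticed. The only assumption beyond what this page states is the first precedence step: that a signing service passed at publication time wins over both repository fields.

```python
"""Predict and audit which Releases of a pulp_deb publication are signed.

Added example for this PR thread; it is not pulp_deb code. Precedence modelled:
publication-time signing service (assumption) > per-distribution override >
repository-wide signing_service > nothing (Release published unsigned).
"""
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Href taken from sdherr's workflows above; the UUID is just an opaque pulp_href.
SIGNING_SERVICE_HREF = "/pulp/api/v3/signing-services/77d0ba0f-8d42-4bd5-8818-2707ddcdb11d/"

# Constructed repository records (only the relevant fields), shaped like the JSON a GET
# on the repository href returns after the PATCH calls in sdherr's two workflows.
REPO_PER_RELEASE = json.loads("""
{
  "name": "test-repo-signed-release",
  "signing_service": null,
  "signing_service_release_overrides": {"signed": "%s"}
}
""" % SIGNING_SERVICE_HREF)
REPO_WHOLE = {
    "name": "test-signed-repo",
    "signing_service": SIGNING_SERVICE_HREF,
    "signing_service_release_overrides": {},
}


def resolve_signing_service(repo: dict, distribution: str,
                            publication_signing_service: Optional[str] = None) -> Optional[str]:
    """Return the signing service href for one structured Release, or None if it is unsigned."""
    if publication_signing_service:
        # Assumption: a service given at publish time overrides the repository settings.
        return publication_signing_service
    overrides = repo.get("signing_service_release_overrides") or {}
    if distribution in overrides:
        return overrides[distribution]
    return repo.get("signing_service")


def plan_publication(repo: dict, distributions: Iterable[str], simple: bool = False,
                     structured: bool = True,
                     publication_signing_service: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map every Release the publication will emit to its signing service (None = unsigned)."""
    plan: Dict[str, Optional[str]] = {}
    if structured:
        for dist in distributions:
            plan[dist] = resolve_signing_service(repo, dist, publication_signing_service)
    if simple:
        # quba42 observed above that an override keyed "default" does not affect the simple
        # publication's "default" Release, so only the repo-wide (or publish-time) service applies.
        plan["default"] = publication_signing_service or repo.get("signing_service")
    return plan


def audit_published_tree(plan: Dict[str, Optional[str]],
                         present_paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Compare the plan with the paths actually served under dists/ and report surprises.

    Codes: MISSING_SIGNATURE (a service was resolved but no InRelease exists),
    UNEXPECTED_SIGNATURE (InRelease exists with no service configured), and
    UNSIGNED (no service, no InRelease: apt clients reject it unless [trusted=yes]).
    """
    present = set(present_paths)
    findings: List[Tuple[str, str]] = []
    for dist, service in sorted(plan.items()):
        has_inrelease = f"dists/{dist}/InRelease" in present
        if service and not has_inrelease:
            findings.append((dist, "MISSING_SIGNATURE"))
        elif not service and has_inrelease:
            findings.append((dist, "UNEXPECTED_SIGNATURE"))
        elif not service:
            findings.append((dist, "UNSIGNED"))
    return findings


if __name__ == "__main__":
    plan = plan_publication(REPO_PER_RELEASE, ["signed", "unsigned"])
    # Constructed listing of what the distribution would serve for the first workflow.
    published = ["dists/signed/InRelease", "dists/signed/Release", "dists/unsigned/Release"]
    for dist, code in audit_published_tree(plan, published):
        print(f"{dist}: {code}")
```

Run against a real deployment, the `present_paths` list would come from listing the distribution's base path (or fetching `dists/<dist>/InRelease` over HTTP); the plan comes from the repository's JSON and the options passed to the publication.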

hstct (Contributor) commented Jun 5, 2023

> We should create an issue at pulp-cli-deb to add the `signing_service_release_overrides` and `signing_service` parameters to the `pulp deb repository create` command!

I created the issue: pulp/pulp-cli-deb#54

@hstct hstct merged commit b620904 into pulp:main Jun 5, 2023
adamsanaglo pushed a commit to adamsanaglo/pulpcore that referenced this pull request Jul 13, 2023
…ice overrides

Previously we had implemented a pulp_deb patch locally (0008) where we tied the SigningService directly to an Apt Repository or Release via foreign keys to set the "default" for the repo/release. [We submitted it upstream](pulp/pulp_deb#689), and they requested changes where instead of tying Release<->SigningService directly we instead do it via indirect reference to avoid a problem that they've had for forever where if you make any local changes to a Release then syncing from another repo creates a duplicate release. So that's what the pulp patch here is, it's kind of the second half of the 0008 patch that brings us in sync with what pulp_deb has merged upstream.

This PR also has server/cli support for setting that field so we don't have to do it via the pulp api directly, like we did last time when 0008 was first released.

Because of the database changes in pulp when we deploy this we'll have to reset the overrides on azurecore and azurecore-test:
```
pmc repo update azurecore-apt --add-release-signing-services 'bionic=legacy;xenial=legacy'
pmc repo update azurecore-test-apt --add-release-signing-services 'bionic=legacy;xenial=legacy;trusty=legacy'
```

Related work items: #16950389
Successfully merging this pull request may close these issues.

Specifying signing service at publish time is inconsistent and a bad user experience
5 participants