Add support for package signing#1369
Open
daviddavis wants to merge 7 commits intopulp:mainfrom
Open
Conversation
3 tasks
daviddavis
force-pushed
the
package-signing
branch
3 times, most recently
from
7e3139a to
ba39a95
Compare
daviddavis
force-pushed
the
package-signing
branch
5 times, most recently
from
7f649ce to
9f3d131
Compare
daviddavis
force-pushed
the
package-signing
branch
from
a87e82d to
4ca1703
Compare
daviddavis
commented
Jan 2, 2026
daviddavis
force-pushed
the
package-signing
branch
6 times, most recently
from
10576a3 to
9a98cf2
Compare
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
fc6bbd7 to
8964c59
Compare
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
5298981 to
c2ba8b6
Compare
daviddavis
force-pushed
the
package-signing
branch
2 times, most recently
from
65cbe36 to
05ef87e
Compare
Contributor
Author
|
Here are the Debian docs on signing packages: https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html#check-pkg-sign Here's our own docs about how to manually verify package signatures: This doc has a bit more info including how to configure dpkg to verify signatures: https://blog.packagecloud.io/how-to-gpg-sign-and-verify-deb-packages-and-apt-repositories/ Here's an example package that is signed: https://packages.microsoft.com/repos/code/pool/main/c/code/code_1.113.0-1774364744_amd64.deb Note the signature (_gpgorigin) in the deb package: |
daviddavis
force-pushed
the
package-signing
branch
6 times, most recently
from
cfde638 to
236be34
Compare
daviddavis
force-pushed
the
package-signing
branch
9 times, most recently
from
4a62c62 to
dfde87c
Compare
Collaborator
|
I am afraid there are now merge conflicts due to the new linting. It is mostly rearranging of import statements. I hope they are simple to resolve. |
Contributor
Author
|
No worries. I am at least partly to blame I think. |
Assisted By: GPT-5.1-Codex fixes pulp#1300
Assisted By: GPT-5.1-Codex fixes pulp#1300
Add support for release overrides to signed_add_and_remove
Assisted By: Claude Sonnet 4.5
Switch package_signing_fingerprint fields from raw 40-char hex strings to a prefixed format (e.g. 'v4:<hex>' or 'keyid:<hex>'). This allows the signing system to distinguish between fingerprint types. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add an ArrayField to BasePackage (Package and InstallerPackage) that records which key fingerprints were used to sign the package. The field is read-only, null by default, and populated with a fingerprint when a package is signed via upload or repository modify. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
daviddavis
force-pushed
the
package-signing
branch
from
dfde87c to
90caeac
Compare
Previously, we were checking package signatures against the package signing service's key fingerprint to see if they were already signed by the repo's package signing service. Instead the check should be using the repo's package signing fingerprint. For this fix, we extract the signature and use `gpg --list-packets` to find the package's fingerprint, which is compared against the repo fingerprint. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
daviddavis
force-pushed
the
package-signing
branch
from
90caeac to
4fded08
Compare
Contributor
Author
|
@quba42 I updated this PR and it should be ready for review again. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes #1300