Comments (13)
@kontura This would be useful for Pulp - it's possible that the functionality is already available in librpm via python bindings, but the documentation pages for those appear to be broken currently (see: "Programming RPM with Python" on this page http://rpm.org/documentation.html)
If it is, and it's widely available (e.g. EL8), and you don't see any value in proxying the functionality, then I suppose we can close.
from createrepo_c.
It is definitely available, I found some description of the API here: https://github.com/rpm-software-management/rpm/blob/master/python/header-py.c
For example this should work:
import os, rpm
ts = rpm.TransactionSet()
fdno = os.open('/home/amatej/htop-3.2.2-1.fc39.x86_64.rpm', os.O_RDONLY)
hdr = ts.hdrFromFdno(fdno)
os.close(fdno)
print(hdr[rpm.RPMTAG_SIGPGP])
print(hdr[rpm.RPMTAG_SIGGPG])
However if it will be more convenient for you I think we can add the python getters.
I'm not an expert on rpm headers, but it appears that there are also potentially other header fields that could be used for this purpose, like maybe dsaheader and rsaheader? I see them in the definition of the "--info" query format on rpm at least. If they are necessary can you please parse them out of the header too and add python bindings?
There are a bunch of header fields related just to signatures: https://github.com/rpm-software-management/rpm/blob/master/docs/manual/tags.md#signatures-and-digests I am not sure which ones you require or for what purpose, but I don't think we want to add all of them to the createrepo_c api.
from createrepo_c.
Question: Are there any signatures or other relevant tags (current or future) that you might be interested in @sdherr, that aren't available in the version of RPM currently present on EL8?
The tags are just constants so I'm sure they could be read anyway even if the constant doesn't have a definition in an older version of librpm (that is, the tag could be hardcoded ourselves for better compatibility). But nonetheless.
from createrepo_c.
I don't feel qualified to answer that question. Look, what I actually, truly, deep in my heart-of-hearts want, is a single method that I can call that will return THE SIGNATURE of the RPM (with python bindings). Current and future-proof. So that I can pass it off to pgp and read it.
I came up with that list of four headers by looking at what rpm -qi does, i.e. the definition of the "alias --info" in /usr/lib/rpm/rpmpopt-*, which seems to me to say that it looks at (in turn) each of DSAHEADER, RSAHEADER, SIGGPG, and SIGPGP, and passes the first one found through a pgpsig filter.
Now, I cannot stress enough how little I know about the internal implementation details of RPM headers. Why are there four instead of one? Beats me. Is there a 5th or 6th coming in the future? Don't know. What I actually care about, is "What is this RPM's signature?" You guys are the RPM experts, you tell me what is necessary.
from createrepo_c.
@kontura Is it generally true that all of the packages in a distro, be it Fedora X or RHEL Y, are signed with one key and have one specific signature type? I know that during beta cycles at least this is occasionally not true, but I am otherwise not certain.
And how varied are signature types across, say, EL7, EL8 and EL9?
from createrepo_c.
@kontura You are assuming that the rpm python module is installed, which is not a given. Yes that works, if python3-rpm is installed. The point of making this available in the createrepo python bindings is to avoid that extra dependency in environments where it is not already given and where requiring a new OS package on a diverse installation base is hard, as is the case for pulp_rpm.
I do not care about all the possible signature fields, just those four. Or I think it would even be acceptable to only have the two that createrepo already knows about and just needs python bindings for.
from createrepo_c.
The doc you linked was very helpful in that regard. It explained that DSAHEADER and RSAHEADER are signatures of the header packets, not of the body of the rpm. So for my purposes I think that's entirely optional / duplicated with SIGGPG and SIGPGP.
from createrepo_c.
I believe SIGPGP and SIGGPG are deprecated and newer versions of RPM don't output them, if I am reading this correctly. rpm-software-management/rpm#2374 (reply in thread)
The header contains metadata on the payload including a checksum of the payload, so you only need to sign the header to effectively sign the whole package, so long as the checksum of the payload is being verified too by the client (and it is). I believe DSA support is also being phased out too (same link), so that leaves RSA.
Is there anything else to be aware of? Is RSAHEADER the most preferred? Is it fairly reliable (e.g. do all packages back to, say, EL7 have them)?
from createrepo_c.
@DemiMarie Do you have any insight on these questions?
from createrepo_c.
SIGPGP and SIGGPG are deprecated. The DSA signature field is used for EdDSA signatures and those are not deprecated, so you need to check both.
from createrepo_c.
@DemiMarie Is it guaranteed that a RPM has one and only one signature? e.g. is it possible for an RPM to simultaneously be signed by an RSA key and an EdDSA key and have both signatures present in the header simultaneously?
from createrepo_c.
@dralley the current implementation will not produce such packages, but I am not sure if it will accept them.
from createrepo_c.
I'm happy to assume it doesn't happen, then.
from createrepo_c.
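Added example, not code from createrepo_c, rpm or any participant in the thread: a pure-Python reader for the RPM signature header that does what the comments above describe without needing the rpm python module. It walks the on-disk signature header (lead, header magic, index entries, data store), picks the signature in the order the --info alias tries the four tags (DSAHEADER, RSAHEADER, SIGGPG, SIGPGP), reads the public-key algorithm out of the OpenPGP packet so a DSAHEADER carrying an EdDSA signature is reported as such, and lists which header-signature tags are present so the "could both be present?" case is visible. Assumptions: the tag numbers are the RPMSIGTAG_* values from rpm's rpmtag.h as recalled here; the sample packages are constructed in the block (lead plus signature header only, no package header or payload) and their "signatures" are placeholder packet bytes, not real signatures, so this code shows where the signature lives and which one would be picked, and does no verification.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
RPM_STRING, RPM_BIN = 6, 7

# On-disk tag numbers in the signature header (RPMSIGTAG_*, from rpmtag.h as
# recalled here). rpm maps the legacy 1002/1005 entries to RPMTAG_SIGPGP (259)
# and RPMTAG_SIGGPG (262) when it folds the signature header into the package
# header, which is why the python binding reads hdr[rpm.RPMTAG_SIGPGP].
SIG_TAGS = {
    267: "DSAHEADER",     # OpenPGP signature over the header (DSA or EdDSA key)
    268: "RSAHEADER",     # OpenPGP signature over the header (RSA key)
    1005: "SIGGPG",       # legacy signature over header+payload (DSA)
    1002: "SIGPGP",       # legacy signature over header+payload (RSA)
    273: "SHA256HEADER",  # hex digest of the header, not a signature
}
LOOKUP_ORDER = ("DSAHEADER", "RSAHEADER", "SIGGPG", "SIGPGP")  # --info alias order
PGP_PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}


def parse_signature_header(data: bytes) -> dict:
    """Return {tag_name: bytes} for the signature-header entries listed above."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = RPM_LEAD_SIZE  # the signature header starts right after the 96-byte lead
    if data[off:off + 8] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    index = data[off + 16:off + 16 + 16 * nindex]
    store = data[off + 16 + 16 * nindex:off + 16 + 16 * nindex + hsize]
    if len(index) != 16 * nindex or len(store) != hsize:
        raise ValueError("truncated signature header")
    found = {}
    for i in range(nindex):  # each index entry: tag, type, offset, count (big-endian)
        tag, typ, doff, count = struct.unpack(">IIII", index[16 * i:16 * i + 16])
        name = SIG_TAGS.get(tag)
        if name is not None and typ == RPM_BIN:
            found[name] = store[doff:doff + count]
        elif name is not None and typ == RPM_STRING:
            found[name] = store[doff:store.index(b"\x00", doff)]
    return found


def pick_signature(tags: dict):
    """First present tag in the order the --info alias tries them, else None."""
    for name in LOOKUP_ORDER:
        if name in tags:
            return name, tags[name]
    return None


def signature_algorithm(sig: bytes) -> str:
    """Public-key algorithm named in an OpenPGP signature packet (v3 or v4)."""
    first = sig[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header: one-, two- or five-octet length
        tag, ln = first & 0x3F, sig[1]
        body = sig[2:] if ln < 192 else sig[3:] if ln < 224 else sig[6:]
    else:             # old-format header: length size encoded in the low 2 bits
        tag, lentype = (first >> 2) & 0x0F, first & 0x03
        body = sig[1 + (1, 2, 4, 0)[lentype]:]
    if tag != 2:
        raise ValueError(f"not a signature packet (tag {tag})")
    if body[0] == 4:
        algo = body[2]    # v4: version, sigtype, pubkey algo, hash algo, ...
    elif body[0] == 3:
        algo = body[15]   # v3: version, 5, sigtype, time(4), keyid(8), pubkey algo
    else:
        raise ValueError(f"unsupported signature version {body[0]}")
    return PGP_PUBKEY_ALGOS.get(algo, f"unknown({algo})")


def describe(rpm_image: bytes) -> dict:
    """What a 'give me THE signature' helper would report for one package."""
    tags = parse_signature_header(rpm_image)
    picked = pick_signature(tags)
    return {
        "tag": picked[0] if picked else None,
        "algorithm": signature_algorithm(picked[1]) if picked else None,
        # two entries here would mean both a DSA/EdDSA and an RSA header signature
        "header_sigs": [n for n in ("DSAHEADER", "RSAHEADER") if n in tags],
    }


# ---- constructed sample data: not real packages and not real signatures ----
def fake_pgp_sig(pk_algo: int) -> bytes:
    """Old-format OpenPGP signature packet (tag 2) with a v4 body of placeholder bytes."""
    body = bytes([4, 0x00, pk_algo, 8]) + b"\x00" * 4 + b"\xaa" * 8
    return b"\x88" + bytes([len(body)]) + body


def build_sample_rpm(sigs: dict) -> bytes:
    """Lead + signature header only (no package header/payload), 8-byte aligned."""
    entries = [(273, RPM_STRING, b"0" * 64 + b"\x00")]
    entries += [(tag, RPM_BIN, blob) for tag, blob in sigs.items()]
    index = store = b""
    for tag, typ, blob in entries:
        count = 1 if typ == RPM_STRING else len(blob)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += blob
    hdr = HEADER_MAGIC + struct.pack(">II", len(entries), len(store)) + index + store
    hdr += b"\x00" * (-len(hdr) % 8)
    lead = (RPM_LEAD_MAGIC + b"\x03\x00\x00\x00\x00\x01"
            + b"sample-1.0-1".ljust(66, b"\x00") + b"\x00\x01\x00\x05" + b"\x00" * 16)
    return lead + hdr


SAMPLE_RSA = build_sample_rpm({268: fake_pgp_sig(1)})       # RSAHEADER only
SAMPLE_EDDSA = build_sample_rpm({267: fake_pgp_sig(22)})    # EdDSA in DSAHEADER
SAMPLE_LEGACY = build_sample_rpm({1002: fake_pgp_sig(1)})   # old-style SIGPGP
SAMPLE_UNSIGNED = build_sample_rpm({})                      # digest only, no signature
```

Feeding the bytes of a real package to describe() (read the whole file, or at least the lead plus signature header) gives the tag rpm -qi would show and the key algorithm, which is enough to route the blob to a PGP verifier; the packet parsing reads algorithm identifiers only and must not be mistaken for signature verification.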