Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

[FEATURE REQUEST] Verify RPM packages GPG signature on their adding to version #134

Closed
teran opened this issue Aug 16, 2024 · 0 comments · Fixed by #157
Closed

[FEATURE REQUEST] Verify RPM packages GPG signature on their adding to version #134

teran opened this issue Aug 16, 2024 · 0 comments · Fixed by #157
Assignees
@teran
Labels
archived-cli CLI related tasks enhancement New feature or request good first issue Good for newcomers
Milestone
v0.0.8

Comments

@teran
Copy link
Owner

teran commented Aug 16, 2024
edited
Loading

What is your use case?
Be closer to operations which made by yum/dnf than trivial rsync

Is your feature request related to a problem? Please describe.
Now the code mirrors yum repository into version checks only checksums defined in repomd.xml and other index files but doesn't check RPM GPG signature which have some security impact to final repository users. So to improve the security it's needed to verify GPG signatures (if possible) for RPM packages.

Describe the solution you'd like

  • If RPM package is not uploaded to blob storage yet - check signature of that package against the key provided to archived-cli via argument (if it's provided)
  • If check passes - upload the blob
  • If check fails - fail the run

Describe alternatives you've considered
up to discuss

Additional context

https://github.com/cavaliergopher/rpm have already implemented method to verify package GPG signature against the provided key, however it utilizes deprecated https://pkg.go.dev/golang.org/x/crypto/openpgp package (See https://golang.org/issue/44226 for details) so it's up to consider a way to implement that feature on something maintainable like https://github.com/ProtonMail/gopenpgp and reuse just some lower level methods from https://github.com/cavaliergopher/rpm

UPD: https://github.com/sassoftware/go-rpmutils - this library looks more fresh and maintainable, already using ProtonMail's openpgp implementation.
@teran teran added enhancement New feature or request archived-cli CLI related tasks labels Aug 16, 2024
@teran teran added this to the v0.0.8 milestone Aug 16, 2024
@teran teran added this to archived Aug 17, 2024
@teran teran added the good first issue Good for newcomers label Aug 17, 2024
@teran teran self-assigned this Aug 17, 2024
@teran teran moved this from Backlog to In progress in archived Aug 17, 2024
@teran teran mentioned this issue Aug 17, 2024
Merged
@teran teran closed this as completed in d92fac0 Aug 18, 2024
@github-project-automation github-project-automation bot moved this from In progress to Done in archived Aug 18, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@teran teran

Labels
archived-cli CLI related tasks enhancement New feature or request good first issue Good for newcomers
Projects
archived
Status: Done
Milestone
v0.0.8
Development

Successfully merging a pull request may close this issue.

Add GPG key verification for RPM packages teran/archived
1 participant
@teran