Fix package metadata fields not updated after signing

daviddavis · daviddavis · commit 6563826a0bfb · 2026-03-20T15:41:03.000Z
When creating a signed copy of a package, all RPM metadata fields are now refreshed from the signed file using createrepo_c, ensuring size_package, rpm_header_start, rpm_header_end, time_file, and other fields stay consistent. Fixes #4383 Assisted By: Claude Opus 4.6
diff --git a/CHANGES/4383.bugfix b/CHANGES/4383.bugfix
@@ -0,0 +1 @@
+Updated package signing to refresh all RPM metadata fields from the signed package file, ensuring size, header offsets, and other fields stay consistent after signing.
diff --git a/pulp_rpm/app/tasks/signing.py b/pulp_rpm/app/tasks/signing.py
@@ -5,6 +5,7 @@
 from pathlib import Path
 from tempfile import NamedTemporaryFile
 
+import createrepo_c as cr
 from django.conf import settings
 
 from pulpcore.plugin.models import (
@@ -132,10 +133,15 @@ def _sign_package(package, signing_service, signing_fingerprint):
             str(signed_package_path),
             (package.signing_keys or []) + [signing_fingerprint],
         )
+        # Read all updated metadata from the signed RPM
+        cr_pkg = cr.package_from_rpm(str(signed_package_path))
+        new_pkg_dict = Package.createrepo_to_dict(cr_pkg)
         artifact = _save_artifact(signed_package_path)
         signed_package = package
         signed_package.pk = None
         signed_package.pulp_id = None
+        for field, value in new_pkg_dict.items():
+            setattr(signed_package, field, value)
         signed_package.pkgId = artifact.sha256
         signed_package.checksum_type = CHECKSUM_TYPES.SHA256
         signed_package.signing_keys = signing_keys
diff --git a/pulp_rpm/tests/functional/api/test_package_signing.py b/pulp_rpm/tests/functional/api/test_package_signing.py
@@ -300,6 +300,7 @@ def test_signed_repo_modify(
     ).results[0]
     assert signed_package.pulp_href != created_package.pulp_href
     assert signed_package.signing_keys == [fingerprint]
+    assert signed_package.size_package != created_package.size_package
     assert sorted(task_result.created_resources) == sorted(
         [repository.latest_version_href, signed_package.pulp_href, signed_package.artifact]
     )

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Updated package signing to refresh all RPM metadata fields from the signed package file, ensuring size, header offsets, and other fields stay consistent after signing.`
Original file line number	Diff line number	Diff line change
`@@ -300,6 +300,7 @@ def test_signed_repo_modify(`
`300`	`300`	`).results[0]`
`301`	`301`	`assert signed_package.pulp_href != created_package.pulp_href`
`302`	`302`	`assert signed_package.signing_keys == [fingerprint]`
	`303`	`+ assert signed_package.size_package != created_package.size_package`
`303`	`304`	`assert sorted(task_result.created_resources) == sorted(`
`304`	`305`	`[repository.latest_version_href, signed_package.pulp_href, signed_package.artifact]`
`305`	`306`	`)`