Update signing key fields to include a version prefix

Assisted By: Claude Opus 4.6

Author: daviddavis

CHANGES/+signing-fingerprint-prefix.feature

@@ -0,0 +1,3 @@
+Signing fingerprints now use a versioned prefix format (e.g. `v4:<hex>`, `keyid:<hex>`) for
+`package_signing_fingerprint` on repositories and `signing_keys` on packages. The repository
+serializer validates the format on input.

pulp_rpm/app/migrations/0070_add_rpm_signing_keys.py

@@ -5,15 +5,26 @@
 
 
 class Migration(migrations.Migration):
-
     dependencies = [
-        ('rpm', '0069_DATA_fix_signing_fingerprint'),
+        ("rpm", "0069_DATA_fix_signing_fingerprint"),
     ]
 
     operations = [
         migrations.AddField(
-            model_name='package',
-            name='signing_keys',
-            field=django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), default=None, null=True, size=None),
+            model_name="package",
+            name="signing_keys",
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.TextField(), default=None, null=True, size=None
+            ),
+        ),
+        migrations.AlterField(
+            model_name="rpmpackagesigningresult",
+            name="package_signing_fingerprint",
+            field=models.TextField(),
+        ),
+        migrations.AlterField(
+            model_name="rpmrepository",
+            name="package_signing_fingerprint",
+            field=models.TextField(null=True),
         ),
     ]

pulp_rpm/app/models/content.py

@@ -37,7 +37,7 @@ def sign(
         Args:
             filename: The absolute path to the package to be signed.
             env_vars: (optional) Dict of env_vars to be passed to the signing script.
-            pubkey_fingerprint: The V4 fingerprint that correlates with the private key to use.
+            pubkey_fingerprint: The raw fingerprint that correlates with the private key to use.
         """
         if not pubkey_fingerprint:
             raise ValueError("A pubkey_fingerprint must be provided.")
@@ -87,16 +87,16 @@ class RpmPackageSigningResult(BaseModel):
         original_package_sha256 (String):
             The sha256 digest of the original package artifact.
         package_signing_fingerprint (String):
-            The fingerprint used to sign the package. This value is copied from the repo's
-            package_signing_fingerprint field.
+            The prefixed fingerprint used to sign the package (e.g. 'v4:<hex>').
+            This value is copied from the repo's package_signing_fingerprint field.
 
     Relations:
         result_package (ForeignKey):
             The resulting package that was signed by @package_signing_fingerprint.
     """
 
     original_package_sha256 = models.TextField(max_length=64)
-    package_signing_fingerprint = models.TextField(max_length=40)
+    package_signing_fingerprint = models.TextField()
     result_package = models.ForeignKey(Content, on_delete=models.CASCADE)
 
     class Meta:

pulp_rpm/app/models/repository.py

@@ -208,7 +208,8 @@ class RpmRepository(Repository, AutoAddObjPermsMixin):
         package_signing_service (RpmPackageSigningService):
             Signing service to be used on package signing operations related to this repository.
         package_signing_fingerprint (String):
-            The V4 fingerprint (160 bits) to be used by @package_signing_service.
+            The fingerprint to be used by @package_signing_service.
+            Format: 'v<N>:<hex-fingerprint>' or 'keyid:<16-hex>'.
         repo_config (JSON): repo configuration that will be served by distribution
         compression_type(pulp_rpm.app.constants.COMPRESSION_TYPES):
             Compression type to use for metadata files.
@@ -238,7 +239,7 @@ class RpmRepository(Repository, AutoAddObjPermsMixin):
     package_signing_service = models.ForeignKey(
         RpmPackageSigningService, on_delete=models.SET_NULL, null=True
     )
-    package_signing_fingerprint = models.TextField(null=True, max_length=40)
+    package_signing_fingerprint = models.TextField(null=True)
     last_sync_details = models.JSONField(default=dict)
     retain_package_versions = models.PositiveIntegerField(default=0)
 

pulp_rpm/app/serializers/package.py

@@ -22,6 +22,7 @@
 from pulpcore.plugin.util import get_domain_pk
 
 from pulp_rpm.app.constants import CR_HEADER_FLAGS
+from pulpcore.plugin.serializers import PgpKeyFingerprintField
 from pulp_rpm.app.models import Package
 from pulp_rpm.app.shared_utils import format_nvra, read_crpackage_from_artifact
 
@@ -250,7 +251,7 @@ class PackageSerializer(SingleArtifactContentUploadSerializer, ContentChecksumSe
     )
 
     signing_keys = serializers.ListField(
-        child=serializers.CharField(),
+        child=PgpKeyFingerprintField(),
         help_text=_("List of signing key fingerprints used to sign this package. "),
         allow_null=True,
         required=False,

pulp_rpm/app/serializers/repository.py

@@ -41,6 +41,7 @@
     RpmRepository,
     UlnRemote,
 )
+from pulpcore.plugin.serializers import PgpKeyFingerprintField
 from pulp_rpm.app.schema import COPY_CONFIG_SCHEMA
 from urllib.parse import urlparse
 from textwrap import dedent
@@ -87,12 +88,12 @@ class RpmRepositorySerializer(RepositorySerializer):
         required=False,
         allow_null=True,
     )
-    package_signing_fingerprint = serializers.CharField(
+    package_signing_fingerprint = PgpKeyFingerprintField(
         help_text=_(
-            "The pubkey V4 fingerprint (160 bits) to be passed to the package signing service."
-            "The signing service will use that on signing operations related to this repository."
+            "The pubkey fingerprint to be passed to the package signing service. "
+            "Format: 'v<N>:<hex-fingerprint>' or 'keyid:<16-hex-char>'. "
+            "Example: 'v4:ABCDEF1234567890ABCDEF1234567890ABCDEF12'."
         ),
-        max_length=40,
         required=False,
         allow_null=True,
         default=None,

pulp_rpm/app/tasks/signing.py

@@ -22,7 +22,6 @@
 from pulp_rpm.app.models.content import RpmPackageSigningResult, RpmPackageSigningService
 from pulp_rpm.app.models.package import Package
 from pulp_rpm.app.models.repository import RpmRepository
-
 log = logging.getLogger(__name__)
 
 
@@ -54,14 +53,16 @@ def _verify_package_fingerprint(path, signing_fingerprint):
             f"{completed_process.stderr}."
         )
 
+    raw_fingerprint = signing_fingerprint.split(":", 1)[1]
+
     # check for `key ID` followed by a string of hex digits
     key_ids = re.findall(r"key ID ([0-9A-Fa-f]+)", completed_process.stdout, re.IGNORECASE)
     # check for `key fingerprint:` followed by a string of hex digits
     fingerprints = re.findall(
         r"key fingerprint:\s*([0-9A-Fa-f]+)", completed_process.stdout, re.IGNORECASE
     )
     for candidate in key_ids + fingerprints:
-        if signing_fingerprint.lower().endswith(candidate.lower()):
+        if raw_fingerprint.upper().endswith(candidate.upper()):
             return True
 
     return False
@@ -78,7 +79,8 @@ def _update_signing_keys(package_file, keys):
 
 def _sign_file(package_file, signing_service, signing_fingerprint):
     """Sign a package and return the local path of the signed file."""
-    result = signing_service.sign(package_file.name, pubkey_fingerprint=signing_fingerprint)
+    raw_fingerprint = signing_fingerprint.split(":", 1)[1]
+    result = signing_service.sign(package_file.name, pubkey_fingerprint=raw_fingerprint)
     signed_package_path = Path(result["rpm_package"])
     if not signed_package_path.exists():
         raise Exception(f"Signing script did not create the signed package: {result}")

pulp_rpm/tests/functional/api/test_package_signing.py

@@ -9,7 +9,12 @@
 from pulpcore.exceptions.validation import InvalidSignatureError
 
 from pulp_rpm.app.shared_utils import RpmTool
-from pulp_rpm.tests.functional.constants import RPM_PACKAGE_FILENAME, RPM_UNSIGNED_URL
+from pulp_rpm.tests.functional.constants import (
+    RPM_PACKAGE_FILENAME,
+    RPM_PACKAGE_FILENAME2,
+    RPM_UNSIGNED_URL,
+    RPM_UNSIGNED_URL2,
+)
 from pulp_rpm.tests.functional.utils import get_package_repo_path
 
 
@@ -94,17 +99,18 @@ def test_sign_package_on_upload(
     # Upload Package to Repository
     # The same file is uploaded, but signed with different keys each time
     for fingerprint in fingerprint_set:
+        prefixed_fingerprint = f"v4:{fingerprint}"
         repository = rpm_repository_factory(
             package_signing_service=rpm_package_signing_service.pulp_href,
-            package_signing_fingerprint=fingerprint,
+            package_signing_fingerprint=prefixed_fingerprint,
         )
         upload_response = rpm_package_api.create(
             file=str(file_to_upload.absolute()),
             repository=repository.pulp_href,
         )
         package_href = monitor_task(upload_response.task).created_resources[2]
         package = rpm_package_api.read(package_href)
-        assert package.signing_keys == [fingerprint]
+        assert package.signing_keys == [prefixed_fingerprint]
 
         # Verify that the final served package is signed
         publication = rpm_publication_factory(repository=repository.pulp_href)
@@ -121,7 +127,7 @@ def test_sign_package_on_upload(
         repository = rpm_repository_api.read(repository.pulp_href)
         assert (
             rpm_package_api.list(
-                repository_version=repository.latest_version_href, signing_key=fingerprint
+                repository_version=repository.latest_version_href, signing_key=prefixed_fingerprint
             ).count
             == 1
         )
@@ -216,17 +222,18 @@ def test_sign_chunked_package_on_upload(
     rpm_tool.import_pubkey_string(gpg_a.pubkey)
     rpm_tool.import_pubkey_string(gpg_b.pubkey)
 
-    file_to_upload = tmp_path / RPM_PACKAGE_FILENAME
-    file_to_upload.write_bytes(requests.get(RPM_UNSIGNED_URL).content)
+    file_to_upload = tmp_path / RPM_PACKAGE_FILENAME2
+    file_to_upload.write_bytes(requests.get(RPM_UNSIGNED_URL2).content)
     with pytest.raises(InvalidSignatureError, match="The package is not signed: .*"):
         rpm_tool.verify_signature(file_to_upload)
 
     # Upload Package to Repository
     # The same file is uploaded, but signed with different keys each time
     for fingerprint in fingerprint_set:
+        prefixed_fingerprint = f"v4:{fingerprint}"
         repository = rpm_repository_factory(
             package_signing_service=rpm_package_signing_service.pulp_href,
-            package_signing_fingerprint=fingerprint,
+            package_signing_fingerprint=prefixed_fingerprint,
         )
         file_chunks_data = pulpcore_chunked_file_factory(file_to_upload)
         size = file_chunks_data["size"]
@@ -240,7 +247,7 @@ def test_sign_chunked_package_on_upload(
         )
         package_href = monitor_task(upload_response.task).created_resources[2]
         package = rpm_package_api.read(package_href)
-        assert package.signing_keys == [fingerprint]
+        assert package.signing_keys == [prefixed_fingerprint]
 
         # Verify that the final served package is signed
         publication = rpm_publication_factory(repository=repository.pulp_href)
@@ -271,6 +278,7 @@ def test_signed_repo_modify(
     """Ensure packages added via modify are signed before distribution."""
 
     gpg, fingerprint, _ = signing_gpg_metadata
+    prefixed_fingerprint = f"v4:{fingerprint}"
 
     rpm_tool = RpmTool(tmp_path)
     rpm_tool.import_pubkey_string(gpg.export_keys(fingerprint))
@@ -283,7 +291,7 @@ def test_signed_repo_modify(
 
     repository = rpm_repository_factory(
         package_signing_service=rpm_package_signing_service.pulp_href,
-        package_signing_fingerprint=fingerprint,
+        package_signing_fingerprint=prefixed_fingerprint,
     )
 
     created_package = rpm_package_factory(url=RPM_UNSIGNED_URL)
@@ -299,7 +307,7 @@ def test_signed_repo_modify(
         repository_version=repository.latest_version_href
     ).results[0]
     assert signed_package.pulp_href != created_package.pulp_href
-    assert signed_package.signing_keys == [fingerprint]
+    assert signed_package.signing_keys == [prefixed_fingerprint]
     assert signed_package.time_file != created_package.time_file
     assert sorted(task_result.created_resources) == sorted(
         [repository.latest_version_href, signed_package.pulp_href, signed_package.artifact]
@@ -342,14 +350,15 @@ def test_already_signed_package(
     """Don't sign a package if it's already signed with our key."""
 
     _, fingerprint, _ = signing_gpg_metadata
+    prefixed_fingerprint = f"v4:{fingerprint}"
 
     repo_one = rpm_repository_factory(
         package_signing_service=rpm_package_signing_service.pulp_href,
-        package_signing_fingerprint=fingerprint,
+        package_signing_fingerprint=prefixed_fingerprint,
     )
     repo_two = rpm_repository_factory(
         package_signing_service=rpm_package_signing_service.pulp_href,
-        package_signing_fingerprint=fingerprint,
+        package_signing_fingerprint=prefixed_fingerprint,
     )
 
     created_package = rpm_package_factory(url=RPM_UNSIGNED_URL)
@@ -366,7 +375,7 @@ def test_already_signed_package(
         repository_version=repo_one.latest_version_href
     ).results
     signed_package_href = repo_one_packages[0].pulp_href
-    assert repo_one_packages[0].signing_keys == [fingerprint]
+    assert repo_one_packages[0].signing_keys == [prefixed_fingerprint]
     assert len(repo_one_packages) == 1
     assert sorted(task_result.created_resources) == sorted(
         [signed_package_href, repo_one_packages[0].artifact, repo_one.latest_version_href]
@@ -402,7 +411,7 @@ def test_signed_repo_rejects_on_demand_content(
     _, fingerprint, _ = signing_gpg_metadata
     destination_repo = rpm_repository_factory(
         package_signing_service=rpm_package_signing_service.pulp_href,
-        package_signing_fingerprint=fingerprint,
+        package_signing_fingerprint=f"v4:{fingerprint}",
     )
 
     packages = rpm_package_api.list(repository_version=source_repo.latest_version_href).results

pulp_rpm/tests/functional/constants.py

@@ -365,6 +365,9 @@
 RPM_UNSIGNED_URL = urljoin(RPM_UNSIGNED_FIXTURE_URL, RPM_PACKAGE_FILENAME)
 """The path to a single unsigned RPM package."""
 
+RPM_UNSIGNED_URL2 = urljoin(RPM_UNSIGNED_FIXTURE_URL, RPM_PACKAGE_FILENAME2)
+"""The path to a second single unsigned RPM package."""
+
 RPM_UPDATED_UPDATEINFO_FIXTURE_URL = urljoin(PULP_FIXTURES_BASE_URL, "rpm-updated-updateinfo/")
 """The URL to a repository containing UpdateRecords (Advisory) with the same IDs
 as the ones in the standard repositories, but with different metadata.

pulp_rpm/tests/unit/test_signing.py

@@ -18,7 +18,7 @@ def fake_run(*args, **kwargs):
 
     monkeypatch.setattr(subprocess, "run", fake_run)
     package = SimpleNamespace(name=str(tmp_path / "example.rpm"))
-    assert _verify_package_fingerprint(package, "c6e7f081cf80e13146676e88829b606631645531")
+    assert _verify_package_fingerprint(package, "v4:C6E7F081CF80E13146676E88829B606631645531")
 
 
 def test_verify_package_fingerprint_accepts_long_key_id(monkeypatch, tmp_path):
@@ -35,4 +35,4 @@ def fake_run(*args, **kwargs):
 
     monkeypatch.setattr(subprocess, "run", fake_run)
     package = SimpleNamespace(name=str(tmp_path / "example.rpm"))
-    assert _verify_package_fingerprint(package, "999f7cbf38ab71f4")
+    assert _verify_package_fingerprint(package, "keyid:999F7CBF38AB71F4")