Add field to track package signing keys as labels

pulpbot · dralley · commit ba800dac510d · 2026-03-09T23:27:05.000-04:00
Assisted By: Claude Sonnet 4.6
diff --git a/CHANGES/+track-package-signing-key.feature b/CHANGES/+track-package-signing-key.feature
@@ -0,0 +1 @@
+Added a new field `signing_keys` on packages that tracks the fingerprints of keys Pulp has used to sign the package.
diff --git a/pulp_rpm/app/migrations/0070_add_rpm_signing_keys.py b/pulp_rpm/app/migrations/0070_add_rpm_signing_keys.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.2.27 on 2026-02-25 14:00
+
+import django.contrib.postgres.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rpm', '0069_DATA_fix_signing_fingerprint'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='package',
+            name='signing_keys',
+            field=django.contrib.postgres.fields.ArrayField(base_field=models.TextField(), default=None, null=True, size=None),
+        ),
+    ]
diff --git a/pulp_rpm/app/models/package.py b/pulp_rpm/app/models/package.py
@@ -4,6 +4,7 @@
 
 from django.conf import settings
 from django.db import models
+from django.contrib.postgres.fields import ArrayField
 
 from pulpcore.plugin.models import Content
 from pulpcore.plugin.util import get_domain_pk
@@ -126,6 +127,9 @@ class Package(Content):
         time_file (BigInteger):
             The mtime of the package file in seconds since the epoch; this is the 'file' time
             attribute in the primary XML.
+
+        signing_keys (ArrayField):
+            List of signing key fingerprints used to sign the package.
     """
 
     PROTECTED_FROM_RECLAIM = False
@@ -205,6 +209,7 @@ class Package(Content):
 
     # not part of createrepo_c metadata
     is_modular = models.BooleanField(default=False)
+    signing_keys = ArrayField(models.TextField(), default=None, null=True)
 
     # createrepo_c treats 'nosrc' arch (opensuse specific use) as 'src' so it can seem that two
     # packages are the same when they are not. By adding 'location_href' here we can recognize this.
diff --git a/pulp_rpm/app/serializers/package.py b/pulp_rpm/app/serializers/package.py
@@ -248,6 +248,14 @@ class PackageSerializer(SingleArtifactContentUploadSerializer, ContentChecksumSe
         read_only=True,
     )
 
+    signing_keys = serializers.ListField(
+        child=serializers.CharField(),
+        help_text=_("List of signing key fingerprints used to sign this package. "),
+        allow_null=True,
+        required=False,
+        read_only=True,
+    )
+
     def __init__(self, *args, **kwargs):
         """Initializer for RpmPackageSerializer."""
 
@@ -286,6 +294,12 @@ def deferred_validate(self, data):
         data["relative_path"] = filename
         new_pkg["location_href"] = filename
         data.update(new_pkg)
+
+        if signing_key := self.context.get("signing_key"):
+            data["signing_keys"] = [signing_key]
+        else:
+            data["signing_keys"] = None
+
         return data
 
     def retrieve(self, validated_data):
@@ -335,6 +349,7 @@ class Meta:
                 "size_package",
                 "time_build",
                 "time_file",
+                "signing_keys",
             )
         )
         model = Package
diff --git a/pulp_rpm/app/tasks/signing.py b/pulp_rpm/app/tasks/signing.py
@@ -41,10 +41,10 @@ def _save_upload(uploadobj, final_package):
     final_package.flush()
 
 
-def _verify_package_fingerprint(package_file, signing_fingerprint):
-    """Verify if the packge_file is signed with signing_fingerprint or not."""
+def _verify_package_fingerprint(path, signing_fingerprint):
+    """Verify if the package at path is signed with signing_fingerprint or not."""
     completed_process = subprocess.run(
-        ("rpm", "-Kv", package_file.name),
+        ("rpm", "-Kv", path),
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
@@ -68,26 +68,40 @@ def _verify_package_fingerprint(package_file, signing_fingerprint):
     return False
 
 
-def _create_signed_artifact(signed_package_path, result):
-    if not signed_package_path.exists():
-        raise Exception(f"Signing script did not create the signed package: {result}")
-    artifact = Artifact.init_and_validate(str(signed_package_path))
-    artifact.save()
-    resource = CreatedResource(content_object=artifact)
-    resource.save()
-    return artifact
+def _update_signing_keys(package_file, keys):
+    """Return a filtered list of signing keys verified against the package file.
+
+    Verifies each key in keys against the package file and removes any that are not
+    present on the package.
+    """
+    return [key for key in (keys or []) if _verify_package_fingerprint(package_file, key)]
 
 
 def _sign_file(package_file, signing_service, signing_fingerprint):
+    """Sign a package and return the local path of the signed file."""
     result = signing_service.sign(package_file.name, pubkey_fingerprint=signing_fingerprint)
     signed_package_path = Path(result["rpm_package"])
-    return _create_signed_artifact(signed_package_path, result)
+    if not signed_package_path.exists():
+        raise Exception(f"Signing script did not create the signed package: {result}")
+    return signed_package_path
 
 
 async def _asign_file(package_file, signing_service, signing_fingerprint):
+    """Sign a package asynchronously and return the local path of the signed file."""
     result = await signing_service.asign(package_file.name, pubkey_fingerprint=signing_fingerprint)
     signed_package_path = Path(result["rpm_package"])
-    return await asyncio.to_thread(_create_signed_artifact, signed_package_path, result)
+    if not signed_package_path.exists():
+        raise Exception(f"Signing script did not create the signed package: {result}")
+    return signed_package_path
+
+
+def _save_artifact(artifact_path):
+    """Save an artifact."""
+    artifact = Artifact.init_and_validate(str(artifact_path))
+    artifact.save()
+    resource = CreatedResource(content_object=artifact)
+    resource.save()
+    return artifact
 
 
 def _sign_package(package, signing_service, signing_fingerprint):
@@ -108,7 +122,7 @@ def _sign_package(package, signing_service, signing_fingerprint):
         _save_file(artifact_file, final_package)
 
         # check if the package is already signed with our fingerprint
-        if _verify_package_fingerprint(final_package, signing_fingerprint):
+        if _verify_package_fingerprint(final_package.name, signing_fingerprint):
             return None
 
         # check if the package has been signed in the past with our fingerprint and replace
@@ -121,12 +135,19 @@ def _sign_package(package, signing_service, signing_fingerprint):
 
         # create a new signed version of the package
         log.info(f"Signing package {package.filename}.")
-        artifact = _sign_file(final_package, signing_service, signing_fingerprint)
+        signed_package_path = _sign_file(final_package, signing_service, signing_fingerprint)
+        # Compute signing keys while the signed file is still on the local filesystem.
+        signing_keys = _update_signing_keys(
+            str(signed_package_path),
+            (package.signing_keys or []) + [signing_fingerprint],
+        )
+        artifact = _save_artifact(signed_package_path)
         signed_package = package
         signed_package.pk = None
         signed_package.pulp_id = None
         signed_package.pkgId = artifact.sha256
         signed_package.checksum_type = CHECKSUM_TYPES.SHA256
+        signed_package.signing_keys = signing_keys
         signed_package.save()
         ContentArtifact.objects.create(
             artifact=artifact,
@@ -167,7 +188,10 @@ def sign_and_create(
             uploaded_package = Upload.objects.get(pk=temporary_file_pk)
             _save_upload(uploaded_package, final_package)
 
-        artifact = _sign_file(final_package, package_signing_service, signing_fingerprint)
+        signed_package_path = _sign_file(
+            final_package, package_signing_service, signing_fingerprint
+        )
+        artifact = _save_artifact(signed_package_path)
     uploaded_package.delete()
 
     # Create Package content
@@ -179,6 +203,12 @@ def sign_and_create(
     # request data like we do for a file.  Instead, we'll delete it here.
     if "upload" in data:
         del data["upload"]
+
+    # set the signing key in the context so that it gets added to the created package's
+    # signing_keys field. if this package is being created then it won't have been previously
+    # signed by Pulp.
+    context["signing_key"] = signing_fingerprint
+
     general_create(app_label, serializer_name, data=data, context=context, *args, **kwargs)
 
 
diff --git a/pulp_rpm/app/tasks/synchronizing.py b/pulp_rpm/app/tasks/synchronizing.py
@@ -1409,6 +1409,8 @@ def score_grouping(items):
                         pkg, string_cache=string_cache, tuple_cache=tuple_cache
                     )
                 )
+                # TODO: set signing_keys when we support package signing during sync
+                package.signing_keys = None
                 base_url = pkg.location_base or self.remote_url
                 url = urlpath_sanitize(base_url, package.location_href)
                 last_seen_package_name = pkg.name
diff --git a/pulp_rpm/app/viewsets/package.py b/pulp_rpm/app/viewsets/package.py
@@ -29,6 +29,11 @@ class PackageFilter(ContentFilter):
 
     sha256 = CharFilter(field_name="_artifacts__sha256")
     filename = CharFilter(field_name="content_artifact__relative_path")
+    signing_key = CharFilter(method="filter_signing_key")
+
+    def filter_signing_key(self, queryset, name, value):
+        """Filter packages that have been signed with a given key fingerprint."""
+        return queryset.filter(signing_keys__contains=[value])
 
     class Meta:
         model = Package
diff --git a/pulp_rpm/tests/functional/api/test_package_signing.py b/pulp_rpm/tests/functional/api/test_package_signing.py
@@ -66,6 +66,7 @@ def test_sign_package_on_upload(
     signing_gpg_extra,
     rpm_package_signing_service,
     rpm_package_api,
+    rpm_repository_api,
     rpm_repository_factory,
     rpm_publication_factory,
     rpm_package_factory,
@@ -102,17 +103,29 @@ def test_sign_package_on_upload(
             repository=repository.pulp_href,
         )
         package_href = monitor_task(upload_response.task).created_resources[2]
-        pkg_location_href = rpm_package_api.read(package_href).location_href
+        package = rpm_package_api.read(package_href)
+        assert package.signing_keys == [fingerprint]
 
         # Verify that the final served package is signed
         publication = rpm_publication_factory(repository=repository.pulp_href)
         distribution = rpm_distribution_factory(publication=publication.pulp_href)
         downloaded_package = tmp_path / "package.rpm"
         downloaded_package.write_bytes(
-            download_content_unit(distribution.base_path, get_package_repo_path(pkg_location_href))
+            download_content_unit(
+                distribution.base_path, get_package_repo_path(package.location_href)
+            )
         )
         assert rpm_tool.verify_signature(downloaded_package)
 
+        # Verify signing_key filter
+        repository = rpm_repository_api.read(repository.pulp_href)
+        assert (
+            rpm_package_api.list(
+                repository_version=repository.latest_version_href, signing_key=fingerprint
+            ).count
+            == 1
+        )
+
 
 @pytest.fixture
 def pulpcore_chunked_file_factory(tmp_path):
@@ -226,22 +239,25 @@ def test_sign_chunked_package_on_upload(
             repository=repository.pulp_href,
         )
         package_href = monitor_task(upload_response.task).created_resources[2]
-        pkg_location_href = rpm_package_api.read(package_href).location_href
+        package = rpm_package_api.read(package_href)
+        assert package.signing_keys == [fingerprint]
 
         # Verify that the final served package is signed
         publication = rpm_publication_factory(repository=repository.pulp_href)
         distribution = rpm_distribution_factory(publication=publication.pulp_href)
         downloaded_package = tmp_path / "package.rpm"
         downloaded_package.write_bytes(
-            download_content_unit(distribution.base_path, get_package_repo_path(pkg_location_href))
+            download_content_unit(
+                distribution.base_path, get_package_repo_path(package.location_href)
+            )
         )
         assert rpm_tool.verify_signature(downloaded_package)
 
 
 def test_signed_repo_modify(
     tmp_path,
+    delete_orphans_pre,
     monitor_task,
-    pulpcore_bindings,
     download_content_unit,
     signing_gpg_metadata,
     rpm_package_signing_service,
@@ -253,7 +269,6 @@ def test_signed_repo_modify(
     rpm_distribution_factory,
 ):
     """Ensure packages added via modify are signed before distribution."""
-    monitor_task(pulpcore_bindings.OrphansCleanupApi.cleanup({"orphan_protection_time": 0}).task)
 
     gpg, fingerprint, _ = signing_gpg_metadata
 
@@ -272,6 +287,7 @@ def test_signed_repo_modify(
     )
 
     created_package = rpm_package_factory(url=RPM_UNSIGNED_URL)
+    assert created_package.signing_keys is None
     package_href = created_package.pulp_href
     modify_response = rpm_repository_api.modify(
         repository.pulp_href, {"add_content_units": [package_href]}
@@ -282,6 +298,8 @@ def test_signed_repo_modify(
     signed_package = rpm_package_api.list(
         repository_version=repository.latest_version_href
     ).results[0]
+    assert signed_package.pulp_href != created_package.pulp_href
+    assert signed_package.signing_keys == [fingerprint]
     assert sorted(task_result.created_resources) == sorted(
         [repository.latest_version_href, signed_package.pulp_href, signed_package.artifact]
     )
@@ -311,8 +329,8 @@ def test_signed_repo_modify(
 
 
 def test_already_signed_package(
+    delete_orphans_pre,
     monitor_task,
-    pulpcore_bindings,
     signing_gpg_metadata,
     rpm_package_signing_service,
     rpm_repository_factory,
@@ -321,7 +339,6 @@ def test_already_signed_package(
     rpm_package_api,
 ):
     """Don't sign a package if it's already signed with our key."""
-    monitor_task(pulpcore_bindings.OrphansCleanupApi.cleanup({"orphan_protection_time": 0}).task)
 
     _, fingerprint, _ = signing_gpg_metadata
 
@@ -348,6 +365,7 @@ def test_already_signed_package(
         repository_version=repo_one.latest_version_href
     ).results
     signed_package_href = repo_one_packages[0].pulp_href
+    assert repo_one_packages[0].signing_keys == [fingerprint]
     assert len(repo_one_packages) == 1
     assert sorted(task_result.created_resources) == sorted(
         [signed_package_href, repo_one_packages[0].artifact, repo_one.latest_version_href]
diff --git a/pulp_rpm/tests/functional/constants.py b/pulp_rpm/tests/functional/constants.py
@@ -307,6 +307,7 @@
     "time_file": 1627056000,
     "url": "http://bobloblaw.com",
     "version": "2.3.4",
+    "signing_keys": None,
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Added a new field `signing_keys` on packages that tracks the fingerprints of keys Pulp has used to sign the package.
Original file line number	Diff line number	Diff line change
`@@ -1409,6 +1409,8 @@ def score_grouping(items):`
`1409`	`1409`	`pkg, string_cache=string_cache, tuple_cache=tuple_cache`
`1410`	`1410`	`)`
`1411`	`1411`	`)`
	`1412`	`+ # TODO: set signing_keys when we support package signing during sync`
	`1413`	`+ package.signing_keys = None`
`1412`	`1414`	`base_url = pkg.location_base or self.remote_url`
`1413`	`1415`	`url = urlpath_sanitize(base_url, package.location_href)`
`1414`	`1416`	`last_seen_package_name = pkg.name`
Original file line number	Diff line number	Diff line change
`@@ -307,6 +307,7 @@`
`307`	`307`	`"time_file": 1627056000,`
`308`	`308`	`"url": "http://bobloblaw.com",`
`309`	`309`	`"version": "2.3.4",`
	`310`	`+ "signing_keys": None,`
`310`	`311`	`}`
`311`	`312`
`312`	`313`