pulp · dralley · Mar 21, 2026 · Mar 20, 2026
diff --git a/CHANGES/+dont-load-file-digests.misc b/CHANGES/+dont-load-file-digests.misc
@@ -0,0 +1 @@
+Set a flag during RPM parsing to ensure we don't load file digests.
diff --git a/pulp_rpm/app/constants.py b/pulp_rpm/app/constants.py
@@ -1,4 +1,5 @@
 from types import SimpleNamespace
+import createrepo_c as cr
 
 # metadata compression types supported
 COMPRESSION_TYPES = SimpleNamespace(
@@ -51,6 +52,8 @@
     (CHECKSUM_TYPES.SHA512, CHECKSUM_TYPES.SHA512),
 )
 
+CR_HEADER_FLAGS = cr.HDRR_NOFILEDIGESTS
+
 ALLOWED_CHECKSUM_ERROR_MSG = """Checksum must be one of the allowed checksum types.
 You can adjust these with the 'ALLOWED_CONTENT_CHECKSUMS' setting."""
 

diff --git a/pulp_rpm/app/serializers/package.py b/pulp_rpm/app/serializers/package.py
@@ -21,6 +21,7 @@
 from tempfile import NamedTemporaryFile
 from pulpcore.plugin.util import get_domain_pk
 
+from pulp_rpm.app.constants import CR_HEADER_FLAGS
 from pulp_rpm.app.models import Package
 from pulp_rpm.app.shared_utils import format_nvra, read_crpackage_from_artifact
 
@@ -429,7 +430,9 @@ def validate(self, data):
         try:
             if uploaded_file:
                 cr_object = cr.package_from_rpm(
-                    uploaded_file.file.name, changelog_limit=settings.KEEP_CHANGELOG_LIMIT
+                    uploaded_file.file.name,
+                    changelog_limit=settings.KEEP_CHANGELOG_LIMIT,
+                    header_reading_flags=CR_HEADER_FLAGS,
                 )
                 new_pkg = Package.createrepo_to_dict(cr_object)
             elif upload:
@@ -446,7 +449,9 @@ def validate(self, data):
 
                 # Now we have a file, read metadata from it
                 cr_object = cr.package_from_rpm(
-                    temp_file.name, changelog_limit=settings.KEEP_CHANGELOG_LIMIT
+                    temp_file.name,
+                    changelog_limit=settings.KEEP_CHANGELOG_LIMIT,
+                    header_reading_flags=CR_HEADER_FLAGS,
                 )
                 new_pkg = Package.createrepo_to_dict(cr_object)
 

diff --git a/pulp_rpm/app/shared_utils.py b/pulp_rpm/app/shared_utils.py
@@ -10,7 +10,10 @@
 from django.conf import settings
 from django.utils.dateparse import parse_datetime
 from importlib_resources import files
+
 from pulpcore.plugin.exceptions import InvalidSignatureError
+
+from pulp_rpm.app.constants import CR_HEADER_FLAGS
 from pulp_rpm.app.rpm_version import RpmVersion
 
 
@@ -97,7 +100,9 @@ def read_crpackage_from_artifact(artifact, working_dir="."):
         shutil.copyfileobj(artifact_file, temp_file)
         temp_file.flush()
         cr_pkginfo = cr.package_from_rpm(
-            temp_file.name, changelog_limit=settings.KEEP_CHANGELOG_LIMIT
+            temp_file.name,
+            changelog_limit=settings.KEEP_CHANGELOG_LIMIT,
+            header_reading_flags=CR_HEADER_FLAGS,
         )
 
     artifact_file.close()

diff --git a/pulp_rpm/app/tasks/signing.py b/pulp_rpm/app/tasks/signing.py
@@ -23,7 +23,6 @@
 from pulp_rpm.app.models.package import Package
 from pulp_rpm.app.models.repository import RpmRepository
 
-
 log = logging.getLogger(__name__)
 
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -26,7 +26,7 @@ classifiers = [
 ]
 requires-python = ">=3.11"
 dependencies = [
-    "createrepo_c~=1.2.1",
+    "createrepo_c~=1.2.3",
     "django_readonly_field~=1.1.1",
     "jsonschema>=4.6,<5.0",
     "libcomps>=0.1.23.post1,<0.2",
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Set a flag during RPM parsing to ensure we don't load file digests.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -23,7 +23,6 @@
		from pulp_rpm.app.models.package import Package
		from pulp_rpm.app.models.repository import RpmRepository


		log = logging.getLogger(__name__)


Expand Down