Add support to rpm signing service

closes: #1401
pulp · Feb 7, 2025 · 89e07af · 89e07af
1 parent 5016f6a
commit 89e07af
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 3 deletions.
diff --git a/CHANGES/1401.feature b/CHANGES/1401.feature
@@ -0,0 +1 @@
+Added support to RPM signing service.
diff --git a/controllers/deployment.go b/controllers/deployment.go
@@ -559,6 +559,10 @@ func signingMetadataVolumes(resources any, storageType []string, volumes []corev
 			item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
 			secretItems = append(secretItems, item)
 		}
+		if DeployRpmSign(*secret) {
+			item := corev1.KeyToPath{Key: settings.RpmSigningScriptName, Path: settings.RpmSigningScriptName}
+			secretItems = append(secretItems, item)
+		}
 		volumePermissions := int32(0755)
 		signingSecretVolume := []corev1.Volume{
 			{

diff --git a/controllers/repo_manager/job.go b/controllers/repo_manager/job.go
@@ -385,6 +385,14 @@ func signingScriptContainer(pulp *repomanagerpulpprojectorgv1beta2.Pulp, scripts
 			ReadOnly:  true,
 		})
 	}
+	if controllers.DeployRpmSign(scriptsSecret) {
+		signingSecretMount = append(signingSecretMount, corev1.VolumeMount{
+			Name:      pulp.Name + "-signing-scripts",
+			MountPath: settings.SigningScriptPath + settings.RpmSigningScriptName,
+			SubPath:   settings.RpmSigningScriptName,
+			ReadOnly:  true,
+		})
+	}
 	volumeMounts = append(volumeMounts, signingSecretMount...)
 
 	// resource requirements
@@ -415,9 +423,14 @@ echo "${PULP_SIGNING_KEY_FINGERPRINT}:6" | gpg --import-ownertrust
 	}
 	if controllers.DeployAptSign(scriptsSecret) {
 		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service apt-signing-service --class deb:AptReleaseSigningService\n"
-		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service --class deb:AptReleaseSigningService apt-signing-service " + settings.SigningScriptPath + settings.AptSigningScriptName + " " + fingerprint
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service apt-signing-service " + settings.SigningScriptPath + settings.AptSigningScriptName + " " + fingerprint + " --class deb:AptReleaseSigningService \n"
 		envVars = append(envVars, corev1.EnvVar{Name: "APT_SIGNING_SERVICE", Value: "apt-signing-service"})
 	}
+	if controllers.DeployRpmSign(scriptsSecret) {
+		args[0] += "/usr/local/bin/pulpcore-manager remove-signing-service rpm-signing-service --class rpm:RpmPackageSigningService\n"
+		args[0] += "/usr/local/bin/pulpcore-manager add-signing-service rpm-signing-service " + settings.SigningScriptPath + settings.RpmSigningScriptName + " " + fingerprint + " --class rpm:RpmPackageSigningService \n"
+		envVars = append(envVars, corev1.EnvVar{Name: "RPM_SIGNING_SERVICE", Value: "rpm-signing-service"})
+	}
 
 	return corev1.Container{
 		Name:            "signing-metadata",
@@ -447,6 +460,10 @@ func signingScriptJobVolumes(pulp *repomanagerpulpprojectorgv1beta2.Pulp, secret
 		item := corev1.KeyToPath{Key: settings.AptSigningScriptName, Path: settings.AptSigningScriptName}
 		secretItems = append(secretItems, item)
 	}
+	if controllers.DeployRpmSign(secret) {
+		item := corev1.KeyToPath{Key: settings.RpmSigningScriptName, Path: settings.RpmSigningScriptName}
+		secretItems = append(secretItems, item)
+	}
 
 	volumes := pulpcoreVolumes(pulp, "")
 	volumePermissions := int32(0755)

diff --git a/controllers/settings/jobs.go b/controllers/settings/jobs.go
@@ -17,6 +17,7 @@ const (
 	ContainerSigningScriptName  = "container_script.sh"
 	CollectionSigningScriptName = "collection_script.sh"
 	AptSigningScriptName        = "apt_script.sh"
+	RpmSigningScriptName        = "rpm_script.sh"
 )
 
 func MigrationJob(pulpName string) string {

diff --git a/controllers/utils.go b/controllers/utils.go
@@ -898,6 +898,12 @@ func DeployAptSign(secret corev1.Secret) bool {
 	return contains
 }
 
+// DeployRpmSign returns true if signingScript secret is defined with an rpm script
+func DeployRpmSign(secret corev1.Secret) bool {
+	_, contains := secret.Data[settings.RpmSigningScriptName]
+	return contains
+}
+
 // SetDefaultSecurityContext defines the container security configuration to be in compliance with PodSecurity "restricted:v1.24"
 func SetDefaultSecurityContext() *corev1.SecurityContext {
 	allowPrivilegeEscalation, runAsNonRoot := false, true

diff --git a/docs/configuring/metadata_signing.md b/docs/configuring/metadata_signing.md
@@ -155,11 +155,46 @@ echo { \
 EOF
 ```
 
+* example of an RPM signing script
+```bash
+$ SIGNING_SCRIPT_PATH=/tmp
+$ APT_SIGNING_SCRIPT=rpm_script.sh
+$ cat<<EOF> "$SIGNING_SCRIPT_PATH/$RPM_SIGNING_SCRIPT"
+#!/bin/bash
+
+set -e
+
+FILE_PATH=\$1
+GPG_FINGERPRINT="\$PULP_SIGNING_KEY_FINGERPRINT"
+GPG_HOME=/var/lib/pulp/.gnupg/
+GPG_BIN=/usr/bin/gpg
+
+# Make sure the gpg public key has been imported
+gpg --export -a \$GPG_FINGERPRINT > /tmp/RPM-GPG-KEY
+rpm --import /tmp/RPM-GPG-KEY
+
+rpm \
+    --define "_signature gpg" \
+    --define "_gpg_path \$GPG_HOME" \
+    --define "_gpg_name \$GPG_FINGERPRINT" \
+    --define "_gpgbin \$GPG_BIN" \
+    --define "__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u %{_gpg_name} -sbo %{__signature_filename} --digest-algo sha256 -v --pinentry-mode loopback %{__plaintext_filename}" \
+    --addsign "\$FILE_PATH" 1> /dev/null
+
+STATUS=\$?
+if [[ \$STATUS -eq 0 ]]; then
+   echo {\"rpm_package\": \"\$FILE_PATH\"}
+else
+   exit \$STATUS
+fi
+EOF
+```
+
 !!! WARNING
-    Make sure to set `collection_script.sh`, `container_script.sh`, and/or `apt_script.sh` as key names (using different names would fail operator's execution)
+    Make sure to set `collection_script.sh`, `container_script.sh`, `apt_script.sh`, and/or `rpm_script.sh` as key names (using different names would fail operator's execution)
 
 ```bash
-$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh --from-file=apt_script.sh=/tmp/apt_script.sh
+$ kubectl create secret generic signing-scripts --from-file=collection_script.sh=/tmp/collection_script.sh --from-file=container_script.sh=/tmp/container_script.sh --from-file=apt_script.sh=/tmp/apt_script.sh --from-file=rpm_script.sh=/tmp/rpm_script.sh
 ```
 
 ## Configuring Pulp CR
@@ -189,6 +224,8 @@ Signing service 'container-signing-service' has been successfully removed.
 Successfully added signing service container-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 Signing service 'apt-signing-service' has been successfully removed.
 Successfully added signing service apt-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
+Signing service 'rpm-signing-service' has been successfully removed.
+Successfully added signing service rpm-signing-service for key 66BBFE010CF70CC92826D9AB71684D7912B09BC1.
 ```
 
 double-checking if the signing services are stored in the database:
@@ -224,6 +261,14 @@ $ kubectl exec deployment/pulp-api -- curl -suadmin:$PULP_PWD localhost:24817/pu
       "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQINBGJFjREBE...",
       "pubkey_fingerprint": "66BBFE010CF70CC92826D9AB71684D7912B09BC1",
       "script": "/var/lib/pulp/scripts/collection_script.sh"
+    },
+    {
+      "pulp_href": "/pulp/api/v3/signing-services/0194a988-684c-7dda-9b16-2bb614a8e1ba/",
+      "pulp_created": "2025-01-27T20:51:17.323038Z",
+      "name": "rpm-signing-service",
+      "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGNBGeSYcYBDADaKR4OZ+y...",
+      "pubkey_fingerprint": "66BBFE010CF70CC92826D9AB71684D7912B09BC1",
+      "script": "/var/lib/pulp/scripts/rpm_script.sh"
     }
   ]
 }