Configure Checksum Handling¶

pulp_deb supports the following checksum algorithms: MD5, SHA-1, SHA-256, and SHA-512. However, only algorithms that are present in the ALLOWED_CONTENT_CHECKSUMS setting will actually be used.

Warning

Starting with pulpcore version 3.11, pulpcore will remove md5 and sha1 from the list of ALLOWED_CONTENT_CHECKSUMS by default. At that point, those checksums will no longer be available for use by the pulp_deb plugin, unless users explicitly opt back in. Without opt in, the pulp_deb plugin will be unable to include the relevant metadata fields (MD5Sum, and SHA1) in any metadata files (such as release files and package indecies), published by the plugin’s APT publisher. Since it is almost universal practice within the Debian ecosystem to publish MD5 in particular, there is no telling what might break without it. As a result, it is recommended most pulp_deb users opt in to at least MD5. If you are unable to enable MD5 for compliance reasons, or if you are feeling adventurous, you are welcome to put the claim that MD5 is merely “highly recommended” to the test.

See the release file format description in the Debian Wiki for more information.

Background: What are the checksums used for?¶

APT repository metadata files (release files and package indecies) will typically include several checksums for all files that they reference. During synchronization, pulp_deb will check the downloaded files against the checksums provided (so long as the checksum type is one of the supported algorithms and is present in the ALLOWED_CONTENT_CHECKSUMS setting). Together with a valid (and trusted) release file signature this will guarantee the integrity of the synchronized repository.

During publication, the APT publisher will include any supported (and permitted) checksumtypes in any metadata files it publishes.

Warning

While the APT publisher will respect the ALLOWED_CONTENT_CHECKSUMS setting, the verbatim publisher will publish the upstream metadata files verbatim (the exact same metadata file that was synchronized). As a result, the verbatim publisher is totally independent of (and does not respect) the ALLOWED_CONTENT_CHECKSUMS setting. If your policy prohibits the presence of certain checksum types, either do not use the verbatim publisher, or only synchronize repositories that are already compliant with your policy.

Opting in to MD5 and/or SHA1¶

Note

Up to pulpcore version 3.11 all supported checksums were enabled by default. In addition all pulp_deb versions compatible with pulpcore up to 3.11 simply break if the user actively disables any of the checksum types supported by the plugin.

To opt in to MD5 and SHA1 checksum handling users simply need to manually configure the ALLOWED_CONTENT_CHECKSUMS setting in the Pulp configuration file (normally found at /etc/pulp/settings.py).

See the pulpcore configuration documentation for more information on configuration files and look for the section on ALLOWED_CONTENT_CHECKSUMS in the pulpcore settings documentation for more information on this setting.

Once you have updated your configuration file you will likely need to halt your Pulp instance, and then run the following command to ensure your DB is made consistent with your ALLOWED_CONTENT_CHECKSUMS setting:

pulpcore-manager handle-artifact-checksums

Note

Missing checksums will need to be recalculated for all your artifacts which can take some time. If you have a missmatch between your configured ALLOWED_CONTENT_CHECKSUMS setting and the checksums present in the DB, Pulp will simply refuse to start.

Security Implications¶

While the MD5 and SHA-1 algorithms are no longer considered secure, pulp_deb requires the presence of SHA-256 checksums to function, and is therefore never dependent on unsecure algorithms for integrity checking. MD5 and SHA-1 are checked and used in addition to the other algorithms, purely for backwards compatibility. This is consistent with widespread usage within the larger Debian ecosystem.

Disabling forbidden checksum warnings¶

If your Pulp instance is configured to disallow the MD5 checksum algorithm, pulp_deb will emit a warning message with every sync as well as every use of the APT publisher. You can disable these warnings, by setting FORBIDDEN_CHECKSUM_WARNINGS = False in your Pulp configuration file.