Metadata Signing¶
The RPM plugin is able to sign repository metadata using a signing service configured by an administrator. This enables package managers to verify the authenticity of metadata before installing packages referenced by that metadata. The metadata signing is enabled for all repositories that have a signing service associated with them.
Setup¶
Let us assume that a signing service is already supplied by an administrator and is queryable via REST API in an ordinary way. The only thing that needs to be done by a user is to create a new repository with the associated signing service, like so:
#!/usr/bin/env bash
# Create RPM repository
if [ $# -eq 0 ]; then
REPO_NAME="foo"
else
REPO_NAME="$1"
fi
export REPO_NAME
echo "Fetching the signing service."
SIGNING_SERVICE_HREF=$(http "$BASE_ADDR"/pulp/api/v3/signing-services/?name="sign-metadata" \
| jq -r '.results[0].pulp_href')
export SIGNING_SERVICE_HREF
echo "Creating a new repository named $REPO_NAME."
REPO_HREF=$(http POST "$BASE_ADDR"/pulp/api/v3/repositories/rpm/rpm/ name="$REPO_NAME" \
metadata_signing_service="$SIGNING_SERVICE_HREF" \
| jq -r '.pulp_href')
export REPO_HREF
echo "Inspecting Repository."
http "$BASE_ADDR""$REPO_HREF"
Then, the repository needs to be published and a new distribution needs to be created out of it, as usually. Follow the instructions provided here to do so.
The publication will automatically contain a detached ascii-armored signature and a public key. Both, the detached signature and the public key, are used by package managers during the process of verification.
Note
The public key must be stored as public.key to prevent any path issues.
Installing Packages¶
When a distribution with signed repodata is created, a user can install packages from a signed
repository. But, at first, it is necessary to set up the configuration for the repository. One may
initialize the configuration by leveraging the utility dnf config-manager like shown below.
Afterwards, the user should be able to install the packages by running dnf install packages.
#!/usr/bin/env bash
BASE_URL=$(http "$BASE_ADDR""$DISTRIBUTION_HREF" | jq -r '.base_url')
BASE_PATH=$(http "$BASE_ADDR""$DISTRIBUTION_HREF" | jq -r '.base_path')
PUBLIC_KEY_URL="$BASE_URL"/repodata/public.key
echo "Setting up a YUM repository."
sudo dnf config-manager --add-repo "$BASE_URL"
sudo dnf config-manager --save \
--setopt=*"$BASE_PATH".gpgcheck=0 \
--setopt=*"$BASE_PATH".repo_gpgcheck=1 \
--setopt=*"$BASE_PATH".gpgkey="$PUBLIC_KEY_URL"
sudo dnf install -y walrus
Note
Package managers take advantage of signed repositories only when the attribute repo_gpgcheck
is set to 1. Also, bear in mind that the attribute gpgkey should be configured as well to
let the managers know which public key has to be used during the verification.