1 change: 1 addition & 0 deletions CHANGES/+package-signing-logs.misc
@@ -0,0 +1 @@
Added log statements throughout the package signing task to aid troubleshooting and debugging.
10 changes: 10 additions & 0 deletions pulp_rpm/app/tasks/signing.py
Expand Up @@ -66,6 +66,10 @@ def _verify_package_fingerprint(path, signing_fingerprint):
if raw_fingerprint.upper().endswith(candidate.upper()):
return True

log.debug(
f"Fingerprint mismatch for {path}: expected {raw_fingerprint}, "
f"found key IDs {key_ids} and fingerprints {fingerprints}."
)
return False


Expand All @@ -81,6 +85,7 @@ def _update_signing_keys(package_file, keys):
def _sign_file(package_file, signing_service, signing_fingerprint):
"""Sign a package and return the local path of the signed file."""
prefix, raw_fingerprint = signing_fingerprint.split(":", 1)
log.info(f"Signing package {package_file.name} with fingerprint {signing_fingerprint}.")
result = signing_service.sign(
package_file.name,
env_vars={"PULP_SIGNING_FINGERPRINT_TYPE": prefix},
Expand Down Expand Up @@ -120,6 +125,7 @@ def _sign_package(package, signing_service, signing_fingerprint):

# check if the package is already signed with our fingerprint
if _verify_package_fingerprint(final_package.name, signing_fingerprint):
log.info(f"Package {package.filename} is already signed with {signing_fingerprint}.")
return None

# check if the package has been signed in the past with our fingerprint and replace
Expand All @@ -128,6 +134,7 @@ def _sign_package(package, signing_service, signing_fingerprint):
original_package_sha256=content_artifact.artifact.sha256,
package_signing_fingerprint=signing_fingerprint,
).first():
log.info(f"Reusing previously signed package for {package.filename}.")
In retrospect this particular check concerns me, because if the signing service selects a mainkey that is not a signing key, then GPG is free to select a signing subkey, which means that a package signed by an old subkey would not be resigned by a new subkey because the package_signing_fingerprint matches.

So we might want to figure out how to track the actual signing fingerprint and not just the mainkey fingerprint.

That is, however, a separate concern from this PR

@daviddavis daviddavis May 6, 2026
So the issue is that a repo has a fingerprint for A for the package signing service, and the package was previously signed by the signing service using subkey A1, and now it is signing with key A2? I don't know how there's a way for Pulp to know that the package signing key for the signing service changed (A1 -> A2). I would imagine that the user should set the fingerprints for A1 or A2 on the repo and not the primary key fingerprint (A). Otherwise, we could give users an option to bypass this check (like a setting).

return (package_id, str(existing_result.result_package.pk))

# create a new signed version of the package
Expand Down Expand Up @@ -222,6 +229,9 @@ def signed_add_and_remove(
repo = RpmRepository.objects.get(pk=repository_pk)

if repo.package_signing_service:
log.info(
f"Signing packages for repository {repo.name} with {repo.package_signing_service}."
)
add_content_units = set(add_content_units)
packages = list(Package.objects.filter(pk__in=add_content_units).all())
