Satellite / SAT-16359

[RFE] Provide an option for custom repositories that only allows packages signed by the defined GPG key to be uploaded/synced into the repository on Satellite


      1. Proposed title of this feature request
      Provide an option for custom repositories that only allows packages signed by the defined GPG key to be uploaded/synced into the repository on Satellite.

      3. What is the nature and description of the request?
      Today, a repository in Satellite can have GPG keys assigned so that clients can verify packages during installation. There is no mechanism that ensures only signed packages are included in that repository.
      That means a client can override package signature checking during installation of a specific package. To prevent this, a mechanism in Pulp that verifies packages during the repository sync, before they are included in Satellite, would help.
      That would prevent clients from having access to unsigned/unwanted packages anywhere in the Satellite infrastructure.

      4. Why does the customer need this? (List the business requirements here)
      To increase security: only signed packages may be installed, which enables a trusted supply chain.

      5. How would the customer like to achieve this? (List the functional requirements here)

      • In Satellite, an option should be present to block all unsigned packages for custom repositories
      • optional: this feature can be enabled globally or per repository
      • When the source repository contains unsigned packages, the sync mechanism shows warnings listing those packages, while all other packages are synced
      • optional/benefit: the customer should be pointed to documentation on how to sign packages

      6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      • Use a source repository that contains both signed and unsigned packages
      • On Satellite repository sync, only the signed packages are included in Satellite, and a warning is shown for every unsigned package
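      The following is an added example, not Pulp or Satellite code, of the sync-time gate described in the functional requirements (section 5) and the acceptance test (section 6): it classifies each fetched RPM by the key that signed it, accepts only packages signed by the configured key, and collects a warning for every unsigned or foreign-signed package. It assumes the RPMs have already been fetched to a local directory, and it reads the signature summary with `rpm -qp --qf '%{SIGPGP:pgpsig}|%{RSAHEADER:pgpsig}'`, whose output is either `(none)` or a string ending in `Key ID <16 hex digits>`. The sample summaries and key ID at the bottom are constructed for illustration.

```python
"""Sync-time RPM signature gate (added example; not Pulp/Satellite code)."""
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Set, Tuple

# rpm prints e.g. "RSA/SHA256, Mon 09 Aug 2021 05:11:43 PM UTC, Key ID 199e2f91fd431d51"
KEYID_RE = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)

# Query format: package signature tag and header signature tag, separated by '|'.
SIG_QUERY_FORMAT = "%{SIGPGP:pgpsig}|%{RSAHEADER:pgpsig}"


@dataclass
class Verdict:
    package: str
    status: str            # "trusted", "untrusted-key" or "unsigned"
    key_id: Optional[str]  # lower-case 16-hex key ID, or None when unsigned


def classify(package: str, sig_summary: str, allowed_key_ids: Set[str]) -> Verdict:
    """Classify one package from its rpm signature summary string.

    "(none)|(none)" means the package carries no OpenPGP signature at all.
    A signature by a key outside allowed_key_ids is reported as untrusted-key
    and is excluded from the sync just like an unsigned package.
    """
    match = KEYID_RE.search(sig_summary)
    if match is None:
        return Verdict(package, "unsigned", None)
    key_id = match.group(1).lower()
    if key_id in {k.lower() for k in allowed_key_ids}:
        return Verdict(package, "trusted", key_id)
    return Verdict(package, "untrusted-key", key_id)


def gate(entries: Iterable[Tuple[str, str]],
         allowed_key_ids: Set[str]) -> Tuple[List[str], List[Verdict]]:
    """Split (package, sig_summary) pairs into accepted names and warned verdicts."""
    accepted: List[str] = []
    warnings: List[Verdict] = []
    for package, summary in entries:
        verdict = classify(package, summary, allowed_key_ids)
        if verdict.status == "trusted":
            accepted.append(package)
        else:
            warnings.append(verdict)
    return accepted, warnings


def rpm_sig_summary(path: Path) -> str:
    """Ask the rpm CLI for a package's signature summary (requires rpm on PATH)."""
    result = subprocess.run(
        ["rpm", "-qp", "--qf", SIG_QUERY_FORMAT, str(path)],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def sync_directory(repo_dir: str, allowed_key_ids: Set[str]) -> Tuple[List[str], List[Verdict]]:
    """Gate every *.rpm in a fetched directory; accepted packages may be published."""
    entries = [(p.name, rpm_sig_summary(p)) for p in sorted(Path(repo_dir).glob("*.rpm"))]
    return gate(entries, allowed_key_ids)


# Constructed sample data: one trusted, one signed by another key, one unsigned.
ALLOWED_KEY_IDS = {"199e2f91fd431d51"}          # hypothetical repository key ID
SAMPLE_ENTRIES = [
    ("good-1.0-1.noarch.rpm",
     "RSA/SHA256, Mon 09 Aug 2021 05:11:43 PM UTC, Key ID 199E2F91FD431D51|"
     "RSA/SHA256, Mon 09 Aug 2021 05:11:43 PM UTC, Key ID 199e2f91fd431d51"),
    ("foreign-2.3-1.x86_64.rpm",
     "RSA/SHA256, Tue 10 Aug 2021 09:00:00 AM UTC, Key ID 0123456789abcdef|(none)"),
    ("unsigned-0.1-1.noarch.rpm", "(none)|(none)"),
]


def demo() -> Tuple[List[str], List[Verdict]]:
    """Run the gate over the constructed sample instead of a real directory."""
    accepted, warnings = gate(SAMPLE_ENTRIES, ALLOWED_KEY_IDS)
    for v in warnings:
        print(f"WARNING: {v.package} not synced ({v.status}, key {v.key_id})")
    return accepted, warnings


if __name__ == "__main__":
    demo()
```

      Matching the Key ID is only the selection step; before publishing, the accepted packages still need their signatures verified cryptographically against the imported key (for example with `rpmkeys --checksig`), since the key ID string in the header is not proof that the signature validates.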

      7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
      no

      8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
      no

      9. Is the sales team involved in this request and do they have any additional input?
      no

      10. List any affected packages or components.
      satellite
      pulp

      11. Would the customer be able to assist in testing this functionality if implemented?
      yes

              Assignee: Unassigned
              Reporter: Steffen Frömer (rhn-support-sfroemer)
              Votes: 1
              Watchers: 4