Sign packages when modifying repo content

Assisted By: GPT-5.1-Codex

fixes #1300

Author: daviddavis

docs/user/guides/sign_packages.md

@@ -1,8 +1,8 @@
 # Sign Debian Packages
 
-Sign a Debian package using a registered APT package signing service.
+Sign a Debian package using a registered package signing service.
 
-Currently, only on-upload signing is supported.
+Currently, only signing on upload and when modifying a repo's content are supported.
 
 ## On Upload
 

pulp_deb/app/migrations/0035_add_deb_package_signing_result.py

@@ -0,0 +1,32 @@
+# Generated by Django 4.2.27 on 2025-12-29 19:23
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0145_domainize_import_export'),
+        ('deb', '0034_package_signing'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DebPackageSigningResult',
+            fields=[
+                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, primary_key=True, serialize=False)),
+                ('pulp_created', models.DateTimeField(auto_now_add=True)),
+                ('pulp_last_updated', models.DateTimeField(auto_now=True, null=True)),
+                ('sha256', models.TextField(max_length=64)),
+                ('package_signing_fingerprint', models.TextField(max_length=40)),
+                ('result', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='core.content')),
+            ],
+            options={
+                'unique_together': {('sha256', 'package_signing_fingerprint')},
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]

pulp_deb/app/models/signing_service.py

@@ -7,7 +7,20 @@
 from typing import Optional
 
 import gnupg
-from pulpcore.plugin.models import SigningService
+from django.db import models
+from pulpcore.plugin.models import BaseModel, Content, SigningService
+
+
+class UnsignedPackage(Exception):
+    """Raised when a deb package is unsigned and has no _gpgorigin signature."""
+
+
+class InvalidSignature(Exception):
+    """When GPG verification fails due to the signature (NO_PUBKEY, EXPSIG, etc)."""
+
+
+class FingerprintMismatch(Exception):
+    """Raised when a deb package is signed with a different key fingerprint."""
 
 
 def prepare_gpg(temp_directory_name, public_key, pubkey_fingerprint):
@@ -212,22 +225,22 @@ def validate(self):
             except KeyError:
                 raise Exception(f"Malformed output from signing script: {return_value}")
 
-            # Prepare GPG:
+            self.validate_signature(signed_deb)
+
+    def validate_signature(self, deb_package_path: str):
+        """Validate that the deb package is signed with our pubkey."""
+        with tempfile.TemporaryDirectory() as temp_directory_name:
             gpg = prepare_gpg(temp_directory_name, self.public_key, self.pubkey_fingerprint)
 
-            self._validate_deb_package(
-                signed_deb, self.pubkey_fingerprint, temp_directory_name, gpg
+            self._check_deb_signature(
+                deb_package_path, self.pubkey_fingerprint, temp_directory_name, gpg
             )
 
     @staticmethod
-    def _validate_deb_package(
-        deb_package_path: str, pubkey_fingerprint: str, temp_directory_name: str, gpg: gnupg.GPG
+    def _check_deb_signature(
+        deb_package_path: str, fingerprint: str, temp_directory_name: str, gpg: gnupg.GPG
     ):
-        """
-        Validate that the deb package at @deb_package_path is correctly signed.
-
-        This is a placeholder for future validation logic if needed.
-        """
+        """Check the deb package signature matches the provided fingerprint."""
         # unpack the archive
         cmd = ["ar", "x", deb_package_path]
         res = subprocess.run(cmd, cwd=temp_directory_name, capture_output=True)
@@ -247,16 +260,29 @@ def _validate_deb_package(
         # verify combined data with _gpgorigin detached signature
         gpgorigin_path = temp_dir / "_gpgorigin"
         if not gpgorigin_path.exists():
-            raise Exception(
+            raise UnsignedPackage(
                 f"_gpgorigin file not found for {deb_package_path}. Package is unsigned."
             )
         with gpgorigin_path.open("rb") as gpgorigin:
             verified = gpg.verify_file(gpgorigin, str(temp_dir / "combined"))
             if not verified.valid:
-                raise Exception(
+                raise InvalidSignature(
                     f"GPG Verification of the signed package {deb_package_path} failed!"
                 )
-            if verified.pubkey_fingerprint != pubkey_fingerprint:
-                raise Exception(
+            if verified.pubkey_fingerprint != fingerprint:
+                raise FingerprintMismatch(
                     f"'{deb_package_path}' appears to have been signed using the wrong key!"
                 )
+
+
+class DebPackageSigningResult(BaseModel):
+    """
+    A model used for storing the result of signing a deb package.
+    """
+
+    sha256 = models.TextField(max_length=64)
+    package_signing_fingerprint = models.TextField(max_length=40)
+    result = models.ForeignKey(Content, on_delete=models.CASCADE)
+
+    class Meta:
+        unique_together = ("sha256", "package_signing_fingerprint")

pulp_deb/app/tasks/__init__.py

@@ -2,3 +2,4 @@
 from .publishing import publish, publish_verbatim
 from .synchronizing import synchronize
 from .copy import copy_content
+from .signing import sign_and_create, signed_add_and_remove

pulp_deb/app/tasks/signing.py

@@ -1,11 +1,25 @@
 from pathlib import Path
 from tempfile import NamedTemporaryFile
 
-from pulpcore.plugin.models import Upload, UploadChunk, Artifact, CreatedResource, PulpTemporaryFile
-from pulpcore.plugin.tasking import general_create
+from pulpcore.plugin.models import (
+    Upload,
+    UploadChunk,
+    Artifact,
+    ContentArtifact,
+    CreatedResource,
+    PulpTemporaryFile,
+)
+from pulpcore.plugin.tasking import add_and_remove, general_create
 from pulpcore.plugin.util import get_url
 
-from pulp_deb.app.models.signing_service import AptPackageSigningService
+from pulp_deb.app.models.signing_service import (
+    AptPackageSigningService,
+    DebPackageSigningResult,
+    FingerprintMismatch,
+    InvalidSignature,
+    UnsignedPackage,
+)
+from pulp_deb.app.models import AptRepository, Package, PackageReleaseComponent
 
 
 def _save_file(fileobj, final_package):
@@ -22,6 +36,18 @@ def _save_upload(uploadobj, final_package):
     final_package.flush()
 
 
+def _sign_file(package_file, signing_service, signing_fingerprint):
+    result = signing_service.sign(package_file.name, pubkey_fingerprint=signing_fingerprint)
+    signed_package_path = Path(result["deb_package"])
+    if not signed_package_path.exists():
+        raise Exception(f"Signing script did not create the signed package: {result}")
+    artifact = Artifact.init_and_validate(str(signed_package_path))
+    artifact.save()
+    resource = CreatedResource(content_object=artifact)
+    resource.save()
+    return artifact
+
+
 def sign_and_create(
     app_label,
     serializer_name,
@@ -43,16 +69,7 @@ def sign_and_create(
             uploaded_package = Upload.objects.get(pk=temporary_file_pk)
             _save_upload(uploaded_package, final_package)
 
-        result = package_signing_service.sign(
-            final_package.name, pubkey_fingerprint=signing_fingerprint
-        )
-        signed_package_path = Path(result["deb_package"])
-        if not signed_package_path.exists():
-            raise Exception(f"Signing script did not create the signed package: {result}")
-        artifact = Artifact.init_and_validate(str(signed_package_path))
-        artifact.save()
-        resource = CreatedResource(content_object=artifact)
-        resource.save()
+        artifact = _sign_file(final_package, package_signing_service, signing_fingerprint)
     uploaded_package.delete()
     # Create Package content
     data["artifact"] = get_url(artifact)
@@ -64,3 +81,89 @@ def sign_and_create(
     if "upload" in data:
         del data["upload"]
     general_create(app_label, serializer_name, data=data, context=context, *args, **kwargs)
+
+
+def _update_content_units(content_units, old_pk, new_pk):
+    while str(old_pk) in content_units:
+        content_units.remove(str(old_pk))
+
+    if str(new_pk) not in content_units:
+        content_units.append(str(new_pk))
+
+    # Repoint PackageReleaseComponents included in this transaction to the new package.
+    for prc in PackageReleaseComponent.objects.filter(pk__in=content_units, package_id=old_pk):
+        new_prc, _ = PackageReleaseComponent.objects.get_or_create(
+            release_component=prc.release_component,
+            package_id=new_pk,
+            _pulp_domain=prc._pulp_domain,
+        )
+
+        while str(prc.pk) in content_units:
+            content_units.remove(str(prc.pk))
+
+        if str(new_prc.pk) not in content_units:
+            content_units.append(str(new_prc.pk))
+
+
+def _check_package_signature(repository, package_path):
+    try:
+        repository.package_signing_service.validate_signature(package_path)
+    except (UnsignedPackage, InvalidSignature, FingerprintMismatch):
+        return False
+
+    return True
+
+
+def signed_add_and_remove(
+    repository_pk, add_content_units, remove_content_units, base_version_pk=None
+):
+    repo = AptRepository.objects.get(pk=repository_pk)
+
+    if repo.package_signing_service:
+        # sign each package and replace it in the add_content_units list
+        for package in Package.objects.filter(pk__in=add_content_units):
+            content_artifact = package.contentartifact_set.first()
+            artifact_obj = content_artifact.artifact
+            package_id = package.pk
+
+            with NamedTemporaryFile(mode="wb", dir=".", delete=False) as final_package:
+                artifact_file = artifact_obj.file
+                _save_file(artifact_file, final_package)
+
+                # check if the package is already signed with our fingerprint
+                if _check_package_signature(repo, final_package.name):
+                    continue
+
+                # check if the package has been signed in the past with our fingerprint
+                if existing_result := DebPackageSigningResult.objects.filter(
+                    sha256=content_artifact.artifact.sha256,
+                    package_signing_fingerprint=repo.package_signing_fingerprint,
+                ).first():
+                    _update_content_units(add_content_units, package_id, existing_result.result.pk)
+                    continue
+
+                # create a new signed version of the package
+                artifact = _sign_file(
+                    final_package, repo.package_signing_service, repo.package_signing_fingerprint
+                )
+                signed_package = package
+                signed_package.pk = None
+                signed_package.pulp_id = None
+                signed_package.sha256 = artifact.sha256
+                signed_package.save()
+                ContentArtifact.objects.create(
+                    artifact=artifact,
+                    content=signed_package,
+                    relative_path=content_artifact.relative_path,
+                )
+                DebPackageSigningResult.objects.create(
+                    sha256=artifact_obj.sha256,
+                    package_signing_fingerprint=repo.package_signing_fingerprint,
+                    result=signed_package,
+                )
+
+                _update_content_units(add_content_units, package_id, signed_package.pk)
+                resource = CreatedResource(content_object=signed_package)
+                resource.save()
+
+    return add_and_remove(repository_pk, add_content_units, remove_content_units, base_version_pk)

pulp_deb/app/viewsets/content.py

@@ -21,7 +21,7 @@
 from drf_spectacular.utils import extend_schema
 
 from pulp_deb.app import models, serializers
-from pulp_deb.app.tasks import signing as deb_sign
+from pulp_deb.app.tasks import sign_and_create
 
 
 class GenericContentFilter(ContentFilter):
@@ -312,7 +312,7 @@ def create(self, request):
             serializer.validated_data.get("repository"),
         ]
         task = dispatch(
-            deb_sign.sign_and_create,
+            sign_and_create,
             exclusive_resources=task_exclusive,
             args=tuple(task_args.values()),
             kwargs={

pulp_deb/app/viewsets/repository.py

@@ -8,14 +8,15 @@
 from pulp_deb.app.models.content.content import Package
 from pulp_deb.app.models.content.structure_content import PackageReleaseComponent
 from pulp_deb.app.serializers import AptRepositorySyncURLSerializer
+from pulp_deb.app.tasks import signed_add_and_remove
 
 from pulpcore.plugin.util import extract_pk, get_url
 from pulpcore.plugin.actions import ModifyRepositoryActionMixin
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
     RepositoryAddRemoveContentSerializer,
 )
-from pulpcore.plugin.models import RepositoryVersion
+from pulpcore.plugin.models import ContentArtifact, RepositoryVersion
 from pulpcore.plugin.tasking import dispatch
 from pulpcore.plugin.viewsets import (
     OperationPostponedResponse,
@@ -29,6 +30,8 @@
 
 
 class AptModifyRepositoryActionMixin(ModifyRepositoryActionMixin):
+    modify_task = signed_add_and_remove
+
     @extend_schema(
         description="Trigger an asynchronous task to create a new repository version.",
         summary="Modify Repository Content",
@@ -37,13 +40,25 @@ class AptModifyRepositoryActionMixin(ModifyRepositoryActionMixin):
     @action(detail=True, methods=["post"], serializer_class=RepositoryAddRemoveContentSerializer)
     def modify(self, request, pk):
         remove_content_units = request.data.get("remove_content_units", [])
-        package_hrefs = [href for href in remove_content_units if "/packages/" in href]
+        remove_package_hrefs = [href for href in remove_content_units if "/packages/" in href]
 
-        if package_hrefs:
-            prc_hrefs = self._get_matching_prc_hrefs(package_hrefs)
+        if remove_package_hrefs:
+            prc_hrefs = self._get_matching_prc_hrefs(remove_package_hrefs)
             remove_content_units.extend(prc_hrefs)
             request.data["remove_content_units"] = remove_content_units
 
+        add_content_units = request.data.get("add_content_units", [])
+        package_ids = [extract_pk(href) for href in add_content_units if "/packages/" in href]
+        repository = self.get_object()
+        if add_content_units and repository.package_signing_service:
+            ondemand_ca = ContentArtifact.objects.filter(
+                content_id__in=package_ids, artifact__isnull=True
+            )
+            if ondemand_ca.count() > 0:
+                raise DRFValidationError(
+                    _("Cannot add on-demand content to repo with set package signing service.")
+                )
+
         return super().modify(request, pk)
 
     def _get_matching_prc_hrefs(self, package_hrefs):
@@ -345,9 +360,9 @@ def _process_config(self, config):
                         number=entry["dest_base_version"]
                     ).pk
                 except RepositoryVersion.DoesNotExist:
-                    message = _(
-                        "Version {version} does not exist for repository " "'{repo}'."
-                    ).format(version=entry["dest_base_version"], repo=dest_repo.name)
+                    message = _("Version {version} does not exist for repository '{repo}'.").format(
+                        version=entry["dest_base_version"], repo=dest_repo.name
+                    )
                     raise DRFValidationError(detail=message)
 
             if entry.get("content") is not None: