#8882 Directly integrate custodia
Opened 6 months ago by rcritten. Modified 6 months ago


IPA uses custodia, a general-purpose secret handler, to store passwords and private keys used within IPA.

custodia upstream hasn't seen a release in several years and runs the risk of bit-rotting.

Rather than rely on it as an external component integrate it directly into IPA server so we can keep a closer eye on it. No other packages in Fedora relies on it.

Upstream: https://github.com/latchset/custodia

By integrating it soon into IPA the standalone package can be dropped in c9s and in Fedora.

PR https://github.com/freeipa/freeipa/pull/5831 adds a subset of Custodia as ipaserver.custodia subpackage. CLI, IPA integration, sqlite store, and Python 2 support are removed. I did not include upstream tests. They need to be rewritten. Custodia tests use unittests package but IPA no longer accepts unittest-based tests.


  • 1e98f31 Add Custodia 0.6.0 to ipaserver package
  • d27f01b Remove unused Custodia modules
  • a4631b7 Fix Custodia imports
  • e1abfe0 Fix Custodia pylint issues
  • c27233e Remove more unused Custodia code
  • 470bb6e Add Custodia tests
  • e6f09c1 Also drop Custodia client and forwarder


  • 1be15d2 Add Custodia 0.6.0 to ipaserver package
  • d804f1f Remove unused Custodia modules
  • 02ece29 Fix Custodia imports
  • 0ec775f Fix Custodia pylint issues
  • 7cb2c89 Remove more unused Custodia code
  • cde5e2d Add Custodia tests
  • 62647ff Also drop Custodia client and forwarder

Login to comment on this ticket.