#306 GPG checking is always disabled
Opened 4 years ago by ktdreyer. Modified 2 years ago

$ git grep gpgcheck
server/odcs/server/backend.py:gpgcheck=0
server/odcs/server/backend.py:repo_gpgcheck=0
server/odcs/server/backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0

Here are two reasons this is a problem:

1) Build system security. In some environments, we expose the compose contents via HTTP and not HTTPS. (This is because the container image must trust the HTTPS server certificate, and sometimes that HTTPS cert is signed by a non-default CA). This means there is no integrity checking at all when building images from ODCS composes.

2) Correct choice of builds. It is easy for me as a developer to make mistakes and put unsigned builds into a container. ODCS has a "signing intent" setting that should help with this, but the operations around signing builds within Koji are complicated and racy. Sometimes there are problems or corner cases I did not anticipate. As a result, the only sure way to ensure that all my builds are gold-signed is to enforce this in the container's package manager.

We would never tell regular Fedora or RHEL users to disable GPG checking on their systems. Please don't do this in ODCS either.

Related issues:
https://pagure.io/pungi/issue/487
https://github.com/containerbuildsystem/atomic-reactor/issues/588


Currently if I request an ODCS compose for a Pulp source, ODCS returns:

[rhel-8-for-x86_64-appstream-rpms]
name=rhel-8-for-x86_64-appstream-rpms
baseurl=http://pulp.example.com/content/dist/rhel8/8/x86_64/appstream/os
enabled=1
gpgcheck=0

There should be some way to enable gpgcheck like so:

[rhel-8-for-x86_64-appstream-rpms]
name=rhel-8-for-x86_64-appstream-rpms
baseurl=http://pulp.example.com/content/dist/rhel8/8/x86_64/appstream/os
enabled=1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
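The two posts above ask for two things: that ODCS emit `gpgcheck=1` with a `gpgkey` instead of hard-coding `gpgcheck=0`, and that a build system be able to tell when a generated repo file leaves package integrity unverified (especially over a plain-HTTP baseurl). The following is an added example in Python, not ODCS code: `render_repo_section` is a hypothetical replacement for the hard-coded lines that refuses to render without a key, and `audit_repo_file` is the check an operator can run over any generated `.repo` file. The function names, the `Finding` class and the sample section (copied from the compose output quoted above) are assumptions of this example.

```python
"""Render dnf/yum repo sections with GPG checking on, and audit existing ones.

Added example, not code from ODCS. ``render_repo_section`` is a hypothetical
replacement for the hard-coded ``gpgcheck=0`` lines; ``audit_repo_file`` is
the check an operator can run over any generated .repo file.
"""
import configparser
from dataclasses import dataclass
from typing import List

# Constructed sample: the section ODCS currently returns for the Pulp source
# in the comment above.
SAMPLE_ODCS_OUTPUT = """\
[rhel-8-for-x86_64-appstream-rpms]
name=rhel-8-for-x86_64-appstream-rpms
baseurl=http://pulp.example.com/content/dist/rhel8/8/x86_64/appstream/os
enabled=1
gpgcheck=0
"""


def render_repo_section(repo_id: str, name: str, baseurl: str,
                        gpgkeys: List[str], repo_gpgcheck: bool = False) -> str:
    """Return one [repo] section with package signature checking enabled.

    gpgkeys are URLs (file:///..., https://...) of the public keys the
    packages must be signed with. A section that names no key is refused:
    with gpgcheck=1 and no gpgkey, verification would depend on whatever
    keys happen to be in the build environment's rpm database.
    """
    if not gpgkeys:
        raise ValueError(f"{repo_id}: gpgcheck=1 requires at least one gpgkey")
    lines = [
        f"[{repo_id}]",
        f"name={name}",
        f"baseurl={baseurl}",
        "enabled=1",
        "gpgcheck=1",
        f"repo_gpgcheck={1 if repo_gpgcheck else 0}",
        # dnf accepts several whitespace-separated key URLs in one gpgkey value
        "gpgkey=" + " ".join(gpgkeys),
    ]
    return "\n".join(lines) + "\n"


@dataclass(frozen=True)
class Finding:
    section: str
    problem: str


def audit_repo_file(text: str) -> List[Finding]:
    """Return one Finding per integrity problem found in the repo file.

    A missing gpgcheck/repo_gpgcheck is treated as disabled (the conservative
    reading: a generated repo file should not rely on [main] defaults).
    """
    # Only '=' as delimiter so URLs containing ':' are never split on it.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings: List[Finding] = []
    for section in parser.sections():
        opts = parser[section]
        pkg_check = opts.getboolean("gpgcheck", fallback=False)
        meta_check = opts.getboolean("repo_gpgcheck", fallback=False)
        gpgkey = opts.get("gpgkey", fallback="").strip()
        baseurl = opts.get("baseurl", fallback="").strip()
        plain_http = baseurl.lower().startswith("http://")

        if not pkg_check:
            problem = "gpgcheck is disabled: package signatures are never verified"
            if plain_http:
                problem += ("; baseurl is plain HTTP, so there is no integrity "
                            "protection at all")
            findings.append(Finding(section, problem))
        elif not gpgkey:
            findings.append(Finding(section, "gpgcheck=1 but no gpgkey: "
                            "verification depends on keys already in the rpm database"))
        if plain_http and not meta_check:
            findings.append(Finding(section, "repository metadata is fetched over "
                            "plain HTTP without repo_gpgcheck"))
    return findings


if __name__ == "__main__":
    for f in audit_repo_file(SAMPLE_ODCS_OUTPUT):
        print(f"[{f.section}] {f.problem}")
    print(render_repo_section(
        "rhel-8-for-x86_64-appstream-rpms", "rhel-8-for-x86_64-appstream-rpms",
        "http://pulp.example.com/content/dist/rhel8/8/x86_64/appstream/os",
        ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"], repo_gpgcheck=True))
```

Run stand-alone, the script reports the two problems in the current ODCS output (unverified packages over plain HTTP, and unsigned metadata over plain HTTP), then prints a section that passes the audit. The auditor reads values through `configparser`, so it accepts the `gpgcheck = 1` spelling from the comment above as well as `gpgcheck=1`.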
