
PGP: Use new librepo PGP API, remove gpgme dependency #166

Merged

Conversation

jrohel
Contributor

@jrohel jrohel commented Nov 23, 2022

Librepo internally uses gpgme to work with PGP keys. Libdnf used the librepo keyring directly via gpgme instead of using the librepo API. It had to, the librepo API was insufficient.

Librepo in version 1.15.0 extended the PGP API.
This commit uses the extended librepo PGP API and removes libdnf's dependency on gpgme.

PR also adds support for any number of user IDs in a PGP key.

This PR requires new librepo PGP API PR rpm-software-management/librepo#266 .

@mcurlej mcurlej added this to the Fedora 38 milestone Nov 24, 2022
Librepo internally uses gpgme to work with PGP keys. Libdnf used the librepo
keyring directly via gpgme instead of using the librepo API. It had to,
the librepo API was insufficient.

Librepo in version 1.15.0 extended the PGP API.
This commit uses the extended librepo PGP API and removes libdnf's
dependency on gpgme.
Libdnf no longer uses gpgme. Leaving the "gpgme" strings would be misleading.
raw_key is a string in ASCII-Armor format. It makes sense to store
in std::string rather than converting to vector.
Previously, only one user ID per key was supported.
@jrohel jrohel force-pushed the feature/use_librepo_PGP_API branch from bec1753 to ded8512 on November 25, 2022 11:41
@jan-kolarik jan-kolarik self-assigned this Nov 28, 2022
@@ -799,7 +803,7 @@ bool Context::check_gpg_signatures(const libdnf::base::Transaction & transaction
void Context::download_and_run(libdnf::base::Transaction & transaction) {
download_packages(transaction, nullptr);

std::cout << std::endl << "Verifying GPG signatures" << std::endl;
std::cout << std::endl << "Verifying PGP signatures" << std::endl;
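Review bot: the hunk renames only the user-visible string while the enclosing function shown in the hunk header is still `check_gpg_signatures`, so output and identifiers in context.cpp now disagree on the naming; either rename the function and the remaining GPG occurrences in the same change, or keep this commit limited to output and say so in the commit message. Since the discussion below notes that PGP is the name of a program and OpenPGP is the standard, "Verifying OpenPGP signatures" would avoid a second rename later.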
Member


When changing all output from GPG -> PGP, maybe also the line 748 here in the context.cpp?

@jan-kolarik
Member

Since we are starting with the DNF5, could we also change other occurrences of GPG -> PGP, also in options, etc.? It is quite confusing. Now it seems consistent on the output, but lot of internals and configurations are still referencing GPGs. Or do we differentiate these for some specific usages in the code?

@jan-kolarik
Member

Also another question related to builds. We don't have the new librepo release yet, so merging this will result in package build tests failing until that. Are we OK with that or should we wait for the release?

@kontura
Contributor

kontura commented Nov 30, 2022

Also another question related to builds. We don't have the new librepo release yet, so merging this will result in package build tests failing until that. Are we OK with that or should we wait for the release?

The CI is taking builds from nightly so it should work tomorrow (librepo 1.15.0 will be available in nightly repo).
We could even run the workflow builds manually now if you want.

@pmatilai
Member

Since we are starting with the DNF5, could we also change other occurrences of GPG -> PGP, also in options, etc.?

PGP is not really any better than GPG, because PGP is the name of the commercial software. Use OpenPGP when referring to the standard.

@jrohel
Contributor Author

jrohel commented Nov 30, 2022

@pmatilai
PGP (Pretty Good Privacy) is a program.
GnuPG (GNU Privacy Guard, also known as GPG) is a program.
And OpenPGP is the standard.

What are the keys called? OpenPGP keys? Or PGP keys? Or GPG keys?

When I go through the OpenPGP standard, the Armor Header Line can contain:
PGP MESSAGES; PGP PUBLIC KEY BLOCK; PGP PRIVATE KEY BLOCK; PGP MESSAGE, PART X/Y; PGP MESSAGES, PART X; PGP SIGNATURE

So I chose PGP. But we can discuss where to change PGP to OpenPGP. Because you're right, PGP is a program. In addition, PGP is also a trademark.
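Added example, not code from libdnf, librepo or this PR: a small validator for the ASCII-armor layout that `raw_key` is stored in, written in C++ to match the project and using the armor header types jrohel quotes above (RFC 4880 section 6.2). It checks that the BEGIN and END lines carry the same known armor type and separates armor headers, base64 body and the optional CRC line, so a malformed or mismatched block is rejected before any key material is handed to a keyring; the sample block is constructed and contains no real key.

```cpp
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Parsed form of one ASCII-armored OpenPGP block (RFC 4880, section 6.2). Input is assumed LF-terminated.
struct ArmorBlock {
    std::string type;                  // armor type, e.g. "PGP PUBLIC KEY BLOCK"
    std::vector<std::string> headers;  // "Key: Value" lines before the blank line
    std::string body;                  // base64 payload with line breaks removed
    std::string checksum;              // optional CRC24 line without the leading '='
};
// Armor types listed in RFC 4880; multi-part messages put "X/Y" or "X" after "PART ".
static bool known_armor_type(const std::string & type) {
    static const char * const exact[] = {
        "PGP MESSAGE", "PGP PUBLIC KEY BLOCK", "PGP PRIVATE KEY BLOCK", "PGP SIGNATURE"};
    for (const char * t : exact) if (type == t) return true;
    return type.rfind("PGP MESSAGE, PART ", 0) == 0;
}
// Returns the parsed block, or std::nullopt when the armor is malformed.
std::optional<ArmorBlock> parse_armor(const std::string & text) {
    const std::string begin = "-----BEGIN ", end = "-----END ", dashes = "-----";
    std::istringstream in(text);
    std::string line; ArmorBlock block;
    // Armor Header Line: "-----BEGIN <type>-----"
    if (!std::getline(in, line) || line.rfind(begin, 0) != 0 || line.size() < begin.size() + dashes.size() ||
        line.compare(line.size() - dashes.size(), dashes.size(), dashes) != 0)
        return std::nullopt;
    block.type = line.substr(begin.size(), line.size() - begin.size() - dashes.size());
    if (!known_armor_type(block.type)) return std::nullopt;
    // Armor Headers up to the first empty line; each must look like "Key: Value"
    while (std::getline(in, line) && !line.empty()) {
        if (line.find(": ") == std::string::npos) return std::nullopt;
        block.headers.push_back(line);
    }
    // Base64 body, optional "=CRC24" line, then the Armor Tail, which must repeat the type
    bool tail_ok = false;
    while (std::getline(in, line)) {
        if (line.rfind(end, 0) == 0) { tail_ok = (line == end + block.type + dashes); break; }
        if (!line.empty() && line[0] == '=') block.checksum = line.substr(1);
        else block.body += line;
    }
    if (!tail_ok) return std::nullopt;
    return block;
}

// Constructed sample for demonstration; the base64 body is filler, not a real key.
const std::string kSampleArmor = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed-sample\n\n"
                                 "mQENBF\nAAAA==\n=abcd\n-----END PGP PUBLIC KEY BLOCK-----\n";
```

The checksum is only extracted here, not verified; a CRC24 check over the decoded body would be the next step before accepting the block.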

@pmatilai
Member

Everything is OpenPGP, including keys and signatures. The ASCII armor has "PGP" as a remnant from its origins in the PGP program, preserved for compatibility I'd think.

@jan-kolarik
Member

I created a new issue for deciding about the naming problem. Here we could just fix the single mentioned occurrence of the GPG in the output from context.cpp, but it could be also deferred.

I will wait for tomorrow when new librepo snapshot is ready, check the tests and I am for merging this.

@jan-kolarik jan-kolarik merged commit b990407 into rpm-software-management:main Dec 5, 2022