[Security][Enhancement] GPG signatures passthrough

[Aeris1One]

Hi, thanks for your software, it's really useful to simplify private mirror maintenance.

Currently in mirror mode, repomanager downloads packages from the central repository, verifies the GPG signature, and then re-signs the packages with its own key.
Would it be possible to retain the original GPG signature instead of resigning with the local key ?

This would avoid the need to MitM ourselves by adding a trusted pubkey on all of our systems, thus trusting only the upstream GPG key instead of trusting the GPG key of our mirror that itself trusts the upstream key, doubling attack surface.

[lbr38]

Hello

What if you just uncheck the SIGN WITH GPG parameter when creating a mirror?

[Aeris1One]

For APT repos, it makes them unsigned (by either not downloading or removing signature-related files, like Release.gpg).
What would be best is downloading/serving upstream InRelease and Release.gpg files, and .dsc package metadata signed files, keeping signature from upstream intact.

I can't tell how signature is done in RPM repos though.

[lbr38]

Okay I see what you mean. You would like Repomanager to be like an identical mirror of the source. Unfortunately, it was not designed quite for that, but rather to be the main, trusted repository server for all clients. Adding an option to make it an identical mirror involves many changes. For now, I cannot guarantee that I will add such option.

I can't tell how signature is done in RPM repos though.

For rpm, the packages themselves are signed. For apt, it is the Release file that is signed.