Repository GPG keys are not used for image builds via Cloud API

[thozza]

When images are built via Cloud API, the list of repositories to be used for the image build is part of the ImageRequest. However the Repository object does not include GPGKey property:

osbuild-composer/internal/cloudapi/openapi.gen.go

Lines 171 to 176 in 54a458a

	type Repository struct {
	Baseurl *string `json:"baseurl,omitempty"`
	Metalink *string `json:"metalink,omitempty"`
	Mirrorlist *string `json:"mirrorlist,omitempty"`
	Rhsm bool `json:"rhsm"`
	}

As a result, no GPG key is copied over to rpmmd.RepoConfig structures when a new Cloud API compose request is processed:

osbuild-composer/internal/cloudapi/server.go

Lines 113 to 127 in 54a458a

	repositories := make([]rpmmd.RepoConfig, len(ir.Repositories))
	for j, repo := range ir.Repositories {
	repositories[j].RHSM = repo.Rhsm
	if repo.Baseurl != nil {
	repositories[j].BaseURL = *repo.Baseurl
	} else if repo.Mirrorlist != nil {
	repositories[j].MirrorList = *repo.Mirrorlist
	} else if repo.Metalink != nil {
	repositories[j].Metalink = *repo.Metalink
	} else {
	http.Error(w, "Must specify baseurl, mirrorlist, or metalink", http.StatusBadRequest)
	return
	}
	}

Such rpmmd.RepoConfig list is then passed to imageType.Manifest(), which produces Manifest to be used by osbuild. As a result, no GPG keys are used in the resulting org.osbuild.rpm stage of the Manifest and the GPG signatures of the installed RPMs are not checked at all when osbuild builds the image. Also no GPG keys are imported into the RPM database during the image build.

[thozza]

After a discussion on team's Telegram, the conclusion was that we should aim for verification of RPM repository metadata signatures. However repo metadata are currently not signed for all of the distributions supported by composer.

The API could include just a single list of GPG keys, which can be used for verification of RPM and repo metadata. This is compliant with what DNF does. A RPM repository definition can contain only a single gpgkey item, which may be a list of URLs described as URLs of a GPG key files that can be used for signing metadata and packages of this repository .... Therefore if we change the Cloud API in a similar way, it should be prepared also for a case when we start verifying repo metadata in addition (or instead) of RPM signatures.

A note from @teg:

• In the future, we could introduce an option to select between metadata or rpm verification. We only ever need one, and the choice should be explicit, so a Boolean would be fine.
• The Boolean should default to verifying repo metadata, and the rpm verification should be opt-in. To nudge people in the right direction.

[github-actions]

This issue is stale because it had no activity for the past 365 days. Remove the "Stale" label or add a comment, otherwise this issue will be closed in 30 days.