Move installed gpg keys to the currently configured storage

[ffesti]

Pratically we only really support gpg-pubkey packages as storage for pgp keys. If we support more backends in earnest we need a way to move keys from one storage backend to another to prevent users needing to re-import the keys.

This should probably be done completely automatically to make transition from one default to another easy and seamless. Alternatively would could offer a way to export the keys to a script(let) could export them, switch the default and then re- import the keys. While adding support to export keys may seem useful (although may not really needed if stored on disk anyway) doing the transition within rpm itself if probably less hassle and saver.

[pmatilai]

Right, we could have a keystore "rebuild" mode akin to how rpmdb backend can be changed by rebuilding it.

I was pretty much thinking of just letting users reimport the keys though - a distro user will only see 4.x -> 6.x and the associated keystore change when upgrading their distro, and at least in Fedora each version has their own key so lots of unused cruft accumulates over time. My home server has keys from eight different Fedora versions imported.

[pmatilai]

Such a rebuild mode serves as a cleanup operation too - just like with the rpmdb. And just like --rebuilddb I think the keystore rebuild should

• drop any keys it cannot load (which in this context is rather obvious), with a warning
• be able to convert from one keystore to another
• ...including the original format for a simple "rebuild" behavior

[ffesti]

Hmm, the question is on how to do that in a save way. E.g. for the database backend there is no clean slate to start from. We ofc could remove all gpgpubkey packages and then add the loaded keys back. But that leaves things very vulnerable inbetween.

The file based backends can at least save stuff elsewhere by manipulating %_keyringpath.

Hmm, with the key store in the rpmdb directory does that survive an rpmdb --rebuild?

[pmatilai]

Yes, gpg-pubkeys do survive rpmdb --rebuild currently. But they don't get reimported so they stay in the short id mode.

[pmatilai]

For the db, I guess you could basically create an empty rpmdb in an alternative path where you put them temporarily.

[ffesti]

Should have worded this better: Do the fs backend keys survive a rpmdb --rebuild?

[pmatilai]

Oh, that. No idea.

[ffesti]

AC:

• Read keys from all supported back ends
• For file based back ends
  • create a new instance in temporary directory
  • add all keys
  • move new instance to proper place
  • delete all old key directories
  • delete all pgp-pubkey packages
• For rpmdb backend,
  • Add all keys to the rpmdb replacing existing ones
  • Remove all gpg-pubkey packages not just added
  • delete all old key directories

[pmatilai]

That AC proposal neglets to mention just how exactly this behavior is triggered, which is rather critical piece of information. Are new APIs and cli switches being added - which ones?

Stuff like "move new instance to proper place" is an uninteresting implementation detail, what we're really interested is the semantics that are also testable. For example, "add all keys" sounds like all keys get moved no matter what, but that's not what should happen, we should weed out any no longer legit keys in the process - in other words, those that fail to import. So it's more like "attempt to reimport all previously imported keys" than just "add all". And as a part of that reimport, any short keyids get converted to fingerprints - which is what we want. And on the semantic level I dont' think we should or need to differentiate between rpmdb and other backends, from rpmkeys perspective they should all behave the same.

So I think the requirements are more like

• a way to invoke keystore rebuild from the command line and API (and describe how it'll look like)
• supports moving keys between all keystores, including itself (eg rpmdb -> rpmdb)
• old invalid (expired, weak crypto, whatnot) keys are discarded in the process with a warning message
• old short keyid based keys are converted to fingerprint based ones