pulp-container 2.27.2__tar.gz → 2.27.4__tar.gz

{pulp_container-2.27.2 → pulp_container-2.27.4}/CHANGES.md

@@ -8,6 +8,27 @@
 
 [//]: # (towncrier release notes start)
 
+## 2.27.4 (2026-03-30) {: #2.27.4 }
+
+#### Bugfixes {: #2.27.4-bugfix }
+
+- Don't blow up on encountering PQC signatures.
+  [#2237](https://github.com/pulp/pulp_container/issues/2237)
+
+---
+
+## 2.27.3 (2026-03-18) {: #2.27.3 }
+
+#### Bugfixes {: #2.27.3-bugfix }
+
+- Altered several id-fields and their related sequences.
+
+  INTEGER AutoField sequences can "run out" on large/old instances, update to BIGINT.
+  [#2080](https://github.com/pulp/pulp_container/issues/2080)
+- Fixed memory usage when pushing large images with monolithic upload.
+
+---
+
 ## 2.27.2 (2026-02-24) {: #2.27.2 }
 
 #### Bugfixes {: #2.27.2-bugfix }

{pulp_container-2.27.2 → pulp_container-2.27.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-container
-Version: 2.27.2
+Version: 2.27.4
 Summary: Container plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,4 +20,5 @@ License-File: LICENSE
 Requires-Dist: jsonschema<4.26,>=4.4
 Requires-Dist: pulpcore<3.115,>=3.73.2
 Requires-Dist: pyjwt[crypto]<2.11,>=2.4
+Requires-Dist: pysequoia==0.1.32
 Dynamic: license-file

pulp_container-2.27.4/pulp_container/app/__init__.py

@@ -0,0 +1,40 @@
+from pulpcore.plugin import PulpPluginAppConfig
+from django.db import connection
+from django.db.models.signals import post_migrate
+
+update_sequences_to_bigint = """
+ALTER TABLE container_blobmanifest ALTER COLUMN id TYPE bigint;
+ALTER TABLE container_manifestlistmanifest ALTER COLUMN id TYPE bigint;
+ALTER TABLE container_containerpushrepository_pending_blobs ALTER COLUMN id TYPE bigint;
+ALTER TABLE container_containerpushrepository_pending_manifests ALTER COLUMN id TYPE bigint;
+ALTER TABLE container_containerrepository_pending_manifests ALTER COLUMN id TYPE bigint;
+ALTER TABLE container_containerrepository_pending_blobs ALTER COLUMN id TYPE bigint;
+ALTER SEQUENCE container_blobmanifest_id_seq AS BIGINT;
+ALTER SEQUENCE container_manifestlistmanifest_id_seq AS BIGINT;
+ALTER SEQUENCE container_containerpushrepository_pending_blobs_id_seq AS BIGINT;
+ALTER SEQUENCE container_containerpushrepository_pending_manifests_id_seq AS BIGINT;
+ALTER SEQUENCE container_containerrepository_pending_blobs_id_seq AS BIGINT;
+ALTER SEQUENCE container_containerrepository_pending_manifests_id_seq AS BIGINT;
+"""
+
+
+class PulpContainerPluginAppConfig(PulpPluginAppConfig):
+    """Entry point for the container plugin."""
+
+    name = "pulp_container.app"
+    label = "container"
+    version = "2.27.4"
+    python_package_name = "pulp-container"
+    domain_compatible = True
+
+    @staticmethod
+    def update_sequences(sender, **kwargs):
+        """Update database sequences to bigint type after migrations."""
+        with connection.cursor() as cursor:
+            cursor.execute(update_sequences_to_bigint)
+
+    def ready(self):
+        super().ready()
+        from . import checks
+
+        post_migrate.connect(PulpContainerPluginAppConfig.update_sequences, sender=self)

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/models.py

@@ -41,7 +41,6 @@ from pulp_container.constants import (
     SIGNATURE_TYPE,
 )
 
-
 logger = getLogger(__name__)
 
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/registry_api.py

@@ -967,24 +967,27 @@ class BlobUploads(ContainerRegistryApiMixin, ViewSet):
         """
         Create a blob from uploaded chunks.
 
-        This request makes the upload complete. It can whether carry a zero-length
-        body or last chunk can be uploaded.
+        This request makes the upload complete. It can either carry a zero-length
+        body or contain the last chunk.
 
         """
         _, repository = self.get_dr_push(request, path)
 
         digest = request.query_params["digest"]
         chunk = request.META["wsgi.input"]
-        # last chunk (and the only one) from monolitic upload
-        # or last chunk from chunked upload
-        last_chunk = ContentFile(chunk.read())
         upload = get_object_or_404(models.Upload, pk=pk, repository=repository)
 
-        if artifact := upload.artifact:
+        if upload.size == 0:
+            # monolithic upload to be completed in PUT
+            artifact = self.create_single_chunk_artifact(chunk)
+        elif artifact := upload.artifact:
+            # chunked upload was completed in PATCH
             if artifact.sha256 != digest[len("sha256:") :]:
                 raise Exception("The digest did not match")
             artifact.touch()
         else:
+            # chunked upload to be completed in PUT
+            last_chunk = ContentFile(chunk.read())
             chunks = UploadChunk.objects.filter(upload=upload).order_by("offset")
             with NamedTemporaryFile("ab") as temp_file:
                 for chunk in chunks:
@@ -1541,8 +1544,10 @@ class Signatures(ContainerRegistryApiMixin, ViewSet):
         except binascii.Error:
             raise ManifestSignatureInvalid(digest=pk)
 
-        signature_json = extract_data_from_signature(signature_raw, manifest.digest)
-        if signature_json is None:
+        try:
+            signature_json = extract_data_from_signature(signature_raw, manifest.digest)
+        except ValueError as exc:
+            log.warning("Error processing signature on upload: {}".format(exc))
             raise ManifestSignatureInvalid(digest=pk)
 
         sig_digest = hashlib.sha256(signature_raw).hexdigest()

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/serializers.py

@@ -34,7 +34,6 @@ from pulp_container.app import models, fields
 from pulp_container.constants import SIGNATURE_TYPE
 from pulp_container.app.utils import get_full_path
 
-
 VALID_SIGNATURE_NAME_REGEX = r"^sha256:[0-9a-f]{64}@[0-9a-f]{32}$"
 VALID_TAG_REGEX = r"^[A-Za-z0-9][A-Za-z0-9._-]*$"
 VALID_BASE_PATH_REGEX_COMPILED = re.compile(r"^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9])*$")
@@ -299,25 +298,21 @@ class ContainerRemoteSerializer(RemoteSerializer):
         child=serializers.CharField(max_length=255),
         allow_null=True,
         required=False,
-        help_text=_(
-            """
+        help_text=_("""
             A list of tags to include during sync.
             Wildcards *, ? are recognized.
             'include_tags' is evaluated before 'exclude_tags'.
-            """
-        ),
+            """),
     )
     exclude_tags = serializers.ListField(
         child=serializers.CharField(max_length=255),
         allow_null=True,
         required=False,
-        help_text=_(
-            """
+        help_text=_("""
             A list of tags to exclude during sync.
             Wildcards *, ? are recognized.
             'exclude_tags' is evaluated after 'include_tags'.
-            """
-        ),
+            """),
     )
 
     policy = serializers.ChoiceField(
@@ -357,25 +352,21 @@ class ContainerPullThroughRemoteSerializer(RemoteSerializer):
         child=serializers.CharField(max_length=255),
         allow_null=True,
         required=False,
-        help_text=_(
-            """
+        help_text=_("""
             A list of remotes to include during pull-through caching.
             Wildcards *, ? are recognized.
             'includes' is evaluated before 'excludes'.
-            """
-        ),
+            """),
     )
     excludes = serializers.ListField(
         child=serializers.CharField(max_length=255),
         allow_null=True,
         required=False,
-        help_text=_(
-            """
+        help_text=_("""
             A list of remotes to exclude during pull-through caching.
             Wildcards *, ? are recognized.
             'excludes' is evaluated after 'includes'.
-            """
-        ),
+            """),
     )
 
     class Meta:

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/tasks/sign.py

@@ -118,7 +118,10 @@ async def create_signature(manifest, reference, signing_service):
             data = sig_fp.read()
             encoded_sig = base64.b64encode(data).decode()
             sig_digest = hashlib.sha256(data).hexdigest()
-            sig_json = extract_data_from_signature(data, manifest.digest)
+            try:
+                sig_json = extract_data_from_signature(data, manifest.digest)
+            except ValueError:
+                raise
             manifest_digest = sig_json["critical"]["image"]["docker-manifest-digest"]
 
             signature = ManifestSignature(

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/tasks/sync_stages.py

@@ -391,8 +391,10 @@ class ContainerFirstStage(Stage):
     def _create_signature_declarative_content(
         self, signature_raw, man_dc, name=None, signature_b64=None
     ):
-        signature_json = extract_data_from_signature(signature_raw, man_dc.content.digest)
-        if signature_json is None:
+        try:
+            signature_json = extract_data_from_signature(signature_raw, man_dc.content.digest)
+        except ValueError as exc:
+            log.warning("Error processing signature on sync: {}".format(str(exc)))
             return
 
         sig_digest = hashlib.sha256(signature_raw).hexdigest()

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/tasks/synchronize.py

@@ -13,7 +13,6 @@ from pulpcore.plugin.stages import (
 from .sync_stages import ContainerFirstStage, ContainerContentSaver
 from pulp_container.app.models import ContainerRemote, ContainerRepository
 
-
 log = logging.getLogger(__name__)
 
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/utils.py

@@ -1,9 +1,6 @@
 import base64
 import hashlib
 import fnmatch
-import re
-import subprocess
-import gnupg
 import json
 import logging
 import time
@@ -15,6 +12,8 @@ from django.db import IntegrityError
 from functools import partial
 from rest_framework.exceptions import Throttled
 
+from pysequoia.packet import PacketPile, Tag
+
 from pulpcore.plugin.models import Artifact, Task
 from pulpcore.plugin.util import get_domain
 
@@ -32,9 +31,6 @@ from pulp_container.app.json_schemas import (
     SIGNATURE_SCHEMA,
 )
 
-KEY_ID_REGEX_COMPILED = re.compile(r"keyid ([0-9A-F]+)")
-TIMESTAMP_REGEX_COMPILED = re.compile(r"created ([0-9]+)")
-
 signature_validator = Draft7Validator(SIGNATURE_SCHEMA)
 
 log = logging.getLogger(__name__)
@@ -86,6 +82,20 @@ def urlpath_sanitize(*args):
     return "/".join(segments)
 
 
+def keyid_from_fingerprint(fingerprint):
+    """Derive a key ID from an OpenPGP fingerprint.
+
+    For v4 fingerprints (40 hex chars / 20 bytes), the key ID is the last 8 bytes.
+    For v6 fingerprints (64 hex chars / 32 bytes), the key ID is the first 8 bytes.
+    """
+    if len(fingerprint) == 40:
+        return fingerprint[-16:]
+    elif len(fingerprint) == 64:
+        return fingerprint[:16]
+    else:
+        raise ValueError(f"Unexpected fingerprint length: {len(fingerprint)}")
+
+
 def extract_data_from_signature(signature_raw, man_digest):
     """
     Extract data from an "integrated" signature, aka a signed non-encrypted document.
@@ -98,37 +108,56 @@ def extract_data_from_signature(signature_raw, man_digest):
         dict: JSON representation of the document and available data about signature
 
     """
-    gpg = gnupg.GPG()
-    crypt_obj = gpg.decrypt(signature_raw, extra_args=["--skip-verify"])
-    if not crypt_obj.data:
-        log.info(
-            "It is not possible to read the signed document, GPG error: {}".format(crypt_obj.stderr)
+    try:
+        pile = PacketPile.from_bytes(signature_raw)
+    except Exception as exc:
+        raise ValueError(
+            "Signed document for manifest {} is un-parseable: {}".format(man_digest, str(exc))
         )
-        return
+
+    literal_data = None
+    signing_key_id = None
+    signing_key_fingerprint = None
+    signature_timestamp = None
+
+    for packet in pile:
+        if packet.tag == Tag.Literal:
+            literal_data = bytes(packet.literal_data)
+        elif packet.tag == Tag.Signature:
+            if packet.issuer_key_id is not None:
+                signing_key_id = packet.issuer_key_id.upper()
+            elif packet.issuer_fingerprint is not None:
+                signing_key_fingerprint = packet.issuer_fingerprint.upper()
+                signing_key_id = keyid_from_fingerprint(signing_key_fingerprint)
+            else:
+                raise ValueError(
+                    "Signature for manifest {} has no fingerprint or key_id".format(man_digest)
+                )
+            if packet.signature_created is not None:
+                signature_timestamp = int(packet.signature_created.timestamp())
+
+    if not literal_data:
+        raise ValueError("Signature for manifest {} has no literal data".format(man_digest))
 
     try:
-        sig_json = json.loads(crypt_obj.data)
+        sig_json = json.loads(literal_data)
     except Exception as exc:
-        log.info(
-            "Signed document cannot be parsed to create a signature for {}."
-            " Error: {}".format(man_digest, str(exc))
+        raise ValueError(
+            "Signed document cannot be parsed to create a signature for {}. Error: {}".format(
+                man_digest, str(exc)
+            )
         )
-        return
 
     errors = []
     for error in signature_validator.iter_errors(sig_json):
         errors.append(f'{".".join(error.path)}: {error.message}')
 
     if errors:
-        log.info("The signature for {} is not synced due to: {}".format(man_digest, errors))
-        return
-
-    # decrypted and unverified signatures do not have prepopulated the key_id and timestamp
-    # fields; thus, it is necessary to use the debugging utilities of gpg to extract these
-    # fields since they are not encrypted and still readable without decrypting the signature first
-    packets = subprocess.check_output(["gpg", "--list-packets"], input=signature_raw).decode()
-    sig_json["signing_key_id"] = KEY_ID_REGEX_COMPILED.search(packets).group(1)
-    sig_json["signature_timestamp"] = TIMESTAMP_REGEX_COMPILED.search(packets).group(1)
+        raise ValueError("The signature for {} is not synced due to: {}".format(man_digest, errors))
+
+    sig_json["signing_key_id"] = signing_key_id
+    sig_json["signing_key_fingerprint"] = signing_key_fingerprint
+    sig_json["signature_timestamp"] = signature_timestamp
 
     return sig_json
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/app/viewsets.py

@@ -45,7 +45,6 @@ from pulpcore.plugin.viewsets import (
 
 from pulp_container.app import models, serializers, tasks
 
-
 log = logging.getLogger(__name__)
 
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/constants.py

@@ -1,6 +1,5 @@
 from types import SimpleNamespace
 
-
 MEDIA_TYPE = SimpleNamespace(
     MANIFEST_V1="application/vnd.docker.distribution.manifest.v1+json",
     MANIFEST_V1_SIGNED="application/vnd.docker.distribution.manifest.v1+prettyjws",

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/tests/functional/api/test_build_images.py

@@ -10,13 +10,11 @@ from pulp_container.constants import MANIFEST_TYPE
 def containerfile_name():
     """A fixture for a basic container file used for building images."""
     with NamedTemporaryFile() as containerfile:
-        containerfile.write(
-            b"""FROM quay.io/quay/busybox:latest
+        containerfile.write(b"""FROM quay.io/quay/busybox:latest
 # Copy a file using COPY statement. Use the relative path specified in the 'artifacts' parameter.
 COPY foo/bar/example.txt /tmp/inside-image.txt
 # Print the content of the file when the container starts
-CMD ["cat", "/tmp/inside-image.txt"]"""
-        )
+CMD ["cat", "/tmp/inside-image.txt"]""")
         containerfile.flush()
         yield containerfile.name
 
@@ -215,11 +213,9 @@ def test_without_build_context(
 
     def containerfile_without_context_files():
         with NamedTemporaryFile() as containerfile:
-            containerfile.write(
-                b"""FROM quay.io/quay/busybox:latest
+            containerfile.write(b"""FROM quay.io/quay/busybox:latest
 # Print the content of the file when the container starts
-CMD ["ls", "/"]"""
-            )
+CMD ["ls", "/"]""")
             containerfile.flush()
             yield containerfile.name
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/tests/functional/api/test_crud_remotes.py

@@ -6,7 +6,6 @@ import uuid
 
 from pulp_container.tests.functional.conftest import gen_container_remote
 
-
 ON_DEMAND_DOWNLOAD_POLICIES = ("on_demand", "streamed")
 
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/tests/functional/api/test_flatpak.py

@@ -5,7 +5,6 @@ import subprocess
 
 from pulp_container.tests.functional.constants import REGISTRY_V2
 
-
 pytestmark = pytest.mark.skip(reason="TLS is broken currently. TODO: Fix")
 
 

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container/tests/functional/api/test_sync_signatures.py

@@ -9,6 +9,9 @@ IMAGE_MANIFEST_TAG = "7.9-511-source"
 MANIFEST_LIST_TAG = "7.9"
 SIGSTORE_URL = "https://access.redhat.com/webassets/docker/content/sigstore"
 
+UBI10_MICRO_REPOSITORY_NAME = "ubi10-micro"
+UBI10_MICRO_TAG = "latest"
+
 
 @pytest.fixture
 def synced_repository(
@@ -120,3 +123,66 @@ def test_sync_images_without_sigstore_requiring_signatures(container_bindings, s
         repository_version=synced_repository.latest_version_href
     ).results
     assert len(tags) == 0
+
+
+def test_sync_image_with_pqc_signatures(
+    delete_orphans_pre,
+    container_repo,
+    container_remote_factory,
+    container_bindings,
+    monitor_task,
+):
+    """Sync ubi10-micro:latest from registry.access.redhat.com with all signatures."""
+    data = gen_container_remote(
+        url=REDHAT_REGISTRY_V2,
+        upstream_name=UBI10_MICRO_REPOSITORY_NAME,
+        policy="on_demand",
+        include_tags=[UBI10_MICRO_TAG],
+        sigstore=SIGSTORE_URL,
+    )
+    remote = container_remote_factory(**data)
+
+    sync_data = {"remote": remote.pulp_href, "signed_only": False}
+    response = container_bindings.RepositoriesContainerApi.sync(container_repo.pulp_href, sync_data)
+    monitor_task(response.task)
+
+    repo = container_bindings.RepositoriesContainerApi.read(container_repo.pulp_href)
+
+    tags = container_bindings.ContentTagsApi.list(
+        repository_version=repo.latest_version_href
+    ).results
+    assert len(tags) == 1
+    assert tags[0].name == UBI10_MICRO_TAG
+
+    signatures = container_bindings.ContentSignaturesApi.list(
+        repository_version=repo.latest_version_href
+    ).results
+    assert len(signatures) > 0
+
+    # Assert that a signature using one of the "old" Red Hat signing release keys exist
+    expected_key_ids = ["199E2F91FD431D51", "E60D446E63405576"]
+    assert any(s.key_id in expected_key_ids for s in signatures), (
+        f"No signature found with key_ids {expected_key_ids}; "
+        f"found key_ids: {sorted({s.key_id for s in signatures})}"
+    )
+
+    # Assert that a signature using the Red Hat PQC (ML-DSA-87) signing key exists
+    # Fingerprint: FCD355B305707A62DA143AB6E422397E50FE8467A2A95343D246D6276AFEDF8F
+    # Key ID => first 8 bytes (16 hex chars)
+    expected_key_id = "FCD355B305707A62"
+    assert any(s.key_id == expected_key_id for s in signatures), (
+        f"No signature found with key_id {expected_key_id!r}; "
+        f"found key_ids: {sorted({s.key_id for s in signatures})}"
+    )
+
+    # ubi10-micro:latest is a manifest list; collect all listed manifests and verify
+    # that each has at least one signature
+    manifest_list = container_bindings.ContentManifestsApi.read(tags[0].tagged_manifest)
+    listed_manifests = [
+        container_bindings.ContentManifestsApi.read(lm_href)
+        for lm_href in manifest_list.listed_manifests
+    ]
+    for lm in listed_manifests:
+        lm_signatures = [s for s in signatures if s.signed_manifest == lm.pulp_href]
+        assert len(lm_signatures) > 0, f"No signatures found for manifest {lm.digest}"
+        assert all(s.name.startswith(lm.digest) for s in lm_signatures)

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pulp-container
-Version: 2.27.2
+Version: 2.27.4
 Summary: Container plugin for the Pulp Project
 Author-email: Pulp Team <pulp-list@redhat.com>
 Project-URL: Homepage, https://pulpproject.org
@@ -20,4 +20,5 @@ License-File: LICENSE
 Requires-Dist: jsonschema<4.26,>=4.4
 Requires-Dist: pulpcore<3.115,>=3.73.2
 Requires-Dist: pyjwt[crypto]<2.11,>=2.4
+Requires-Dist: pysequoia==0.1.32
 Dynamic: license-file

{pulp_container-2.27.2 → pulp_container-2.27.4}/pulp_container.egg-info/requires.txt

@@ -1,3 +1,4 @@
 jsonschema<4.26,>=4.4
 pulpcore<3.115,>=3.73.2
 pyjwt[crypto]<2.11,>=2.4
+pysequoia==0.1.32

{pulp_container-2.27.2 → pulp_container-2.27.4}/pyproject.toml

@@ -7,7 +7,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = "pulp-container"
-version = "2.27.2"
+version = "2.27.4"
 description = "Container plugin for the Pulp Project"
 readme = "README.md"
 authors = [
@@ -26,6 +26,7 @@ dependencies = [
   "jsonschema>=4.4,<4.26",
   "pulpcore>=3.73.2,<3.115",
   "pyjwt[crypto]>=2.4,<2.11",
+  "pysequoia==0.1.32",
 ]
 
 [project.urls]
@@ -81,12 +82,14 @@ ignore = [
     ".github/**",
     "lint_requirements.txt",
     ".flake8",
+    "AGENTS.md",
+    "CLAUDE.md",
 ]
 
 [tool.bumpversion]
 # This section is managed by the plugin template. Do not edit manually.
 
-current_version = "2.27.2"
+current_version = "2.27.4"
 commit = false
 tag = false
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<alpha>0a)?(?P<patch>\\d+)(\\.(?P<release>[a-z]+))?"

pulp_container-2.27.2/pulp_container/app/__init__.py

@@ -1,15 +0,0 @@
-from pulpcore.plugin import PulpPluginAppConfig
-
-
-class PulpContainerPluginAppConfig(PulpPluginAppConfig):
-    """Entry point for the container plugin."""
-
-    name = "pulp_container.app"
-    label = "container"
-    version = "2.27.2"
-    python_package_name = "pulp-container"
-    domain_compatible = True
-
-    def ready(self):
-        super().ready()
-        from . import checks