Make quetz content trust plugin work with mamba

Author: Hind-M

plugins/quetz_content_trust/quetz_content_trust/main.py

@@ -44,8 +44,27 @@ def post_index_creation(raw_repodata: dict, channel_name, subdir):
                 "packages.conda", {}
             )
             for name, metadata in packages.items():
+                # Only sign the relevant metadata
+                signable_metadata_keys = [
+                    "build",
+                    "build_number",
+                    "constrains",
+                    "depends",
+                    "license",
+                    "name",
+                    "version",
+                    "subdir",
+                    "size",
+                    "timestamp",
+                    "md5",
+                    "sha256",
+                ]
+                metadata_to_sign = {
+                    k: metadata[k] for k in signable_metadata_keys if k in metadata
+                }
                 sig = libmamba_api.sign(
-                    json.dumps(metadata, indent=2, sort_keys=True), query[0].private_key
+                    json.dumps(metadata_to_sign, indent=2, sort_keys=True),
+                    query[0].private_key,
                 )
                 if name not in signatures:
                     signatures[name] = {}

quetz/repo_data.py

@@ -4,6 +4,7 @@
 import json
 
 from quetz import db_models
+from quetz.condainfo import MAX_CONDA_TIMESTAMP
 
 
 def export(dao, channel_name, subdir):
@@ -22,6 +23,9 @@ def export(dao, channel_name, subdir):
         ):
             data = json.loads(info)
             data['time_modified'] = int(time_modified.timestamp())
+            if 'timestamp' in data and data['timestamp'] > MAX_CONDA_TIMESTAMP:
+                # Convert timestamp from milliseconds to seconds
+                data['timestamp'] //= 1000
             if format == db_models.PackageFormatEnum.conda:
                 packages_conda[filename] = data
             else: