Automatically verify Packages on secondaries

Problem to solve

PackageFiles are checksummed on the primary: #13839 (closed). And blob data types are checksummed on the secondary after download, compared with the primary, and the download is failed if checksums mismatch. But:

• PackageFile verification state on secondaries is not persisted
• Some new PackageFiles are not verified on transfer. E.g. because the file was too large to get checksummed synchronously on the primary. Or e.g. because there are many existing PackageFiles that are not yet checksummed on the primary that are being backfilled.

We need secondaries to "backfill" verification states in PackageFileRegistry.

Intended users

• System administrators

Proposal

• Reuse Gitlab::Geo::VerificationState on PackageFileRegistry
• Update VerifiableReplicator#verify_batch and VerifiableReplicator#verify to work on secondaries (especially, they need to compare the calculated checksum with the primary)

Permissions and Security

Documentation

Testing

• Unit and feature tests for new code

What does success look like, and how can we measure that?

• Backfill verification for all PackageFiles.
• Automatically run verification for new PackageFiles that were not verified on transfer (e.g. because the file was too large to get checksummed synchronously on the primary).

What is the type of buyer?

• Premium
• Ultimate

Links / references