pkgset: Remove reuse file when packages are not signed

In such a case we never want to reuse the pkgset, as it risks leaking
unsigned packages. The safest option is to remove the file completely.

Fixes: https://pagure.io/pungi/issue/1480
JIRA: RHELCMP-3720
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
Lubomír Sedlář 2021-01-08 14:34:34 +01:00
parent c87fce30ac
commit 49a5661521
2 changed files with 23 additions and 8 deletions


@ -35,6 +35,10 @@ from pungi.util import pkg_is_srpm, copy_all
from pungi.arch import get_valid_arches, is_excluded from pungi.arch import get_valid_arches, is_excluded
class UnsignedPackagesError(RuntimeError):
pass
class ExtendedRpmWrapper(kobo.pkgset.SimpleRpmWrapper): class ExtendedRpmWrapper(kobo.pkgset.SimpleRpmWrapper):
""" """
ExtendedRpmWrapper extracts only certain RPM fields instead of ExtendedRpmWrapper extracts only certain RPM fields instead of
@ -144,7 +148,7 @@ class PackageSetBase(kobo.log.LoggingBase):
def raise_invalid_sigkeys_exception(self, rpminfos): def raise_invalid_sigkeys_exception(self, rpminfos):
""" """
Raises RuntimeError containing details of RPMs with invalid Raises UnsignedPackagesError containing details of RPMs with invalid
sigkeys defined in `rpminfos`. sigkeys defined in `rpminfos`.
""" """
@ -166,7 +170,9 @@ class PackageSetBase(kobo.log.LoggingBase):
if not isinstance(rpminfos, dict): if not isinstance(rpminfos, dict):
rpminfos = {self.sigkey_ordering: rpminfos} rpminfos = {self.sigkey_ordering: rpminfos}
raise RuntimeError("\n".join(get_error(k, v) for k, v in rpminfos.items())) raise UnsignedPackagesError(
"\n".join(get_error(k, v) for k, v in rpminfos.items())
)
def read_packages(self, rpms, srpms): def read_packages(self, rpms, srpms):
srpm_pool = ReaderPool(self, self._logger) srpm_pool = ReaderPool(self, self._logger)
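Review bot: The new `UnsignedPackagesError` class has no docstring, and its name is narrower than the docstring of `raise_invalid_sigkeys_exception`, which says it is raised for RPMs with invalid sigkeys. That presumably includes packages signed with a key that is not accepted, not only unsigned ones. A docstring would make the contract explicit for callers, for example `"""Raised when packages are unsigned or carry a sigkey that is not allowed; pkgset reuse files from this compose must not be kept."""`. Because the class subclasses `RuntimeError`, existing `except RuntimeError` handlers keep working, which is worth stating in the same docstring.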


@ -5,6 +5,7 @@ from __future__ import print_function
import argparse import argparse
import getpass import getpass
import glob
import json import json
import locale import locale
import logging import logging
@ -327,12 +328,20 @@ def main():
) )
notifier.compose = compose notifier.compose = compose
COMPOSE = compose COMPOSE = compose
run_compose( try:
compose, run_compose(
create_latest_link=create_latest_link, compose,
latest_link_status=latest_link_status, create_latest_link=create_latest_link,
latest_link_components=latest_link_components, latest_link_status=latest_link_status,
) latest_link_components=latest_link_components,
)
except pungi.phases.pkgset.pkgsets.UnsignedPackagesError:
# There was an unsigned package somewhere. It is not safe to reuse any
# package set from this compose (since we could leak the unsigned
# package). Let's make sure all reuse files are deleted.
for fp in glob.glob(compose.paths.work.pkgset_reuse_file("*")):
os.unlink(fp)
raise
def run_compose( def run_compose(
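Review bot: In the new `except pungi.phases.pkgset.pkgsets.UnsignedPackagesError` branch, a failing `os.unlink(fp)` aborts the loop and its `OSError` propagates in place of the error that the bare `raise` was meant to re-raise. Any reuse files not yet visited then stay on disk, which is the state this cleanup exists to prevent. Each removal should be guarded on its own, with `try: os.unlink(fp)` followed by `except OSError:` that logs the path, so every matched file is attempted and the original exception still reaches `raise`. The handler also relies on `os` and `pungi.phases.pkgset.pkgsets` being imported in this module; the visible hunks only add `import glob`, so that is worth confirming. `main()` starts and ends outside the hunk.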