pkgset: Remove reuse file when packages are not signed
In such case we never want to reuse the pkgset, as it risks leaking unsigned packages. Safest option is to remove the file completely. Fixes: https://pagure.io/pungi/issue/1480 JIRA: RHELCMP-3720 Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
This commit is contained in:
parent
c87fce30ac
commit
49a5661521
@ -35,6 +35,10 @@ from pungi.util import pkg_is_srpm, copy_all
|
|||||||
from pungi.arch import get_valid_arches, is_excluded
|
from pungi.arch import get_valid_arches, is_excluded
|
||||||
|
|
||||||
|
|
||||||
|
class UnsignedPackagesError(RuntimeError):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
class ExtendedRpmWrapper(kobo.pkgset.SimpleRpmWrapper):
|
class ExtendedRpmWrapper(kobo.pkgset.SimpleRpmWrapper):
|
||||||
"""
|
"""
|
||||||
ExtendedRpmWrapper extracts only certain RPM fields instead of
|
ExtendedRpmWrapper extracts only certain RPM fields instead of
|
||||||
@ -144,7 +148,7 @@ class PackageSetBase(kobo.log.LoggingBase):
|
|||||||
|
|
||||||
def raise_invalid_sigkeys_exception(self, rpminfos):
|
def raise_invalid_sigkeys_exception(self, rpminfos):
|
||||||
"""
|
"""
|
||||||
Raises RuntimeError containing details of RPMs with invalid
|
Raises UnsignedPackagesError containing details of RPMs with invalid
|
||||||
sigkeys defined in `rpminfos`.
|
sigkeys defined in `rpminfos`.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@ -166,7 +170,9 @@ class PackageSetBase(kobo.log.LoggingBase):
|
|||||||
|
|
||||||
if not isinstance(rpminfos, dict):
|
if not isinstance(rpminfos, dict):
|
||||||
rpminfos = {self.sigkey_ordering: rpminfos}
|
rpminfos = {self.sigkey_ordering: rpminfos}
|
||||||
raise RuntimeError("\n".join(get_error(k, v) for k, v in rpminfos.items()))
|
raise UnsignedPackagesError(
|
||||||
|
"\n".join(get_error(k, v) for k, v in rpminfos.items())
|
||||||
|
)
|
||||||
|
|
||||||
def read_packages(self, rpms, srpms):
|
def read_packages(self, rpms, srpms):
|
||||||
srpm_pool = ReaderPool(self, self._logger)
|
srpm_pool = ReaderPool(self, self._logger)
|
||||||
|
@ -5,6 +5,7 @@ from __future__ import print_function
|
|||||||
|
|
||||||
import argparse
|
import argparse
|
||||||
import getpass
|
import getpass
|
||||||
|
import glob
|
||||||
import json
|
import json
|
||||||
import locale
|
import locale
|
||||||
import logging
|
import logging
|
||||||
@ -327,12 +328,20 @@ def main():
|
|||||||
)
|
)
|
||||||
notifier.compose = compose
|
notifier.compose = compose
|
||||||
COMPOSE = compose
|
COMPOSE = compose
|
||||||
run_compose(
|
try:
|
||||||
compose,
|
run_compose(
|
||||||
create_latest_link=create_latest_link,
|
compose,
|
||||||
latest_link_status=latest_link_status,
|
create_latest_link=create_latest_link,
|
||||||
latest_link_components=latest_link_components,
|
latest_link_status=latest_link_status,
|
||||||
)
|
latest_link_components=latest_link_components,
|
||||||
|
)
|
||||||
|
except pungi.phases.pkgset.pkgsets.UnsignedPackagesError:
|
||||||
|
# There was an unsigned package somewhere. It is not safe to reuse any
|
||||||
|
# package set from this compose (since we could leak the unsigned
|
||||||
|
# package). Let's make sure all reuse files are deleted.
|
||||||
|
for fp in glob.glob(compose.paths.work.pkgset_reuse_file("*")):
|
||||||
|
os.unlink(fp)
|
||||||
|
raise
|
||||||
|
|
||||||
|
|
||||||
def run_compose(
|
def run_compose(
|
||||||
|
Loading…
Reference in New Issue
Block a user