ALBS-732: pungi: do not build anything if unsigned packages found

soksanichenko 2022-11-07 22:15:16 +02:00
parent ff946d3f7b
commit 590240c0a1
1 changed files with 27 additions and 3 deletions


@ -22,6 +22,9 @@ It automatically finds a signed copies according to *sigkey_ordering*.
import itertools import itertools
import json import json
import os import os
import pgpy
import rpm
from six.moves import cPickle as pickle from six.moves import cPickle as pickle
import kobo.log import kobo.log
@ -493,8 +496,6 @@ class KojiPackageSet(PackageSetBase):
return response return response
def get_package_path(self, queue_item): def get_package_path(self, queue_item):
rpm_info, build_info = queue_item rpm_info, build_info = queue_item
@ -834,7 +835,7 @@ class KojiMockPackageSet(PackageSetBase):
and include in the package set. Useful when building testing compose and include in the package set. Useful when building testing compose
with RPM scratch builds. with RPM scratch builds.
""" """
super(KojiMockPackageSet , self).__init__( super(KojiMockPackageSet, self).__init__(
name, name,
sigkey_ordering=sigkey_ordering, sigkey_ordering=sigkey_ordering,
arches=arches, arches=arches,
@ -849,6 +850,8 @@ class KojiMockPackageSet(PackageSetBase):
self.extra_builds = extra_builds or [] self.extra_builds = extra_builds or []
self.extra_tasks = extra_tasks or [] self.extra_tasks = extra_tasks or []
self.reuse = None self.reuse = None
self.sigkey_ordering = [sigkey.lower() for sigkey in sigkey_ordering] \
or [None]
def __getstate__(self): def __getstate__(self):
result = self.__dict__.copy() result = self.__dict__.copy()
@ -965,6 +968,20 @@ class KojiMockPackageSet(PackageSetBase):
return response return response
def _is_rpm_signed(self, rpm_path) -> bool:
ts = rpm.TransactionSet()
ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)
with open(rpm_path, 'rb') as fd:
header = ts.hdrFromFdno(fd)
signature = header[rpm.RPMTAG_SIGGPG] or header[rpm.RPMTAG_SIGPGP]
if not signature:
return False
pgp_msg = pgpy.PGPMessage.from_blob(signature)
return any(
signature.signer.lower() in self.sigkey_ordering
for signature in pgp_msg.signatures
)
def get_package_path(self, queue_item): def get_package_path(self, queue_item):
rpm_info, build_info = queue_item rpm_info, build_info = queue_item
@ -982,6 +999,13 @@ class KojiMockPackageSet(PackageSetBase):
rpm_path = os.path.join(pathinfo.topdir, pathinfo.rpm(rpm_info)) rpm_path = os.path.join(pathinfo.topdir, pathinfo.rpm(rpm_info))
if os.path.isfile(rpm_path): if os.path.isfile(rpm_path):
if not self._is_rpm_signed(rpm_path):
self._invalid_sigkey_rpms.append(rpm_info)
self.log_error(
'RPM "%s" not found for sigs: "%s". Path checked: "%s"',
rpm_info, self.sigkey_ordering, rpm_path
)
return
return rpm_path return rpm_path
else: else:
self.log_warning("RPM %s not found" % rpm_path) self.log_warning("RPM %s not found" % rpm_path)
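Review bot: `_is_rpm_signed` never validates a signature. It reads the header with `rpm._RPMVSF_NOSIGNATURES` set and then only compares `signature.signer` from the parsed packet against `self.sigkey_ordering`, so the result rests on an issuer key ID that nothing has authenticated. That catches packages with no signature at all, but a package whose signature packet merely names an accepted key ID would also be treated as signed. If this gate is meant as a trust decision, verify the package against a keyring holding only the configured public keys (for example via `rpmkeys --checksig`) and keep the key-ID comparison as a pre-filter; at minimum add a docstring such as `"""Return True if the header carries a PGP signature whose issuer key ID is in sigkey_ordering; the signature itself is not verified."""`. Separately, in `__init__` the `or [None]` fallback makes the check return False for every package, since a signer string is never in `[None]`, and `.lower()` raises if the argument or any entry is `None`. It is worth confirming how a configuration that permits unsigned packages should behave.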