osbs: optionally check GPG signatures
If gpgkey option is defined in config, set gpgcheck=1 and set gpgkey=<value> in variant repo files. Fixes: #487 Signed-off-by: Qixiang Wan <qwan@redhat.com>
parent
5d241d316a
commit
a9b275f13b
@ -1253,7 +1253,8 @@ they are not scratch builds).
|
||||
A value for ``yum_repourls`` will be created automatically and point at a
|
||||
repository in the current compose. You can add extra repositories with
|
||||
``repo`` key having a list of urls pointing to ``.repo`` files or
|
||||
``repo_from`` as a list of variants in current compose.
|
||||
``repo_from`` as a list of variants in current compose. ``gpgkey`` can be
|
||||
specified to enable gpgcheck in repo files for variants.
|
||||
|
||||
|
||||
Example config
|
||||
@ -1273,6 +1274,7 @@ Example config
|
||||
"repo_from": ["Everything"],
|
||||
# This will result in three repo urls being passed to the task.
|
||||
# They will be in this order: Server, Everything, example.com/
|
||||
"gpgkey": 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -831,6 +831,7 @@ def _make_schema():
|
||||
"priority": {"type": "number"},
|
||||
"repo": {"$ref": "#/definitions/strings"},
|
||||
"repo_from": {"$ref": "#/definitions/strings"},
|
||||
"gpgkey": {"type": "string"},
|
||||
},
|
||||
"required": ["url", "target"]
|
||||
}
|
||||
|
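Review bot: The new `gpgkey` schema entry accepts any string, including the empty string, and the consumer in `_get_repo` tests the value for truthiness, so `"gpgkey": ""` validates and still yields `gpgcheck=0` without any warning. Tightening the entry to `"gpgkey": {"type": "string", "minLength": 1},` turns a blank key into a config error instead of a silent downgrade to unsigned packages. Whether any other validation runs on this value is not visible here, and `_make_schema` continues outside the hunk.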
@ -55,7 +55,8 @@ class OSBSThread(WorkerThread):
|
||||
target = config.pop('target')
|
||||
priority = config.pop('priority', None)
|
||||
repos = shortcuts.force_list(config.pop('repo', []))
|
||||
compose_repos = [self._get_repo(compose, v)
|
||||
gpgkey = config.pop('gpgkey', None)
|
||||
compose_repos = [self._get_repo(compose, v, gpgkey=gpgkey)
|
||||
for v in [variant.uid] + shortcuts.force_list(
|
||||
config.pop('repo_from', []))]
|
||||
|
||||
@ -107,7 +108,7 @@ class OSBSThread(WorkerThread):
|
||||
self.pool.metadata.setdefault(
|
||||
variant.uid, {}).setdefault(arch, []).append(data)
|
||||
|
||||
def _get_repo(self, compose, variant_uid):
|
||||
def _get_repo(self, compose, variant_uid, gpgkey=None):
|
||||
"""
|
||||
Write a .repo file pointing to current variant and return URL to the
|
||||
file.
|
||||
@ -123,11 +124,14 @@ class OSBSThread(WorkerThread):
|
||||
repo_file = os.path.join(compose.paths.work.tmp_dir(None, variant),
|
||||
'compose-rpms-%s.repo' % self.num)
|
||||
|
||||
gpgcheck = 1 if gpgkey else 0
|
||||
with open(repo_file, 'w') as f:
|
||||
f.write('[%s]\n' % compose.compose_id)
|
||||
f.write('name=Compose %s (RPMs)\n' % compose.compose_id)
|
||||
f.write('baseurl=%s\n' % translate_path(compose, os_tree))
|
||||
f.write('enabled=1\n')
|
||||
f.write('gpgcheck=0\n')
|
||||
f.write('gpgcheck=%s\n' % gpgcheck)
|
||||
if gpgcheck:
|
||||
f.write('gpgkey=%s\n' % gpgkey)
|
||||
|
||||
return translate_path(compose, repo_file)
|
||||
|
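Review bot: In `_get_repo`, `f.write('gpgkey=%s\n' % gpgkey)` copies the configured value into the repo file verbatim, so a value containing a line break would add further lines to the repo section, and a later `gpgcheck=0` there could undo the setting this commit introduces (how the consuming parser treats a duplicated option should be confirmed). Rejecting such values before the file is opened keeps the file well-formed: `if gpgkey and ('\n' in gpgkey or '\r' in gpgkey): raise ValueError('gpgkey must not contain line breaks')`. A comment beside `gpgcheck = 1 if gpgkey else 0` should also say that this enables package signature checks only, and that repository metadata stays unverified unless `repo_gpgcheck` is set as well. The body of `_get_repo` starts and ends outside these hunks.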
@ -194,12 +194,15 @@ class OSBSThreadTest(helpers.PungiTestCase):
|
||||
mock.call.koji_proxy.getBuild(54321),
|
||||
mock.call.koji_proxy.listArchives(54321)])
|
||||
|
||||
def _assertRepoFile(self, variants=None):
|
||||
def _assertRepoFile(self, variants=None, gpgkey=None):
|
||||
variants = variants or ['Server']
|
||||
for variant in variants:
|
||||
with open(self.topdir + '/work/global/tmp-%s/compose-rpms-1.repo' % variant) as f:
|
||||
lines = f.read().split('\n')
|
||||
self.assertIn('baseurl=http://root/compose/%s/$basearch/os' % variant, lines)
|
||||
if gpgkey:
|
||||
self.assertIn('gpgcheck=1', lines)
|
||||
self.assertIn('gpgkey=%s' % gpgkey, lines)
|
||||
|
||||
def _assertConfigCorrect(self, cfg):
|
||||
config = copy.deepcopy(self.compose.conf)
|
||||
@ -327,6 +330,26 @@ class OSBSThreadTest(helpers.PungiTestCase):
|
||||
self._assertCorrectMetadata()
|
||||
self._assertRepoFile(['Server', 'Everything', 'Client'])
|
||||
|
||||
@mock.patch('pungi.util.resolve_git_url')
|
||||
@mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
|
||||
def test_run_with_gpgkey_enabled(self, KojiWrapper, resolve_git_url):
|
||||
gpgkey = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
|
||||
cfg = {
|
||||
'url': 'git://example.com/repo?#HEAD',
|
||||
'target': 'f24-docker-candidate',
|
||||
'name': 'my-name',
|
||||
'version': '1.0',
|
||||
'repo': ['http://pkgs.example.com/my.repo'],
|
||||
'repo_from': ['Everything', 'Client'],
|
||||
'gpgkey': gpgkey,
|
||||
}
|
||||
self._assertConfigCorrect(cfg)
|
||||
self._setupMock(KojiWrapper, resolve_git_url)
|
||||
|
||||
self.t.process((self.compose, self.compose.variants['Server'], cfg), 1)
|
||||
|
||||
self._assertRepoFile(['Server', 'Everything', 'Client'], gpgkey=gpgkey)
|
||||
|
||||
@mock.patch('pungi.util.resolve_git_url')
|
||||
@mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
|
||||
def test_run_with_extra_repos_missing_variant(self, KojiWrapper, resolve_git_url):
|
||||
|
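Review bot: `_assertRepoFile` checks the signature settings only when `gpgkey` is passed, so the existing callers never assert what the repo file contains when no key is configured, and a regression that wrote a `gpgkey=` line alongside `gpgcheck=0` would still pass. Add the other branch after the `if gpgkey:` block: `else: self.assertIn('gpgcheck=0', lines)` followed by `self.assertFalse([l for l in lines if l.startswith('gpgkey=')])`. The new test also exercises only a `file://` key; a case with an empty `gpgkey` would pin the fallback behaviour.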