osbs: optionally check GPG signatures

If gpgkey option is defined in config, set gpgcheck=1 and set
gpgkey=<value> in variant repo files.

Fixes: #487
Signed-off-by: Qixiang Wan <qwan@redhat.com>

doc/configuration.rst

@@ -1253,7 +1253,8 @@ they are not scratch builds).
     A value for ``yum_repourls`` will be created automatically and point at a
     repository in the current compose. You can add extra repositories with
     ``repo`` key having a list of urls pointing to ``.repo`` files or
-    ``repo_from`` as a list of variants in current compose.
+    ``repo_from`` as a list of variants in current compose. ``gpgkey`` can be
+    specified to enable gpgcheck in repo files for variants.
 
 
 Example config
@@ -1273,6 +1274,7 @@ Example config
             "repo_from": ["Everything"],
             # This will result in three repo urls being passed to the task.
             # They will be in this order: Server, Everything, example.com/
+            "gpgkey": 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
         }
     }
 

pungi/checks.py

@@ -831,6 +831,7 @@ def _make_schema():
                             "priority": {"type": "number"},
                             "repo": {"$ref": "#/definitions/strings"},
                             "repo_from": {"$ref": "#/definitions/strings"},
+                            "gpgkey": {"type": "string"},
                         },
                         "required": ["url", "target"]
                     }

pungi/phases/osbs.py

@@ -55,7 +55,8 @@ class OSBSThread(WorkerThread):
         target = config.pop('target')
         priority = config.pop('priority', None)
         repos = shortcuts.force_list(config.pop('repo', []))
-        compose_repos = [self._get_repo(compose, v)
+        gpgkey = config.pop('gpgkey', None)
+        compose_repos = [self._get_repo(compose, v, gpgkey=gpgkey)
                          for v in [variant.uid] + shortcuts.force_list(
                              config.pop('repo_from', []))]
 
@@ -107,7 +108,7 @@ class OSBSThread(WorkerThread):
             self.pool.metadata.setdefault(
                 variant.uid, {}).setdefault(arch, []).append(data)
 
-    def _get_repo(self, compose, variant_uid):
+    def _get_repo(self, compose, variant_uid, gpgkey=None):
         """
         Write a .repo file pointing to current variant and return URL to the
         file.
@@ -123,11 +124,14 @@ class OSBSThread(WorkerThread):
         repo_file = os.path.join(compose.paths.work.tmp_dir(None, variant),
                                  'compose-rpms-%s.repo' % self.num)
 
+        gpgcheck = 1 if gpgkey else 0
         with open(repo_file, 'w') as f:
             f.write('[%s]\n' % compose.compose_id)
             f.write('name=Compose %s (RPMs)\n' % compose.compose_id)
             f.write('baseurl=%s\n' % translate_path(compose, os_tree))
             f.write('enabled=1\n')
-            f.write('gpgcheck=0\n')
+            f.write('gpgcheck=%s\n' % gpgcheck)
+            if gpgcheck:
+                f.write('gpgkey=%s\n' % gpgkey)
 
         return translate_path(compose, repo_file)

tests/test_osbs_phase.py

@@ -194,12 +194,15 @@ class OSBSThreadTest(helpers.PungiTestCase):
                 mock.call.koji_proxy.getBuild(54321),
                 mock.call.koji_proxy.listArchives(54321)])
 
-    def _assertRepoFile(self, variants=None):
+    def _assertRepoFile(self, variants=None, gpgkey=None):
         variants = variants or ['Server']
         for variant in variants:
             with open(self.topdir + '/work/global/tmp-%s/compose-rpms-1.repo' % variant) as f:
                 lines = f.read().split('\n')
                 self.assertIn('baseurl=http://root/compose/%s/$basearch/os' % variant, lines)
+                if gpgkey:
+                    self.assertIn('gpgcheck=1', lines)
+                    self.assertIn('gpgkey=%s' % gpgkey, lines)
 
     def _assertConfigCorrect(self, cfg):
         config = copy.deepcopy(self.compose.conf)
@@ -327,6 +330,26 @@ class OSBSThreadTest(helpers.PungiTestCase):
         self._assertCorrectMetadata()
         self._assertRepoFile(['Server', 'Everything', 'Client'])
 
+    @mock.patch('pungi.util.resolve_git_url')
+    @mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
+    def test_run_with_gpgkey_enabled(self, KojiWrapper, resolve_git_url):
+        gpgkey = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
+        cfg = {
+            'url': 'git://example.com/repo?#HEAD',
+            'target': 'f24-docker-candidate',
+            'name': 'my-name',
+            'version': '1.0',
+            'repo': ['http://pkgs.example.com/my.repo'],
+            'repo_from': ['Everything', 'Client'],
+            'gpgkey': gpgkey,
+        }
+        self._assertConfigCorrect(cfg)
+        self._setupMock(KojiWrapper, resolve_git_url)
+
+        self.t.process((self.compose, self.compose.variants['Server'], cfg), 1)
+
+        self._assertRepoFile(['Server', 'Everything', 'Client'], gpgkey=gpgkey)
+
     @mock.patch('pungi.util.resolve_git_url')
     @mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
     def test_run_with_extra_repos_missing_variant(self, KojiWrapper, resolve_git_url):