From aef48c0ab4d619a7fbc30ce6c9fec9474c381d5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubom=C3=ADr=20Sedl=C3=A1=C5=99?=
Date: Mon, 5 Aug 2024 10:48:50 +0200
Subject: [PATCH] Drop support for signing rpm-wrapped artifacts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This was only usable in live_images phase that doesn't exist anymore, and wasn't used much in the first place.

Signed-off-by: Lubomír Sedlář
(cherry picked from commit 0726a4dca7116b672a77d579f9968e59a5aa5df9)
---
doc/configuration.rst | 37 -------------------------------
pungi/checks.py | 3 ---
pungi/scripts/pungi_koji.py | 43 -------------------------------------
3 files changed, 83 deletions(-)

diff --git a/doc/configuration.rst b/doc/configuration.rst
index a23d9dc1..9bbe2d2f 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -354,43 +354,6 @@ Example
 }
-Signing
-=======
-
-If you want to sign deliverables generated during pungi run like RPM wrapped
-images. You must provide few configuration options:
-
-**signing_command** [optional]
- (*str*) -- Command that will be run with a koji build as a single
- argument. This command must not require any user interaction.
- If you need to pass a password for a signing key to the command,
- do this via command line option of the command and use string
- formatting syntax ``%(signing_key_password)s``.
- (See **signing_key_password_file**).
-
-**signing_key_id** [optional]
- (*str*) -- ID of the key that will be used for the signing.
- This ID will be used when crafting koji paths to signed files
- (``kojipkgs.fedoraproject.org/packages/NAME/VER/REL/data/signed/KEYID/..``).
-
-**signing_key_password_file** [optional]
- (*str*) -- Path to a file with password that will be formatted
- into **signing_command** string via ``%(signing_key_password)s``
- string format syntax (if used).
- Because pungi config is usually stored in git and is part of compose
- logs we don't want password to be included directly in the config.
- Note: If ``-`` string is used instead of a filename, then you will be asked
- for the password interactivelly right after pungi starts.
-
-Example
--------
-::
-
- signing_command = '~/git/releng/scripts/sigulsign_unsigned.py -vv --password=%(signing_key_password)s fedora-24'
- signing_key_id = '81b46521'
- signing_key_password_file = '~/password_for_fedora-24_key'
-
-
 .. _git-urls:
 Git URLs
diff --git a/pungi/checks.py b/pungi/checks.py
index baa9d873..1ee614a7 100644
--- a/pungi/checks.py
+++ b/pungi/checks.py
@@ -1418,9 +1418,6 @@ def make_schema():
 {"$ref": "#/definitions/strings"}
 ),
 "lorax_use_koji_plugin": {"type": "boolean", "default": False},
- "signing_key_id": {"type": "string"},
- "signing_key_password_file": {"type": "string"},
- "signing_command": {"type": "string"},
 "productimg": {
 "deprecated": "remove it. Productimg phase has been removed"
 },
diff --git a/pungi/scripts/pungi_koji.py b/pungi/scripts/pungi_koji.py
index 71a32ad7..299c6a3d 100644
--- a/pungi/scripts/pungi_koji.py
+++ b/pungi/scripts/pungi_koji.py
@@ -471,49 +471,6 @@ def run_compose(
 print(i)
 raise RuntimeError("Configuration is not valid")
- # PREP
-
- # Note: This may be put into a new method of phase classes (e.g. .prep())
- # in same way as .validate() or .run()
-
- # Prep for liveimages - Obtain a password for signing rpm wrapped images
- if (
- "signing_key_password_file" in compose.conf
- and "signing_command" in compose.conf
- and "%(signing_key_password)s" in compose.conf["signing_command"]
- ):
- # TODO: Don't require key if signing is turned off
- # Obtain signing key password
- signing_key_password = None
-
- # Use appropriate method
- if compose.conf["signing_key_password_file"] == "-":
- # Use stdin (by getpass module)
- try:
- signing_key_password = getpass.getpass("Signing key password: ")
- except EOFError:
- compose.log_debug("Ignoring signing key password")
- pass
- else:
- # Use text file with password
- try:
- signing_key_password = (
- open(compose.conf["signing_key_password_file"], "r")
- .readline()
- .rstrip("\n")
- )
- except IOError:
- # Filename is not print intentionally in case someone puts
- # password directly into the option
- err_msg = "Cannot load password from file specified by 'signing_key_password_file' option" # noqa: E501
- compose.log_error(err_msg)
- print(err_msg)
- raise RuntimeError(err_msg)
-
- if signing_key_password:
- # Store the password
- compose.conf["signing_key_password"] = signing_key_password
-
 init_phase.start()
 init_phase.stop()