Drop support for signing rpm-wrapped artifacts
This was only usable in the live_images phase, which doesn't exist anymore,
and wasn't used much in the first place.
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
(cherry picked from commit 0726a4dca7
)
parent
bd91ef1d10
commit
aef48c0ab4
@ -354,43 +354,6 @@ Example
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
Signing
|
|
||||||
=======
|
|
||||||
|
|
||||||
If you want to sign deliverables generated during pungi run like RPM wrapped
|
|
||||||
images. You must provide few configuration options:
|
|
||||||
|
|
||||||
**signing_command** [optional]
|
|
||||||
(*str*) -- Command that will be run with a koji build as a single
|
|
||||||
argument. This command must not require any user interaction.
|
|
||||||
If you need to pass a password for a signing key to the command,
|
|
||||||
do this via command line option of the command and use string
|
|
||||||
formatting syntax ``%(signing_key_password)s``.
|
|
||||||
(See **signing_key_password_file**).
|
|
||||||
|
|
||||||
**signing_key_id** [optional]
|
|
||||||
(*str*) -- ID of the key that will be used for the signing.
|
|
||||||
This ID will be used when crafting koji paths to signed files
|
|
||||||
(``kojipkgs.fedoraproject.org/packages/NAME/VER/REL/data/signed/KEYID/..``).
|
|
||||||
|
|
||||||
**signing_key_password_file** [optional]
|
|
||||||
(*str*) -- Path to a file with password that will be formatted
|
|
||||||
into **signing_command** string via ``%(signing_key_password)s``
|
|
||||||
string format syntax (if used).
|
|
||||||
Because pungi config is usually stored in git and is part of compose
|
|
||||||
logs we don't want password to be included directly in the config.
|
|
||||||
Note: If ``-`` string is used instead of a filename, then you will be asked
|
|
||||||
for the password interactivelly right after pungi starts.
|
|
||||||
|
|
||||||
Example
|
|
||||||
-------
|
|
||||||
::
|
|
||||||
|
|
||||||
signing_command = '~/git/releng/scripts/sigulsign_unsigned.py -vv --password=%(signing_key_password)s fedora-24'
|
|
||||||
signing_key_id = '81b46521'
|
|
||||||
signing_key_password_file = '~/password_for_fedora-24_key'
|
|
||||||
|
|
||||||
|
|
||||||
.. _git-urls:
|
.. _git-urls:
|
||||||
|
|
||||||
Git URLs
|
Git URLs
|
||||||
|
@ -1418,9 +1418,6 @@ def make_schema():
|
|||||||
{"$ref": "#/definitions/strings"}
|
{"$ref": "#/definitions/strings"}
|
||||||
),
|
),
|
||||||
"lorax_use_koji_plugin": {"type": "boolean", "default": False},
|
"lorax_use_koji_plugin": {"type": "boolean", "default": False},
|
||||||
"signing_key_id": {"type": "string"},
|
|
||||||
"signing_key_password_file": {"type": "string"},
|
|
||||||
"signing_command": {"type": "string"},
|
|
||||||
"productimg": {
|
"productimg": {
|
||||||
"deprecated": "remove it. Productimg phase has been removed"
|
"deprecated": "remove it. Productimg phase has been removed"
|
||||||
},
|
},
|
||||||
|
@ -471,49 +471,6 @@ def run_compose(
|
|||||||
print(i)
|
print(i)
|
||||||
raise RuntimeError("Configuration is not valid")
|
raise RuntimeError("Configuration is not valid")
|
||||||
|
|
||||||
# PREP
|
|
||||||
|
|
||||||
# Note: This may be put into a new method of phase classes (e.g. .prep())
|
|
||||||
# in same way as .validate() or .run()
|
|
||||||
|
|
||||||
# Prep for liveimages - Obtain a password for signing rpm wrapped images
|
|
||||||
if (
|
|
||||||
"signing_key_password_file" in compose.conf
|
|
||||||
and "signing_command" in compose.conf
|
|
||||||
and "%(signing_key_password)s" in compose.conf["signing_command"]
|
|
||||||
):
|
|
||||||
# TODO: Don't require key if signing is turned off
|
|
||||||
# Obtain signing key password
|
|
||||||
signing_key_password = None
|
|
||||||
|
|
||||||
# Use appropriate method
|
|
||||||
if compose.conf["signing_key_password_file"] == "-":
|
|
||||||
# Use stdin (by getpass module)
|
|
||||||
try:
|
|
||||||
signing_key_password = getpass.getpass("Signing key password: ")
|
|
||||||
except EOFError:
|
|
||||||
compose.log_debug("Ignoring signing key password")
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
# Use text file with password
|
|
||||||
try:
|
|
||||||
signing_key_password = (
|
|
||||||
open(compose.conf["signing_key_password_file"], "r")
|
|
||||||
.readline()
|
|
||||||
.rstrip("\n")
|
|
||||||
)
|
|
||||||
except IOError:
|
|
||||||
# Filename is not print intentionally in case someone puts
|
|
||||||
# password directly into the option
|
|
||||||
err_msg = "Cannot load password from file specified by 'signing_key_password_file' option" # noqa: E501
|
|
||||||
compose.log_error(err_msg)
|
|
||||||
print(err_msg)
|
|
||||||
raise RuntimeError(err_msg)
|
|
||||||
|
|
||||||
if signing_key_password:
|
|
||||||
# Store the password
|
|
||||||
compose.conf["signing_key_password"] = signing_key_password
|
|
||||||
|
|
||||||
init_phase.start()
|
init_phase.start()
|
||||||
init_phase.stop()
|
init_phase.stop()
|
||||||
|
|
||||||
|