From 590240c0a15d61d2fc475070b16251bc103cc8d5 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Mon, 7 Nov 2022 22:15:16 +0200
Subject: [PATCH 1/6] ALBS-732: pungi: do not build anything if unsigned packages found

---
 pungi/phases/pkgset/pkgsets.py | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/pungi/phases/pkgset/pkgsets.py b/pungi/phases/pkgset/pkgsets.py
index 56e96aa5..038c6c61 100644
--- a/pungi/phases/pkgset/pkgsets.py
+++ b/pungi/phases/pkgset/pkgsets.py
@@ -22,6 +22,9 @@ It automatically finds a signed copies according to *sigkey_ordering*.
 import itertools
 import json
 import os
+
+import pgpy
+import rpm
 from six.moves import cPickle as pickle
 
 import kobo.log
@@ -493,8 +496,6 @@ class KojiPackageSet(PackageSetBase):
 
         return response
 
-
-
     def get_package_path(self, queue_item):
         rpm_info, build_info = queue_item
 
@@ -834,7 +835,7 @@ class KojiMockPackageSet(PackageSetBase):
             and include in the package set. Useful when building testing compose
             with RPM scratch builds.
         """
-        super(KojiMockPackageSet , self).__init__(
+        super(KojiMockPackageSet, self).__init__(
             name,
             sigkey_ordering=sigkey_ordering,
             arches=arches,
@@ -849,6 +850,8 @@ class KojiMockPackageSet(PackageSetBase):
         self.extra_builds = extra_builds or []
         self.extra_tasks = extra_tasks or []
         self.reuse = None
+        self.sigkey_ordering = [sigkey.lower() for sigkey in sigkey_ordering] \
+            or [None]
 
     def __getstate__(self):
         result = self.__dict__.copy()
@@ -965,6 +968,20 @@ class KojiMockPackageSet(PackageSetBase):
 
         return response
 
+    def _is_rpm_signed(self, rpm_path) -> bool:
+        ts = rpm.TransactionSet()
+        ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)
+        with open(rpm_path, 'rb') as fd:
+            header = ts.hdrFromFdno(fd)
+        signature = header[rpm.RPMTAG_SIGGPG] or header[rpm.RPMTAG_SIGPGP]
+        if not signature:
+            return False
+        pgp_msg = pgpy.PGPMessage.from_blob(signature)
+        return any(
+            signature.signer.lower() in self.sigkey_ordering
+            for signature in pgp_msg.signatures
+        )
+
     def get_package_path(self, queue_item):
         rpm_info, build_info = queue_item
 
@@ -982,6 +999,13 @@ class KojiMockPackageSet(PackageSetBase):
 
         rpm_path = os.path.join(pathinfo.topdir, pathinfo.rpm(rpm_info))
         if os.path.isfile(rpm_path):
+            if not self._is_rpm_signed(rpm_path):
+                self._invalid_sigkey_rpms.append(rpm_info)
+                self.log_error(
+                    'RPM "%s" not found for sigs: "%s". Path checked: "%s"',
+                    rpm_info, self.sigkey_ordering, rpm_path
+                )
+                return
             return rpm_path
         else:
             self.log_warning("RPM %s not found" % rpm_path)
-- 
2.40.1

From fa3e4649bc77d866efd6c1c18068ba4889f6b5c9 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Mon, 7 Nov 2022 22:33:35 +0200
Subject: [PATCH 2/6] ALBS-732: pungi: do not build anything if unsigned packages found

- Some tiny changes (pep8 & stronger condition)

---
 pungi/phases/pkgset/pkgsets.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pungi/phases/pkgset/pkgsets.py b/pungi/phases/pkgset/pkgsets.py
index 038c6c61..ecb5b5ab 100644
--- a/pungi/phases/pkgset/pkgsets.py
+++ b/pungi/phases/pkgset/pkgsets.py
@@ -974,7 +974,7 @@ class KojiMockPackageSet(PackageSetBase):
         with open(rpm_path, 'rb') as fd:
             header = ts.hdrFromFdno(fd)
         signature = header[rpm.RPMTAG_SIGGPG] or header[rpm.RPMTAG_SIGPGP]
-        if not signature:
+        if signature is None:
             return False
         pgp_msg = pgpy.PGPMessage.from_blob(signature)
         return any(
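Review bot: `_is_rpm_signed` never verifies a signature: `ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)` tells rpm to skip signature checking, and `signature.signer` is the issuer key ID that the signature packet itself claims, so any file carrying a signature packet with the expected issuer ID passes whether or not the signature is valid or was made by that key. To get the property the commit title promises, let rpm verify against its keyring — drop the `_RPMVSF_NOSIGNATURES` flag (a private name in any case) and treat `rpm.error` from `hdrFromFdno` as "not signed by a trusted key" — or verify the packet with pgpy against the expected public key before comparing key IDs. Depending on the rpm version that signed the packages, the signature may exist only in the header-only tags `RPMTAG_RSAHEADER`/`RPMTAG_DSAHEADER`, which this lookup of `SIGGPG`/`SIGPGP` would report as unsigned; worth confirming against a package signed by the release pipeline. The loop variable `signature` also shadows the `signature` blob from the line above; `for sig in pgp_msg.signatures` reads better.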
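Review bot: The error message `'RPM "%s" not found for sigs: "%s". Path checked: "%s"'` is misleading on this branch: the file at `rpm_path` exists (the `os.path.isfile` test just passed) and was rejected only because no acceptable signature was found, which is the opposite of the `"RPM %s not found"` warning in the `else` branch. Something like `'RPM "%s" at "%s" is not signed with any of %s'` with `rpm_info, rpm_path, self.sigkey_ordering` says what actually happened. The bare `return` hands the caller `None` for a package that does exist; the `_invalid_sigkey_rpms` entry appended just above is presumably what later turns this into the hard failure, but that consumer is outside the hunk (get_package_path continues past it), so a one-line comment on the `return` naming where the list is raised would help.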
@@ -985,8 +985,8 @@ class KojiMockPackageSet(PackageSetBase):
     def get_package_path(self, queue_item):
         rpm_info, build_info = queue_item
 
-        # Check if this RPM is coming from scratch task. In this case, we already
-        # know the path.
+        # Check if this RPM is coming from scratch task.
+        # In this case, we already know the path.
         if "path_from_task" in rpm_info:
             return rpm_info["path_from_task"]
 
-- 
2.40.1

From c59974d302068e977f785e685c9246a304e80522 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Mon, 7 Nov 2022 23:03:25 +0200
Subject: [PATCH 3/6] ALBS-732: pungi: do not build anything if unsigned packages found

- Rpm package `python3-pgpy` is added as dependency

---
 pungi.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pungi.spec b/pungi.spec
index a26a4a75..3f6d3e40 100644
--- a/pungi.spec
+++ b/pungi.spec
@@ -65,6 +65,7 @@ Requires: python3-createrepo_c >= 0.20.1
 Requires: python3-PyYAML
 Requires: python3-gobject-base
 Requires: lorax
+Requires: python3-pgpy
 
 # This package is not available on i686, hence we cannot require it
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1743421
-- 
2.40.1

From 3e09285eb9585919da5dd56064482b2141583769 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Mon, 7 Nov 2022 23:14:31 +0200
Subject: [PATCH 4/6] ALBS-732: pungi: do not build anything if unsigned packages found

- Rpm package `python3-pgpy` is added as build dependency

---
 pungi.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pungi.spec b/pungi.spec
index 3f6d3e40..33c12278 100644
--- a/pungi.spec
+++ b/pungi.spec
@@ -40,6 +40,7 @@ BuildRequires: python3-dogpile-cache
 BuildRequires: python3-parameterized
 BuildRequires: python3-gobject-base
 BuildRequires: python3-dataclasses
+BuildRequires: python3-pgpy
 
 #deps for doc building
 BuildRequires: python3-sphinx
-- 
2.40.1

From a6174f0909759da515d1ff9e0bc024bba73fa205 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Mon, 7 Nov 2022 23:51:13 +0200
Subject: [PATCH 5/6] ALBS-732: pungi: do not build anything if unsigned packages found

- Fix unittests

---
 pungi/phases/pkgset/pkgsets.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pungi/phases/pkgset/pkgsets.py b/pungi/phases/pkgset/pkgsets.py
index ecb5b5ab..c0c4a192 100644
--- a/pungi/phases/pkgset/pkgsets.py
+++ b/pungi/phases/pkgset/pkgsets.py
@@ -850,8 +850,6 @@ class KojiMockPackageSet(PackageSetBase):
         self.extra_builds = extra_builds or []
         self.extra_tasks = extra_tasks or []
         self.reuse = None
-        self.sigkey_ordering = [sigkey.lower() for sigkey in sigkey_ordering] \
-            or [None]
 
     def __getstate__(self):
         result = self.__dict__.copy()
@@ -971,6 +969,10 @@ class KojiMockPackageSet(PackageSetBase):
     def _is_rpm_signed(self, rpm_path) -> bool:
         ts = rpm.TransactionSet()
         ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)
+        sigkeys = [
+            sigkey.lower() for sigkey in self.sigkey_ordering
+            if sigkey is not None
+        ]
         with open(rpm_path, 'rb') as fd:
             header = ts.hdrFromFdno(fd)
         signature = header[rpm.RPMTAG_SIGGPG] or header[rpm.RPMTAG_SIGPGP]
@@ -978,7 +980,7 @@ class KojiMockPackageSet(PackageSetBase):
             return False
         pgp_msg = pgpy.PGPMessage.from_blob(signature)
         return any(
-            signature.signer.lower() in self.sigkey_ordering
+            signature.signer.lower() in sigkeys
             for signature in pgp_msg.signatures
         )
 
-- 
2.40.1

From 0485a8eee56ec01d6690fdb5fa1d2216e1acbd69 Mon Sep 17 00:00:00 2001
From: soksanichenko
Date: Tue, 8 Nov 2022 00:36:44 +0200
Subject: [PATCH 6/6] - Fix unittests

---
 tests/test_pkgset_pkgsets.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tests/test_pkgset_pkgsets.py b/tests/test_pkgset_pkgsets.py
index cc59f5bf..94d566a2 100644
--- a/tests/test_pkgset_pkgsets.py
+++ b/tests/test_pkgset_pkgsets.py
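Review bot: Filtering `None` out of `sigkey_ordering` when building `sigkeys` silently changes what a `None` entry means. Patch 1 defaulted the list to `[None]` and the base class accepts `None` in `sigkey_ordering`, which presumably (as in upstream pungi) says "unsigned packages are acceptable"; after this filter an unsigned RPM still hits `if signature is None: return False` just below the hunk and is rejected, so a compose configured to allow unsigned packages now fails. Suggest honouring it: `if signature is None: return None in self.sigkey_ordering`. A comment on `sigkeys` stating that `None` is handled separately would make the intent explicit.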
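Review bot: The membership test `signature.signer.lower() in sigkeys` compares pgpy's `signer`, the 16-hex-digit long key ID taken from the signature's issuer subpacket, with whatever the compose config lists in `sigkey_ordering`; if those are the 8-hex-digit short IDs koji reports for signed RPMs (the usual form in pungi configs, to be confirmed), the test never matches and every signed package is reported as unsigned. Normalise both sides to the same length, e.g. `any(sig.signer.lower().endswith(key) for sig in pgp_msg.signatures for key in sigkeys)`, or document in the method docstring that full key IDs are required. The existing tests cannot catch this because they mock `_is_rpm_signed` wholesale. Renaming the loop variable also stops it shadowing the `signature` blob assigned a few lines above the hunk.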
@@ -137,6 +137,21 @@ class PkgsetCompareMixin(object):
 @mock.patch("pungi.phases.pkgset.pkgsets.ReaderPool", new=FakePool)
 @mock.patch("kobo.pkgset.FileCache", new=MockFileCache)
 class TestKojiPkgset(PkgsetCompareMixin, helpers.PungiTestCase):
+
+    @classmethod
+    def setUpClass(cls) -> None:
+
+        cls.patcher = mock.patch.object(
+            pkgsets.KojiMockPackageSet,
+            '_is_rpm_signed',
+            return_value=True,
+        )
+        cls.patcher.start()
+
+    @classmethod
+    def tearDownClass(cls) -> None:
+        cls.patcher.stop()
+
     def setUp(self):
         super(TestKojiPkgset, self).setUp()
         with open(os.path.join(helpers.FIXTURE_DIR, "tagged-rpms.json")) as f:
-- 
2.40.1
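Review bot: Patching `KojiMockPackageSet._is_rpm_signed` to `return_value=True` for the whole `TestKojiPkgset` class keeps the existing tests green but leaves the new rejection path untested: nothing asserts that an RPM for which it returns `False` ends up in `_invalid_sigkey_rpms` and is not returned by `get_package_path`. Add one test that wraps a populate call in a second `mock.patch.object(pkgsets.KojiMockPackageSet, '_is_rpm_signed', return_value=False)` and asserts the package is absent and recorded, and ideally one that runs the real `_is_rpm_signed` on a small signed and unsigned fixture so the key-ID comparison is exercised. Starting the patcher in `setUpClass` and stopping it in `tearDownClass` is fine, but a short comment on `cls.patcher` saying why the signature check is stubbed here (the fixtures are not signed RPMs) would help the next reader.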