pungi.spec

@@ -40,6 +40,7 @@ BuildRequires:  python3-dogpile-cache
 BuildRequires:  python3-parameterized
 BuildRequires:  python3-gobject-base
 BuildRequires:  python3-dataclasses
+BuildRequires:  python3-pgpy
 
 #deps for doc building
 BuildRequires:  python3-sphinx
@@ -65,6 +66,7 @@ Requires:       python3-createrepo_c >= 0.20.1
 Requires:       python3-PyYAML
 Requires:       python3-gobject-base
 Requires:       lorax
+Requires:       python3-pgpy
 
 # This package is not available on i686, hence we cannot require it
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1743421

pungi/phases/pkgset/pkgsets.py

@@ -22,6 +22,9 @@ It automatically finds a signed copies according to *sigkey_ordering*.
 import itertools
 import json
 import os
+
+import pgpy
+import rpm
 from six.moves import cPickle as pickle
 
 import kobo.log
@@ -493,8 +496,6 @@ class KojiPackageSet(PackageSetBase):
 
         return response
 
-
-
     def get_package_path(self, queue_item):
         rpm_info, build_info = queue_item
 
@@ -834,7 +835,7 @@ class KojiMockPackageSet(PackageSetBase):
             and include in the package set. Useful when building testing compose
             with RPM scratch builds.
         """
-        super(KojiMockPackageSet , self).__init__(
+        super(KojiMockPackageSet, self).__init__(
             name,
             sigkey_ordering=sigkey_ordering,
             arches=arches,
@@ -965,11 +966,29 @@ class KojiMockPackageSet(PackageSetBase):
 
         return response
 
+    def _is_rpm_signed(self, rpm_path) -> bool:
+        ts = rpm.TransactionSet()
+        ts.setVSFlags(rpm._RPMVSF_NOSIGNATURES)
+        sigkeys = [
+            sigkey.lower() for sigkey in self.sigkey_ordering
+            if sigkey is not None
+        ]
+        with open(rpm_path, 'rb') as fd:
+            header = ts.hdrFromFdno(fd)
+            signature = header[rpm.RPMTAG_SIGGPG] or header[rpm.RPMTAG_SIGPGP]
+            if signature is None:
+                return False
+            pgp_msg = pgpy.PGPMessage.from_blob(signature)
+            return any(
+                signature.signer.lower() in sigkeys
+                for signature in pgp_msg.signatures
+            )
+
     def get_package_path(self, queue_item):
         rpm_info, build_info = queue_item
 
-        # Check if this RPM is coming from scratch task. In this case, we already
+        # Check if this RPM is coming from scratch task.
-        # know the path.
+        # In this case, we already know the path.
         if "path_from_task" in rpm_info:
             return rpm_info["path_from_task"]
 
@@ -982,6 +1001,13 @@ class KojiMockPackageSet(PackageSetBase):
 
         rpm_path = os.path.join(pathinfo.topdir, pathinfo.rpm(rpm_info))
         if os.path.isfile(rpm_path):
+            if not self._is_rpm_signed(rpm_path):
+                self._invalid_sigkey_rpms.append(rpm_info)
+                self.log_error(
+                    'RPM "%s" not found for sigs: "%s". Path checked: "%s"',
+                    rpm_info, self.sigkey_ordering, rpm_path
+                )
+                return
             return rpm_path
         else:
             self.log_warning("RPM %s not found" % rpm_path)

tests/test_pkgset_pkgsets.py

@@ -137,6 +137,21 @@ class PkgsetCompareMixin(object):
 @mock.patch("pungi.phases.pkgset.pkgsets.ReaderPool", new=FakePool)
 @mock.patch("kobo.pkgset.FileCache", new=MockFileCache)
 class TestKojiPkgset(PkgsetCompareMixin, helpers.PungiTestCase):
+
+    @classmethod
+    def setUpClass(cls) -> None:
+
+        cls.patcher = mock.patch.object(
+            pkgsets.KojiMockPackageSet,
+            '_is_rpm_signed',
+            return_value=True,
+        )
+        cls.patcher.start()
+
+    @classmethod
+    def tearDownClass(cls) -> None:
+        cls.patcher.stop()
+
     def setUp(self):
         super(TestKojiPkgset, self).setUp()
         with open(os.path.join(helpers.FIXTURE_DIR, "tagged-rpms.json")) as f: