From d1882b9e89467e8e493e565af14614d73277d5c3 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Mon, 31 Mar 2025 17:10:54 -0700
Subject: [PATCH] Add a post-install 'are all packages signed' check (#369)
This came up in blocker bug meeting discussion today. We really should check that all packages are signed after a default install.
Signed-off-by: Adam Williamson
---
 templates.fif.json | 29 ++++++++++++++++++++++++++++-
 tests/check_packages_signed.pm | 23 +++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 tests/check_packages_signed.pm
diff --git a/templates.fif.json b/templates.fif.json
index 725881c9..efd04b08 100644
--- a/templates.fif.json
+++ b/templates.fif.json
@@ -898,6 +898,33 @@
 "USER_LOGIN": "false"
 }
 },
+ "check_packages_signed": {
+ "profiles": {
+ "fedora-BaseOS-dvd-iso-x86_64-*-64bit": 50,
+ "fedora-CoreOS-colive-iso-x86_64-*-64bit": 20,
+ "fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
+ "fedora-IoT-dvd_ostree-iso-x86_64-*-64bit": 20,
+ "fedora-KDE-live-iso-x86_64-*-64bit": 15,
+ "fedora-Minimal-raw_xz-raw.xz-aarch64-*-aarch64": 12,
+ "fedora-Server-dvd-iso-aarch64-*-aarch64": 10,
+ "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 10,
+ "fedora-Server-dvd-iso-x86_64-*-64bit": 10,
+ "fedora-Server-raw_xz-raw.xz-aarch64-*-aarch64": 12,
+ "fedora-Silverblue-dvd_ostree-iso-ppc64le-*-ppc64le": 50,
+ "fedora-Silverblue-dvd_ostree-iso-x86_64-*-64bit": 50,
+ "fedora-Workstation-live-iso-ppc64le-*-ppc64le": 10,
+ "fedora-Workstation-live-iso-x86_64-*-64bit": 10,
+ "fedora-Workstation-live_osbuild-iso-x86_64-*-64bit": 60,
+ "fedora-Workstation-raw_xz-raw.xz-aarch64-*-aarch64": 12,
+ "fedora-i3-live-x86_64-*-64bit": 70
+ },
+ "settings": {
+ "BOOTFROM": "c",
+ "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
+ "POSTINSTALL": "check_packages_signed",
+ "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%"
+ }
+ },
 "cloud_autocloud": {
 "profiles": {
 "fedora-Cloud_Base-qcow2-qcow2-aarch64-*-aarch64": 30,
@@ -1733,7 +1760,7 @@
 },
 "settings": {
 "PACKAGE_SET": "default",
- "POSTINSTALL": "_collect_data",
+ "POSTINSTALL": "check_packages_signed _collect_data",
 "RETRY": "%INSTALL_RETRY%"
 }
 },
diff --git a/tests/check_packages_signed.pm b/tests/check_packages_signed.pm
new file mode 100644
index 00000000..d4747dd0
--- /dev/null
+++ b/tests/check_packages_signed.pm
@@ -0,0 +1,23 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+ my $self = shift;
+ if (not(check_screen "root_console", 0)) {
+ $self->root_console(tty => 4);
+ }
+ assert_screen "root_console";
+ # for aarch64 non-english tests
+ console_loadkeys_us;
+ die("Unsigned package(s) found!") unless (script_run 'rpm -qa --queryformat "%{NAME} %{RSAHEADER:pgpsig}\n" | grep -v gpg-pubkey | grep "(none)"');
+}
+
+sub test_flags {
+ return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et:
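Review bot: Listing `check_packages_signed` ahead of `_collect_data` in this `POSTINSTALL` value means a signing failure will probably keep `_collect_data` from running, because the new module's `test_flags` returns `fatal => 1`; that is the run where the collected data would matter most for triage. If `_collect_data` does not have to run last, consider `"POSTINSTALL": "_collect_data check_packages_signed",`, or confirm that skipping collection on a signing failure is intended. The enclosing test-suite entry starts above this hunk, so which suite this setting belongs to is not visible here.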
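Review bot: The check in `run` fails open, because `script_run` only sees the exit status of the final `grep "(none)"`: if `rpm -qa` errors out or prints nothing, that grep exits non-zero and the module passes without having inspected a single package. Capturing the listing and asserting on it closes the gap, e.g. `my $sigs = script_output 'rpm -qa --queryformat "%{NAME} %{RSAHEADER:pgpsig}\n" | grep -v gpg-pubkey';` followed by `die("Unsigned package(s) found!") if $sigs =~ /\(none\)/;`. As far as I know `script_output` fails the module when the pipeline exits non-zero, and it returns the lines so the unsigned package names can be recorded. A comment above the query should also state that a non-`(none)` `RSAHEADER:pgpsig` value shows only that an RSA signature header is present, not that the signature verifies or that its key ID is an expected release key, so a pass here is a presence check and not a trust check.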