As a follow-up to the recent thread on signing RPMs in koji, and the many times this question pops up on the list: I've written some code that uses the koji plugin framework for signing packages. I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful to get this into the koji-hub-plugins package?

At any rate, here is the code and an example config file. sign.py goes into your PluginPath. The config file needs to be readable by the apache user and should probably be chmod'ed 600. Also, make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.
sign.py:

    # Koji callback for GPG signing RPMs before import
    #
    # Author:
    # Paul B Schroeder <paulbsch "at" vbridges "dot" com>

    from koji.plugin import register_callback
    import logging

    # Holds the GPG pass phrases: keep it mode 0600, owned by the hub (apache) user.
    config_file = '/usr/lib/koji-hub-plugins/sign.conf'

    def sign(cbtype, *args, **kws):
        # preImport also fires for non-build imports; only sign build imports
        if kws['type'] != 'build':
            return

        # Get the tag name from the buildroot map
        import sys
        sys.path.insert(0, '/usr/share/koji-hub')
        from kojihub import get_buildroot
        br_id = list(kws['brmap'].values())[0]
        br = get_buildroot(br_id)
        tag_name = br['tag_name']

        # Get GPG info using the config for the tag name (a tag with no section
        # of its own raises NoSectionError here, which fails the import)
        from ConfigParser import ConfigParser
        config = ConfigParser()
        config.read(config_file)
        rpm = config.get(tag_name, 'rpm')
        gpgbin = config.get(tag_name, 'gpgbin')
        gpg_path = config.get(tag_name, 'gpg_path')
        gpg_name = config.get(tag_name, 'gpg_name')
        gpg_pass = config.get(tag_name, 'gpg_pass')

        # Get the package paths set up: the SRPM and RPMs are still in the
        # work directory at preImport time
        from koji import pathinfo
        uploadpath = pathinfo.work()
        rpms = ''
        for relpath in [kws['srpm']] + kws['rpms']:
            rpms += '%s/%s ' % (uploadpath, relpath)

        # Get the packages signed; the pass phrase is typed at rpm's prompt,
        # never put on the command line or in the log
        import pexpect
        logging.getLogger('koji.plugin.sign').info('Attempting to sign packages'
            ' (%s) with key "%s"' % (rpms, gpg_name))
        rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
        rpm_cmd += " --define '_gpgbin %s'" % gpgbin
        rpm_cmd += " --define '_gpg_path %s'" % gpg_path
        rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
        pex = pexpect.spawn(rpm_cmd, timeout=1000)
        pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
        pex.sendline(gpg_pass)
        i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
        if i == 0:
            logging.getLogger('koji.plugin.sign').info('Package sign successful!')
        elif i == 1:
            logging.getLogger('koji.plugin.sign').error('Pass phrase check failed!')
        elif i == 2:
            logging.getLogger('koji.plugin.sign').error('Package sign skipped!')
        elif i == 3:
            logging.getLogger('koji.plugin.sign').error('Package sign timed out!')
        else:
            logging.getLogger('koji.plugin.sign').error('Unexpected sign result!')
        # Raising here aborts the import, so unsigned packages never land in koji
        if i != 0:
            raise Exception('Package sign failed!')
        pex.expect(pexpect.EOF)

    register_callback('preImport', sign)

sign.conf:

[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = My Company, Inc. <[email protected]>
gpg_pass = my_passphrase
# Defaults can be overridden on a per-tag basis
[dist-foo-build]
gpg_name = My Other Company, Inc. <[email protected]>
gpg_pass = my_other_passphrase
Cheers...Paul...
--
Paul B Schroeder
<paulbsch "at" vbridges "dot" com>
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
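The plugin above reads per-tag signing settings from sign.conf, builds an rpm --resign command line, feeds the pass phrase to rpm's prompt and classifies the outcome from rpm's output. The following is an added example (Python 3, not the poster's code and not part of koji) that isolates those three steps so they can be exercised without a hub: it refuses a config file that is not mode 0600 (the file holds pass phrases), disables ConfigParser interpolation so a "%" in a pass phrase cannot break parsing, falls back to [DEFAULT] for a tag with no section of its own (the posted plugin raises NoSectionError instead), and builds the rpm command as an argv list so pexpect never has to re-split a quoted string. The sample config is constructed inline with the same section and option names as the posted sign.conf. The result strings ("Pass phrase is good", "Pass phrase check failed", "skipping") are assumed from the three words the posted plugin matches. The `run_resign` function needs rpm, gpg and pexpect on the host and is not exercised offline.

```python
"""Helpers for a koji preImport signing plugin: per-tag config lookup with a
file-mode check, an argv-style rpm --resign command, and a classifier for
rpm's pass-phrase result lines. Added example, not the posted plugin."""
import configparser
import os
import re
import stat
import tempfile

OPTIONS = ("rpm", "gpgbin", "gpg_path", "gpg_name", "gpg_pass")

# Constructed sample config, same layout as the posted sign.conf.
SAMPLE_CONF = """\
[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = My Company, Inc. <[email protected]>
gpg_pass = my_passphrase

[dist-foo-build]
gpg_name = My Other Company, Inc. <[email protected]>
gpg_pass = my_other_passphrase
"""


def write_sample_config(directory=None, mode=0o600):
    """Write SAMPLE_CONF to a file with the given mode and return its path."""
    if directory is None:
        directory = tempfile.mkdtemp()
    path = os.path.join(directory, "sign.conf")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


def load_tag_signing_config(path, tag_name):
    """Return the signing settings for `tag_name` as a dict.

    Refuses a file that is group- or world-accessible, since it holds pass
    phrases. A tag without its own section gets the [DEFAULT] values.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError("%s is mode %04o; it must be 0600" % (path, mode))
    # interpolation=None: a '%' in a pass phrase must not be treated as a
    # ConfigParser substitution
    config = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        config.read_file(fh)
    section = tag_name if config.has_section(tag_name) else "DEFAULT"
    return {opt: config.get(section, opt) for opt in OPTIONS}


def build_resign_argv(cfg, rpm_paths):
    """argv for rpm --resign, one list element per token: pass it to
    pexpect.spawn(argv[0], argv[1:]) so no shell and no re-splitting is
    involved, whatever the key name or paths contain."""
    return [cfg["rpm"], "--resign",
            "--define", "_signature gpg",
            "--define", "_gpgbin %s" % cfg["gpgbin"],
            "--define", "_gpg_path %s" % cfg["gpg_path"],
            "--define", "_gpg_name %s" % cfg["gpg_name"]] + list(rpm_paths)


# Assumed rpm result lines, in the order the posted plugin checks them.
RESULT_PATTERNS = (
    ("good", re.compile(r"pass phrase is good", re.I)),
    ("failed", re.compile(r"pass phrase check failed", re.I)),
    ("skipping", re.compile(r"skipping", re.I)),
)


def classify_resign_output(output):
    """Map rpm --resign output to 'good', 'failed', 'skipping' or 'unknown'."""
    for label, pattern in RESULT_PATTERNS:
        if pattern.search(output):
            return label
    return "unknown"


def run_resign(cfg, rpm_paths, timeout=1000):
    """Drive rpm --resign with pexpect (needs rpm, gpg and pexpect installed).

    The pass phrase goes to rpm's prompt only; it is never on the command
    line or in the return value. Returns the classified result label.
    """
    import pexpect  # imported here so the rest of the module works without it
    argv = build_resign_argv(cfg, rpm_paths)
    child = pexpect.spawn(argv[0], argv[1:], timeout=timeout, encoding="utf-8")
    child.expect(r"[Ee]nter [Pp]ass [Pp]hrase:")
    child.sendline(cfg["gpg_pass"])
    output = child.read()  # everything rpm prints after the prompt, up to EOF
    child.close()
    return classify_resign_output(output)
```

In the hub plugin the dict returned by `load_tag_signing_config` would replace the five `config.get` calls, and `run_resign` the pexpect block; an import should still be aborted (an exception raised from the callback) whenever the label is anything other than "good".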