The gpg key must only be available on the hub host, right!? -of
Paul B Schroeder <[email protected]> wrote:
>As a follow up to the recent thread on signing RPMs in koji...and the many
>times this question pops up on the list. I've written some code that uses
>the koji plugin framework for signing packages. I'm betting this may be
>useful to many folks that don't want/need sigul. It might also be useful to
>get this into the koji-hub-plugins package?
>
>At any rate, here is the code and an example config file.. sign.py goes into
>your PluginPath. The config file needs to be readable by the apache user and
>should probably be chmoded 600. Also, make sure you add sign to the Plugins
>option in hub.conf. Oh, you'll want to install pexpect too.
>
>
>sign.py:
># Koji callback for GPG signing RPMs before import
>#
># Author:
># Paul B Schroeder <paulbsch "at" vbridges "dot" com>
>
>from koji.plugin import register_callback
>import logging
>
>config_file = '/usr/lib/koji-hub-plugins/sign.conf'
>
>def sign(cbtype, *args, **kws):
>    # Only sign builds; other import types are passed through untouched
>    if kws['type'] != 'build':
>        return
>
>    # Get the tag name from the buildroot map
>    import sys
>    sys.path.insert(0, '/usr/share/koji-hub')
>    from kojihub import get_buildroot
>    br_id = kws['brmap'].values()[0]
>    br = get_buildroot(br_id)
>    tag_name = br['tag_name']
>
>    # Get GPG info using the config for the tag name
>    from ConfigParser import ConfigParser
>    config = ConfigParser()
>    config.read(config_file)
>    # Tags without a section of their own fall back to the [DEFAULT] values
>    # (ConfigParser.get() would otherwise raise NoSectionError for them)
>    section = tag_name if config.has_section(tag_name) else 'DEFAULT'
>    rpm = config.get(section, 'rpm')
>    gpgbin = config.get(section, 'gpgbin')
>    gpg_path = config.get(section, 'gpg_path')
>    gpg_name = config.get(section, 'gpg_name')
>    gpg_pass = config.get(section, 'gpg_pass')
>
>    # Get the package paths set up
>    from koji import pathinfo
>    uploadpath = pathinfo.work()
>    rpms = ''
>    for relpath in [kws['srpm']] + kws['rpms']:
>        rpms += '%s/%s ' % (uploadpath, relpath)
>
>    # Get the packages signed (the passphrase is fed to rpm interactively
>    # via pexpect and is never written to the log)
>    import pexpect
>    log = logging.getLogger('koji.plugin.sign')
>    log.info('Attempting to sign packages (%s) with key "%s"' % (rpms, gpg_name))
>    rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
>    rpm_cmd += " --define '_gpgbin %s'" % gpgbin
>    rpm_cmd += " --define '_gpg_path %s'" % gpg_path
>    rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
>    pex = pexpect.spawn(rpm_cmd, timeout=1000)
>    pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
>    pex.sendline(gpg_pass)
>    i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
>    if i == 0:
>        log.info('Package sign successful!')
>    elif i == 1:
>        log.error('Pass phrase check failed!')
>    elif i == 2:
>        log.error('Package sign skipped!')
>    elif i == 3:
>        log.error('Package sign timed out!')
>    else:
>        log.error('Unexpected sign result!')
>    # Raising here aborts the import, so unsigned packages never land in koji
>    if i != 0:
>        raise Exception('Package sign failed!')
>    pex.expect(pexpect.EOF)
>
>register_callback('preImport', sign)
>
>
>sign.conf:
>[DEFAULT]
>rpm = /bin/rpm
>gpgbin = /usr/bin/gpg
>gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
>gpg_name = My Company, Inc. <[email protected]>
>gpg_pass = my_passphrase
>
># Defaults can be overridden on a per-tag basis
>[dist-foo-build]
>gpg_name = My Other Company, Inc. <[email protected]>
>gpg_pass = my_other_passphrase
>
>
>
>
>Cheers...Paul...
>
>
>--
>---
>Paul B Schroeder
><paulbsch "at" vbridges "dot" com>
>--
>buildsys mailing list
>[email protected]
>https://admin.fedoraproject.org/mailman/listinfo/buildsys
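The quoted plugin reads the signing passphrase from a config file that the post says should be readable by the apache user and "probably chmoded 600", and the reply's question is whether the key then lives only on the hub. The following is an added example of my own, not code from Paul's plugin or from koji: a hub-side loader that refuses a passphrase file other accounts can read, falls back to [DEFAULT] for build tags without their own section, and gives back a redacted copy for logging. It assumes Python 3 on a POSIX host; the function names (`secret_file_problems`, `load_signing_config`, `redacted`, `demo`) and the sample config contents are mine, and the config mirrors the option names of the quoted sign.conf with placeholder values.

```python
import configparser
import os
import stat
import tempfile

# Option names the quoted sign.conf uses; every one must resolve for a tag.
REQUIRED = ("rpm", "gpgbin", "gpg_path", "gpg_name", "gpg_pass")

# Constructed sample config mirroring the quoted sign.conf (placeholder values).
SAMPLE_CONF = """\
[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = Example Signing Key <signing@example.com>
gpg_pass = EXAMPLE_DEFAULT_PASSPHRASE

# Defaults can be overridden on a per-tag basis
[dist-foo-build]
gpg_name = Example Other Key <other@example.com>
gpg_pass = EXAMPLE_OTHER_PASSPHRASE
"""


def secret_file_problems(path, expected_uid=None):
    """Return the reasons `path` is unsafe to hold a signing passphrase.

    An empty list means: exists, is a regular file (not a symlink), is owned
    by expected_uid (default: the current user, i.e. the hub's apache account
    when run inside the hub) and has no group/other permission bits."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access; chmod 600 it"
                        % stat.S_IMODE(st.st_mode))
    return problems


def load_signing_config(path, tag_name, expected_uid=None):
    """Return the signing settings for `tag_name` as a dict.

    Raises PermissionError if the file is readable by anyone else, and uses
    [DEFAULT] for tags without a section instead of raising NoSectionError,
    so a newly created build tag does not break every import."""
    problems = secret_file_problems(path, expected_uid)
    if problems:
        raise PermissionError("refusing %s: %s" % (path, "; ".join(problems)))
    # interpolation=None so a '%' in a passphrase or key name is taken literally
    config = configparser.ConfigParser(interpolation=None)
    with open(path) as fh:
        config.read_file(fh)
    section = tag_name if config.has_section(tag_name) else config.default_section
    settings = {}
    for key in REQUIRED:
        if not config.has_option(section, key):
            raise KeyError("%s missing for tag %s" % (key, tag_name))
        settings[key] = config.get(section, key)
    return settings


def redacted(settings):
    """Copy of the settings that is safe to put in a log line."""
    return dict(settings, gpg_pass="***")


def demo():
    """Write the constructed config to a temp dir and exercise both outcomes.
    Returns the observations so they can be checked programmatically."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "sign.conf")
        with open(conf, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(conf, 0o600)                      # what the post recommends
        results["ok_problems"] = secret_file_problems(conf)
        results["listed_tag"] = load_signing_config(conf, "dist-foo-build")
        results["unlisted_tag"] = load_signing_config(conf, "dist-bar-build")
        os.chmod(conf, 0o644)                      # the mistake to catch
        results["loose_problems"] = secret_file_problems(conf)
        try:
            load_signing_config(conf, "dist-foo-build")
            results["loose_refused"] = False
        except PermissionError:
            results["loose_refused"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, redacted(value) if isinstance(value, dict) else value)
```

Calling `load_signing_config` at the top of the `preImport` callback (with `expected_uid` set to the apache account's uid) turns a forgotten `chmod 600` into a refused import rather than a silently exposed passphrase, and `redacted()` is what should go into the `koji.plugin.sign` log line, never the raw settings dict.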
