-of
Paul B Schroeder<paulbsch(a)vbridges.com> schrieb:
> As a follow up to the recent thread on singing RPMs in koji...and the many times this
question pops
> up on the list. I've written some code that uses the koji plugin framework for
signing packages.
> I'm betting this may be useful to many folks that don't want/need sigul. It
might also be useful
> to get this into the koji-hub-plugins package?
>
> At any rate, here is the code and an example config file.. sign.py goes into your
PluginPath.
> The config file needs to be readable by the apache user and should probably be
chmoded 600. Also,
> make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to
install pexpect too.
>
>
> sign.py:
> # Koji callback for GPG signing RPMs before import
> #
> # Author:
> # Paul B Schroeder<paulbsch "at" vbridges "dot" com>
>
>from koji.plugin import register_callback
> import logging
>
> config_file = '/usr/lib/koji-hub-plugins/sign.conf'
>
> def sign(cbtype, *args, **kws):
> if kws['type'] != 'build':
> return
>
> # Get the tag name from the buildroot map
> import sys
> sys.path.insert(0, '/usr/share/koji-hub')
> from kojihub import get_buildroot
> br_id = kws['brmap'].values()[0]
> br = get_buildroot(br_id)
> tag_name = br['tag_name']
>
> # Get GPG info using the config for the tag name
> from ConfigParser import ConfigParser
> config = ConfigParser()
> config.read(config_file)
> rpm = config.get(tag_name, 'rpm')
> gpgbin = config.get(tag_name, 'gpgbin')
> gpg_path = config.get(tag_name, 'gpg_path')
> gpg_name = config.get(tag_name, 'gpg_name')
> gpg_pass = config.get(tag_name, 'gpg_pass')
>
> # Get the package paths set up
> from koji import pathinfo
> uploadpath = pathinfo.work()
> rpms = ''
> for relpath in [kws['srpm']] + kws['rpms']:
> rpms += '%s/%s ' % (uploadpath, relpath)
>
> # Get the packages signed
> import pexpect
> logging.getLogger('koji.plugin.sign').info('Attempting to sign
packages'
> ' (%s) with key "%s"' % (rpms, gpg_name))
> rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
> rpm_cmd += " --define '_gpgbin %s'" % gpgbin
> rpm_cmd += " --define '_gpg_path %s'" % gpg_path
> rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
> pex = pexpect.spawn(rpm_cmd, timeout=1000)
> pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
> pex.sendline(gpg_pass)
> i = pex.expect(['good', 'failed', 'skipping',
pexpect.TIMEOUT])
> if i == 0:
> logging.getLogger('koji.plugin.sign').info('Package sign
successful!')
> elif i == 1:
> logging.getLogger('koji.plugin.sign').error('Pass phrase check
failed!')
> elif i == 2:
> logging.getLogger('koji.plugin.sign').error('Package sign
skipped!')
> elif i == 3:
> logging.getLogger('koji.plugin.sign').error('Package sign timed
out!')
> else:
> logging.getLogger('koji.plugin.sign').error('Unexpected sign
result!')
> if i != 0:
> raise Exception, 'Package sign failed!'
> pex.expect(pexpect.EOF)
>
> register_callback('preImport', sign)
>
>
> sign.conf:
> [DEFAULT]
> rpm = /bin/rpm
> gpgbin = /usr/bin/gpg
> gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
> gpg_name = My Company, Inc.<support(a)mycompany.com>
> gpg_pass = my_passphrase
>
> # Defaults can be overridden on a per-tag basis
> [dist-foo-build]
> gpg_name = My Other Company, Inc.<support(a)myothercompany.com>
> gpg_pass = my_other_passphrase
>
>
>
>
> Cheers...Paul...
>
>
> --
> ---
> Paul B Schroeder
> <paulbsch "at" vbridges "dot" com>
> --
> buildsys mailing list
> buildsys(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/buildsys