koji sign plugin
Paul B Schroeder
paulbsch at vbridges.com
Fri Dec 17 07:19:49 UTC 2010
As a follow up to the recent thread on singing RPMs in koji...and the many times this question pops
up on the list. I've written some code that uses the koji plugin framework for signing packages.
I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful
to get this into the koji-hub-plugins package?
At any rate, here is the code and an example config file.. sign.py goes into your PluginPath.
The config file needs to be readable by the apache user and should probably be chmoded 600. Also,
make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.
sign.py:
# Koji callback for GPG signing RPMs before import
#
# Author:
# Paul B Schroeder <paulbsch "at" vbridges "dot" com>
from koji.plugin import register_callback
import logging
config_file = '/usr/lib/koji-hub-plugins/sign.conf'
def sign(cbtype, *args, **kws):
if kws['type'] != 'build':
return
# Get the tag name from the buildroot map
import sys
sys.path.insert(0, '/usr/share/koji-hub')
from kojihub import get_buildroot
br_id = kws['brmap'].values()[0]
br = get_buildroot(br_id)
tag_name = br['tag_name']
# Get GPG info using the config for the tag name
from ConfigParser import ConfigParser
config = ConfigParser()
config.read(config_file)
rpm = config.get(tag_name, 'rpm')
gpgbin = config.get(tag_name, 'gpgbin')
gpg_path = config.get(tag_name, 'gpg_path')
gpg_name = config.get(tag_name, 'gpg_name')
gpg_pass = config.get(tag_name, 'gpg_pass')
# Get the package paths set up
from koji import pathinfo
uploadpath = pathinfo.work()
rpms = ''
for relpath in [kws['srpm']] + kws['rpms']:
rpms += '%s/%s ' % (uploadpath, relpath)
# Get the packages signed
import pexpect
logging.getLogger('koji.plugin.sign').info('Attempting to sign packages'
' (%s) with key "%s"' % (rpms, gpg_name))
rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
rpm_cmd += " --define '_gpgbin %s'" % gpgbin
rpm_cmd += " --define '_gpg_path %s'" % gpg_path
rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
pex = pexpect.spawn(rpm_cmd, timeout=1000)
pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
pex.sendline(gpg_pass)
i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
if i == 0:
logging.getLogger('koji.plugin.sign').info('Package sign successful!')
elif i == 1:
logging.getLogger('koji.plugin.sign').error('Pass phrase check failed!')
elif i == 2:
logging.getLogger('koji.plugin.sign').error('Package sign skipped!')
elif i == 3:
logging.getLogger('koji.plugin.sign').error('Package sign timed out!')
else:
logging.getLogger('koji.plugin.sign').error('Unexpected sign result!')
if i != 0:
raise Exception, 'Package sign failed!'
pex.expect(pexpect.EOF)
register_callback('preImport', sign)
sign.conf:
[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = My Company, Inc. <support at mycompany.com>
gpg_pass = my_passphrase
# Defaults can be overridden on a per-tag basis
[dist-foo-build]
gpg_name = My Other Company, Inc. <support at myothercompany.com>
gpg_pass = my_other_passphrase
Cheers...Paul...
--
---
Paul B Schroeder
<paulbsch "at" vbridges "dot" com>
More information about the buildsys
mailing list