koji sign plugin
Oliver Falk
oliver at linux-kernel.at
Fri Dec 17 07:56:25 UTC 2010
The gpg key must only be available on the hub host, right!?
-of
Paul B Schroeder <paulbsch at vbridges.com> schrieb:
>As a follow-up to the recent thread on signing RPMs in koji...and the many times this question pops
>up on the list, I've written some code that uses the koji plugin framework for signing packages.
>I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful
>to get this into the koji-hub-plugins package?
>
>At any rate, here is the code and an example config file.. sign.py goes into your PluginPath.
>The config file needs to be readable by the apache user and should probably be chmoded 600. Also,
>make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.
>
>
>sign.py:
># Koji callback for GPG signing RPMs before import
>#
># Author:
># Paul B Schroeder <paulbsch "at" vbridges "dot" com>
>
>from koji.plugin import register_callback
>import logging
>
>config_file = '/usr/lib/koji-hub-plugins/sign.conf'
>log = logging.getLogger('koji.plugin.sign')
>
>def sign(cbtype, *args, **kws):
>    if kws['type'] != 'build':
>        return
>
>    # Get the tag name from the buildroot map
>    import sys
>    sys.path.insert(0, '/usr/share/koji-hub')
>    from kojihub import get_buildroot
>    br_id = kws['brmap'].values()[0]
>    br = get_buildroot(br_id)
>    tag_name = br['tag_name']
>
>    # Get GPG info using the config for the tag name
>    from ConfigParser import ConfigParser
>    config = ConfigParser()
>    config.read(config_file)
>    rpm = config.get(tag_name, 'rpm')
>    gpgbin = config.get(tag_name, 'gpgbin')
>    gpg_path = config.get(tag_name, 'gpg_path')
>    gpg_name = config.get(tag_name, 'gpg_name')
>    gpg_pass = config.get(tag_name, 'gpg_pass')
>
>    # Get the package paths set up (SRPM first, then the binary RPMs)
>    from koji import pathinfo
>    uploadpath = pathinfo.work()
>    rpms = ''
>    for relpath in [kws['srpm']] + kws['rpms']:
>        rpms += '%s/%s ' % (uploadpath, relpath)
>
>    # Get the packages signed; the passphrase is typed at rpm's prompt via pexpect
>    import pexpect
>    log.info('Attempting to sign packages (%s) with key "%s"' % (rpms, gpg_name))
>    rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
>    rpm_cmd += " --define '_gpgbin %s'" % gpgbin
>    rpm_cmd += " --define '_gpg_path %s'" % gpg_path
>    rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
>    pex = pexpect.spawn(rpm_cmd, timeout=1000)
>    pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
>    pex.sendline(gpg_pass)
>    i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
>    if i == 0:
>        log.info('Package sign successful!')
>    elif i == 1:
>        log.error('Pass phrase check failed!')
>    elif i == 2:
>        log.error('Package sign skipped!')
>    elif i == 3:
>        log.error('Package sign timed out!')
>    else:
>        log.error('Unexpected sign result!')
>    if i != 0:
>        raise Exception('Package sign failed!')
>    pex.expect(pexpect.EOF)
>
>register_callback('preImport', sign)
>
>
>sign.conf:
>[DEFAULT]
>rpm = /bin/rpm
>gpgbin = /usr/bin/gpg
>gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
>gpg_name = My Company, Inc. <support@mycompany.com>
>gpg_pass = my_passphrase
>
># Defaults can be overridden on a per-tag basis
>[dist-foo-build]
>gpg_name = My Other Company, Inc. <support@myothercompany.com>
>gpg_pass = my_other_passphrase
>
>
>
>
>Cheers...Paul...
>
>
>--
>---
>Paul B Schroeder
><paulbsch "at" vbridges "dot" com>
>--
>buildsys mailing list
>buildsys at lists.fedoraproject.org
>https://admin.fedoraproject.org/mailman/listinfo/buildsys
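Added example, not part of this thread and not Paul's plugin or koji's own code: with the plugin above, the private key and the clear-text passphrase both live on the hub, readable by the apache user that runs every hub request, so the file-permission check and the way the rpm command is assembled are what a reviewer would want tightened. The Python 3 sketch below (stdlib only) reads the same sign.conf layout as the post, refuses the file unless it is a regular, non-symlinked, mode-600 file owned by the hub user, turns interpolation off so a '%' in a passphrase is literal, keeps every RPM path under the koji work directory, builds the rpm --resign command as an argv list instead of a shell string, and classifies rpm's pass-phrase output with the same three words the plugin looks for. Function names (load_sign_config, rpm_paths_under, build_resign_argv, classify_resign_output, permission_check_demo), the /mnt/koji/work path and the sample config and rpm output lines are all constructed for the example; the actual pexpect/rpm invocation is left out so the block runs offline.

```python
# Added example (not the plugin from the post): hardened config loading,
# path checks and argv construction for a koji RPM-signing hook.
import configparser
import os
import stat
import tempfile

# Constructed sample with the same layout as the posted sign.conf.
SAMPLE_CONFIG = """\
[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = My Company, Inc. <support@mycompany.com>
gpg_pass = my_passphrase

[dist-foo-build]
gpg_name = My Other Company, Inc. <support@myothercompany.com>
gpg_pass = my_other_passphrase
"""

REQUIRED_KEYS = ("rpm", "gpgbin", "gpg_path", "gpg_name", "gpg_pass")


def check_private_file(path, owner_uid=None):
    """Refuse a secrets file that is a symlink, not a regular file,
    group/world accessible, or (when owner_uid is given) owned by someone
    else. The passphrase sits in clear text, so this is the whole defence
    against other local accounts on the hub reading it."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("%s is a symlink" % path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s is not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s has mode %o; chmod 600 it"
                              % (path, stat.S_IMODE(st.st_mode)))
    if owner_uid is not None and st.st_uid != owner_uid:
        raise PermissionError("%s is not owned by uid %d" % (path, owner_uid))


def parse_sign_config(text, tag_name):
    """Settings for tag_name, or None when the tag has no section (that
    build is then left unsigned instead of failing the import).
    interpolation=None keeps a '%' in the passphrase literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section(tag_name):
        return None
    cfg = {key: cp.get(tag_name, key, fallback="") for key in REQUIRED_KEYS}
    missing = [key for key in REQUIRED_KEYS if not cfg[key]]
    if missing:
        raise ValueError("sign config for %s lacks %s" % (tag_name, missing))
    return cfg


def load_sign_config(path, tag_name, owner_uid=None):
    """Permission check first; a loosely permissioned file is never read."""
    check_private_file(path, owner_uid)
    with open(path, encoding="utf-8") as fh:
        return parse_sign_config(fh.read(), tag_name)


def rpm_paths_under(uploadpath, relpaths):
    """Join the relative paths the callback receives onto the work dir and
    refuse anything that escapes it or is not an .rpm file."""
    root = os.path.normpath(uploadpath)
    out = []
    for rel in relpaths:
        full = os.path.normpath(os.path.join(root, rel))
        if os.path.commonpath([root, full]) != root or not full.endswith(".rpm"):
            raise ValueError("refusing to sign %r" % rel)
        out.append(full)
    return out


def build_resign_argv(cfg, rpm_paths):
    """argv for rpm --resign; no shell, so quotes, spaces or '<...>' in
    gpg_name cannot change the command."""
    return [
        cfg["rpm"], "--resign",
        "--define", "_signature gpg",
        "--define", "_gpgbin %s" % cfg["gpgbin"],
        "--define", "_gpg_path %s" % cfg["gpg_path"],
        "--define", "_gpg_name %s" % cfg["gpg_name"],
    ] + list(rpm_paths)


def classify_resign_output(text):
    """Map rpm's pass-phrase messages onto the outcomes the plugin checks."""
    low = text.lower()
    if "failed" in low:
        return "failed"
    if "skipping" in low:
        return "skipped"
    if "good" in low:
        return "good"
    return "unknown"


def permission_check_demo():
    """Write SAMPLE_CONFIG as mode 600 (accepted) then 644 (rejected).
    Returns (accepted, rejected)."""
    accepted = rejected = False
    fd, path = tempfile.mkstemp(prefix="sign-", suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    try:
        os.chmod(path, 0o600)
        accepted = load_sign_config(path, "dist-foo-build", os.getuid()) is not None
        os.chmod(path, 0o644)
        try:
            load_sign_config(path, "dist-foo-build", os.getuid())
        except PermissionError:
            rejected = True
    finally:
        os.unlink(path)
    return accepted, rejected


if __name__ == "__main__":
    cfg = parse_sign_config(SAMPLE_CONFIG, "dist-foo-build")
    paths = rpm_paths_under("/mnt/koji/work", ["tasks/1/foo-1.0-1.src.rpm"])
    print(build_resign_argv(cfg, paths))
    print(permission_check_demo())
```

The argv list would be handed to pexpect.spawn(argv[0], argv[1:]) or subprocess with the passphrase written to the prompt, exactly as the plugin does; the point of the example is everything that happens before that call. Leaving unsigned any tag with no section is a deliberate departure from the posted code, which raises when config.get finds no section for the tag.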