add key signing

defaults/main.yml

@@ -95,7 +95,8 @@ koji_fas_url: https://accounts.rockylinux.org
 
 # Koji Plugins
 koji_hub_plugins: false
-koji_hub_plugins_list: []
+koji_hub_plugins_list:
+  - key_signing
 
 # Not implemented
 koji_hub_plugin_mqtt_host: mqtt.rockylinux.org

files/usr/lib/koji-hub-plugins/key_signing.py

@@ -0,0 +1,82 @@
+# Louis Abel <label@rockylinux.org>
+# This is a koji plugin to assist in auto signing packages in sigul
+# This is going through constant change until it "works"
+#
+# Based on another plugin, updated and refinements where needed:
+#   -> Config file introduced
+#   -> Some linting
+
+import sys
+import logging
+import subprocess
+
+import koji
+from koji.plugin import register_callback, ignore_error
+if '/usr/share/koji-hub' not in sys.path:
+    sys.path.append("/usr/share/koji-hub")
+import kojihub
+from kojihub import RootExports
+
+# CONVERT TO CONFIG FILE
+CONFIG_FILE = '/etc/koji-hub/plugins/key_signing.conf'
+CONFIG = None
+if not CONFIG:
+    CONFIG = koji.read_config_files([(CONFIG_FILE, True)])
+
+passphrase = CONFIG.get('signing', 'passphrase')
+gpg_key_name = CONFIG.get('signing', 'gpg_key_name')
+gpg_key_id = CONFIG.get('signing', 'gpg_key_id')
+build_target = CONFIG.get('signing', 'build_target').split()
+testing_tag = CONFIG.get('signing', 'testing_tag')
+send_to_testing = CONFIG.get('signing', 'testing')
+
+def key_signing(cbtype, *args, **kws):
+    # Make sure this is a package build and nothing else
+    if kws['tag']['name'] not in build_target:
+        return
+
+    # The build has to succeed
+    if kws['build']['state'] != 1:
+        logging.getLogger('koji.plugin.key_signing').error('build state is not finished')
+        return
+
+    logging.getLogger('koji.plugin.key_signing').info('buildinfo: %s',str(kws))
+
+    # Find all the RPMs that are part of this build
+    kojifunctions = RootExports()
+    build_rpms = kojifunctions.listBuildRPMs(kws['build']['id'])
+    logging.getLogger('koji.plugin.key_signing').info('rpminfo: %s',str(build_rpms))
+
+    # Sign and write the RPMs
+    for rpm_info in build_rpms:
+        rpm_name = "%s.%s" % (rpm_info['nvr'],rpm_info['arch'])
+        key_signing_rpm(rpm_name)
+        kojifunctions.writeSignedRPM(rpm_name,gpg_key_id)
+
+    # If configured, tag for a testing repo
+    if send_to_testing:
+        kojifunctions.tagBuild(testing_tag,kws['build']['id'])
+        logging.getLogger('koji.plugin.key_signing').info('the package %s has been tagged to %s'%(kws['build']['name'],testing_tag))
+
+def run_sigul(command):
+    child = subprocess.Popen(command, stdin=subprocess.PIPE,
+                             stdout=subprocess.PIPE,
+                             stderr=subprocess.PIPE,shell=True)
+    child.stdin.write(passphrase + '\0')
+    ret = child.wait()
+    logging.getLogger('koji.plugin.key_signing').info('sigul returned with code: %s',ret)
+    if ret != 0:
+        logging.getLogger('koji.plugin.key_signing').error('sigul command failed: %s returned: %s',command,child.communicate())
+        sys.exit(1)
+
+def key_signing_rpm(rpm_name):
+    # Check to make sure the key works
+    command = "sigul --batch get-public-key %s" % gpg_key_name
+    run_sigul(command)
+
+    # Run the actual sign command
+    command = "sigul --batch sign-rpm --koji-only --store-in-koji --v3-signature %s %s" % (gpg_key_name, rpm_name)
+    logging.getLogger('koji.plugin.key_signing').info('running sigul command: %s',command)
+    run_sigul(command)
+
+register_callback('postTag',key_signing)

templates/etc/koji-hub/plugins/key_signing.conf.j2

@@ -0,0 +1,6 @@
+[signing]
+passphrase = lol
+gpg_key_name = 'testing-signing'
+gpg_key_id = 'bbe2c108'
+build_target = ['dist-rocky8']
+testing_tag = 'dist-rocky8-testing'