mirror of
https://github.com/rocky-linux/ansible-role-kojihub.git
synced 2024-11-25 06:11:23 +00:00
add key signing
This commit is contained in:
parent
620da58dba
commit
e83200dc47
@ -95,7 +95,8 @@ koji_fas_url: https://accounts.rockylinux.org
|
|||||||
|
|
||||||
# Koji Plugins
|
# Koji Plugins
|
||||||
koji_hub_plugins: false
|
koji_hub_plugins: false
|
||||||
koji_hub_plugins_list: []
|
koji_hub_plugins_list:
|
||||||
|
- key_signing
|
||||||
|
|
||||||
# Not implemented
|
# Not implemented
|
||||||
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
|
koji_hub_plugin_mqtt_host: mqtt.rockylinux.org
|
||||||
|
82
files/usr/lib/koji-hub-plugins/key_signing.py
Normal file
82
files/usr/lib/koji-hub-plugins/key_signing.py
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
# Louis Abel <label@rockylinux.org>
|
||||||
|
# This is a koji plugin to assist in auto signing packages in sigul
|
||||||
|
# This is going through constant change until it "works"
|
||||||
|
#
|
||||||
|
# Based on another plugin, updated and refinements where needed:
|
||||||
|
# -> Config file introduced
|
||||||
|
# -> Some linting
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import logging
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
import koji
|
||||||
|
from koji.plugin import register_callback, ignore_error
|
||||||
|
if '/usr/share/koji-hub' not in sys.path:
|
||||||
|
sys.path.append("/usr/share/koji-hub")
|
||||||
|
import kojihub
|
||||||
|
from kojihub import RootExports
|
||||||
|
|
||||||
|
# CONVERT TO CONFIG FILE
|
||||||
|
CONFIG_FILE = '/etc/koji-hub/plugins/key_signing.conf'
|
||||||
|
CONFIG = None
|
||||||
|
if not CONFIG:
|
||||||
|
CONFIG = koji.read_config_files([(CONFIG_FILE, True)])
|
||||||
|
|
||||||
|
passphrase = CONFIG.get('signing', 'passphrase')
|
||||||
|
gpg_key_name = CONFIG.get('signing', 'gpg_key_name')
|
||||||
|
gpg_key_id = CONFIG.get('signing', 'gpg_key_id')
|
||||||
|
build_target = CONFIG.get('signing', 'build_target').split()
|
||||||
|
testing_tag = CONFIG.get('signing', 'testing_tag')
|
||||||
|
send_to_testing = CONFIG.get('signing', 'testing')
|
||||||
|
|
||||||
|
def key_signing(cbtype, *args, **kws):
|
||||||
|
# Make sure this is a package build and nothing else
|
||||||
|
if kws['tag']['name'] not in build_target:
|
||||||
|
return
|
||||||
|
|
||||||
|
# The build has to succeed
|
||||||
|
if kws['build']['state'] != 1:
|
||||||
|
logging.getLogger('koji.plugin.key_signing').error('build state is not finished')
|
||||||
|
return
|
||||||
|
|
||||||
|
logging.getLogger('koji.plugin.key_signing').info('buildinfo: %s',str(kws))
|
||||||
|
|
||||||
|
# Find all the RPMs that are part of this build
|
||||||
|
kojifunctions = RootExports()
|
||||||
|
build_rpms = kojifunctions.listBuildRPMs(kws['build']['id'])
|
||||||
|
logging.getLogger('koji.plugin.key_signing').info('rpminfo: %s',str(build_rpms))
|
||||||
|
|
||||||
|
# Sign and write the RPMs
|
||||||
|
for rpm_info in build_rpms:
|
||||||
|
rpm_name = "%s.%s" % (rpm_info['nvr'],rpm_info['arch'])
|
||||||
|
key_signing_rpm(rpm_name)
|
||||||
|
kojifunctions.writeSignedRPM(rpm_name,gpg_key_id)
|
||||||
|
|
||||||
|
# If configured, tag for a testing repo
|
||||||
|
if send_to_testing:
|
||||||
|
kojifunctions.tagBuild(testing_tag,kws['build']['id'])
|
||||||
|
logging.getLogger('koji.plugin.key_signing').info('the package %s has been tagged to %s'%(kws['build']['name'],testing_tag))
|
||||||
|
|
||||||
|
def run_sigul(command):
|
||||||
|
child = subprocess.Popen(command, stdin=subprocess.PIPE,
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
stderr=subprocess.PIPE,shell=True)
|
||||||
|
child.stdin.write(passphrase + '\0')
|
||||||
|
ret = child.wait()
|
||||||
|
logging.getLogger('koji.plugin.key_signing').info('sigul returned with code: %s',ret)
|
||||||
|
if ret != 0:
|
||||||
|
logging.getLogger('koji.plugin.key_signing').error('sigul command failed: %s returned: %s',command,child.communicate())
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
def key_signing_rpm(rpm_name):
|
||||||
|
# Check to make sure the key works
|
||||||
|
command = "sigul --batch get-public-key %s" % gpg_key_name
|
||||||
|
run_sigul(command)
|
||||||
|
|
||||||
|
# Run the actual sign command
|
||||||
|
command = "sigul --batch sign-rpm --koji-only --store-in-koji --v3-signature %s %s" % (gpg_key_name, rpm_name)
|
||||||
|
logging.getLogger('koji.plugin.key_signing').info('running sigul command: %s',command)
|
||||||
|
run_sigul(command)
|
||||||
|
|
||||||
|
register_callback('postTag',key_signing)
|
6
templates/etc/koji-hub/plugins/key_signing.conf.j2
Normal file
6
templates/etc/koji-hub/plugins/key_signing.conf.j2
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
[signing]
|
||||||
|
passphrase = lol
|
||||||
|
gpg_key_name = 'testing-signing'
|
||||||
|
gpg_key_id = 'bbe2c108'
|
||||||
|
build_target = ['dist-rocky8']
|
||||||
|
testing_tag = 'dist-rocky8-testing'
|
Loading…
Reference in New Issue
Block a user