Verify signature regardless of signing status

We get "corrupted"/non-correctly signed RPMs from time to time and added a mechanism to verify signatures and resign if invalid. Unfortunately sometimes rpm --addsign can return a zero exit code regardless of actual error status. Because of this we should always verify signature after signing, this way if it's invalid, we can resign it.
2022-07-27 08:28:37 +02:00 · 2022-07-27 08:28:37 +02:00 · 1703798d0e
parent 5917a94c9f
commit 1703798d0e
1 changed files with 5 additions and 6 deletions
--- a/peridot/keykeeper/v1/sign.go
+++ b/peridot/keykeeper/v1/sign.go
@ -213,7 +213,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 				if err2 != nil {
 					s.log.Errorf("failed to add error details to status: %v", err2)
 				}
-				return nil, fmt.Errorf("failed to sign artifact %s: %v\nlogs: %s", artifact.Name, err, outBuf.String())
+				return nil, statusErr
 			}
 			_, err = s.storage.PutObject(newObjectKey, localPath)
 			if err != nil {
@ -251,6 +251,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 				"--checksig", localPath,
 			}
 			cmd := gpgCmdEnv(exec.Command("rpm", opts...))
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
 			err := cmd.Run()
 			if err != nil {
 				s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
@ -260,11 +262,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 		}
 		var tries int
 		for {
-			res, err := rpmSign()
-			if err == nil {
-				return res, nil
-			}
-			err = verifySig()
+			res, _ := rpmSign()
+			err := verifySig()
 			if err == nil {
 				return res, nil
 			}