rocky-linux/peridot
4
0
Fork 0
mirror of https://github.com/rocky-linux/peridot.git synced 2024-11-18 03:11:24 +00:00
Code Issues Projects Releases Activity

Verify signature regardless of signing status

Browse Source 
We get "corrupted"/non-correctly signed RPMs from time to time and added a mechanism to verify signatures and resign if invalid. Unfortunately sometimes rpm --addsign can return a zero exit code regardless of actual error status. Because of this we should always verify signature after signing, this way if it's invalid, we can resign it.
This commit is contained in:
Mustafa Gezen 2022-07-27 08:28:37 +02:00
parent 5917a94c9f
commit 1703798d0e
Signed by untrusted user who does not match committer: mustafa
GPG Key ID: DCDF010D946438C1
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
peridot/keykeeper/v1/sign.go
View File

@ -213,7 +213,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
if err2 != nil {
s.log.Errorf("failed to add error details to status: %v", err2)
}
return nil, fmt.Errorf("failed to sign artifact %s: %v\nlogs: %s", artifact.Name, err, outBuf.String())
return nil, statusErr
}
_, err = s.storage.PutObject(newObjectKey, localPath)
if err != nil {
@ -251,6 +251,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
"--checksig", localPath,
}
cmd := gpgCmdEnv(exec.Command("rpm", opts...))
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
@ -260,11 +262,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
}
var tries int
for {
res, err := rpmSign()
if err == nil {
return res, nil
}
err = verifySig()
res, _ := rpmSign()
err := verifySig()
if err == nil {
return res, nil
}