osbuild/rpm: set check_gpg per-package

Rather than passing an array of checksums, pass an array of objects with package properties. One is the `checksum`, which is required, and in addition to that we now pass the boolean check_gpg, which indicates that that RPM should have its GPG signature verified. Signed-off-by: Tom Gundersen <teg@jklm.no>
2020-06-07 22:15:07 +02:00 · 2020-06-07 22:15:07 +02:00 · 5c3f4193e5
commit 5c3f4193e5
parent 42de929adb
5 changed files with 40 additions and 11 deletions
--- a/internal/distro/fedora31/distro.go
+++ b/internal/distro/fedora31/distro.go
@ -495,9 +495,13 @@ func (r *imageType) rpmStageOptions(repos []rpmmd.RepoConfig, specs []rpmmd.Pack
 		gpgKeys = append(gpgKeys, repo.GPGKey)
 	}

-	var packages []string
+	var packages []osbuild.RPMPackage
 	for _, spec := range specs {
-		packages = append(packages, spec.Checksum)
+		pkg := osbuild.RPMPackage{
+			Checksum: spec.Checksum,
+			CheckGPG: spec.CheckGPG,
+		}
+		packages = append(packages, pkg)
 	}

 	return &osbuild.RPMStageOptions{
--- a/internal/distro/fedora32/distro.go
+++ b/internal/distro/fedora32/distro.go
@ -310,9 +310,13 @@ func (t *imageType) rpmStageOptions(arch architecture, repos []rpmmd.RepoConfig,
 		gpgKeys = append(gpgKeys, repo.GPGKey)
 	}

-	var packages []string
+	var packages []osbuild.RPMPackage
 	for _, spec := range specs {
-		packages = append(packages, spec.Checksum)
+		pkg := osbuild.RPMPackage{
+			Checksum: spec.Checksum,
+			CheckGPG: spec.CheckGPG,
+		}
+		packages = append(packages, pkg)
 	}

 	return &osbuild.RPMStageOptions{
--- a/internal/distro/rhel8/distro.go
+++ b/internal/distro/rhel8/distro.go
@ -316,9 +316,13 @@ func (t *imageType) rpmStageOptions(arch architecture, repos []rpmmd.RepoConfig,
 		gpgKeys = append(gpgKeys, repo.GPGKey)
 	}

-	var packages []string
+	var packages []osbuild.RPMPackage
 	for _, spec := range specs {
-		packages = append(packages, spec.Checksum)
+		pkg := osbuild.RPMPackage{
+			Checksum: spec.Checksum,
+			CheckGPG: spec.CheckGPG,
+		}
+		packages = append(packages, pkg)
 	}

 	return &osbuild.RPMStageOptions{
--- a/internal/osbuild/rpm_stage.go
+++ b/internal/osbuild/rpm_stage.go
@ -6,8 +6,17 @@ package osbuild
 // content hash. This ensures that given a set of RPM stage options,
 // the output is be reproducible, if the underlying tools are.
 type RPMStageOptions struct {
-	GPGKeys  []string `json:"gpgkeys,omitempty"`
-	Packages []string `json:"packages"`
+	GPGKeys  []string     `json:"gpgkeys,omitempty"`
+	Packages []RPMPackage `json:"packages"`
+}
+
+// RPMPackage represents one RPM, as referenced by its content hash
+// (checksum). The files source must indicate where to fetch the given
+// RPM. If CheckGPG is `true` the RPM must be signed with one of the
+// GPGKeys given in the RPMStageOptions.
+type RPMPackage struct {
+	Checksum string `json:"checksum"`
+	CheckGPG bool   `json:"check_gpg,omitempty"`
 }

 func (RPMStageOptions) isStageOptions() {}
--- a/internal/osbuild/stage_test.go
+++ b/internal/osbuild/stage_test.go
@ -187,12 +187,20 @@ func TestStage_UnmarshalJSON(t *testing.T) {
 			fields: fields{
 				Name: "org.osbuild.rpm",
 				Options: &RPMStageOptions{
-					GPGKeys:  []string{"key1", "key2"},
-					Packages: []string{"checksum1", "checksum2"},
+					GPGKeys: []string{"key1", "key2"},
+					Packages: []RPMPackage{
+						{
+							Checksum: "checksum1",
+						},
+						{
+							Checksum: "checksum2",
+							CheckGPG: true,
+						},
+					},
 				},
 			},
 			args: args{
-				data: []byte(`{"name":"org.osbuild.rpm","options":{"gpgkeys":["key1","key2"],"packages":["checksum1","checksum2"]}}`),
+				data: []byte(`{"name":"org.osbuild.rpm","options":{"gpgkeys":["key1","key2"],"packages":[{"checksum":"checksum1"},{"checksum":"checksum2","check_gpg":true}]}}`),
 			},
 		},
 		{