Sign RPM package during testing and verify GPG signatures

Related: RHBZ#2177699
2023-03-27 11:09:51 +03:00 · 2023-03-27 11:09:51 +03:00 · 5e6d47e9d0
commit 5e6d47e9d0
parent 58cb12eeaa
1 changed files with 13 additions and 2 deletions
--- a/test/cases/regression-insecure-repo.sh
+++ b/test/cases/regression-insecure-repo.sh
@ -37,9 +37,18 @@ openssl req -new -newkey rsa:4096 -days 1 -nodes -x509 \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=Org/CN=osbuild.org" \
    -keyout "${keyfile}" -out "${certfile}"

+greenprint "Generate GPG key to sign custom RPMs are repo metadata"
+gpg --batch --passphrase '' --quick-gen-key testing@redhat.com default default
+gpg_pubkey=$(gpg --armor --export testing@redhat.com)
+
+cat <<EOF > ~/.rpmmacros
+%_gpg_name testing@redhat.com
+EOF
+
+
 greenprint "Creating dummy rpm and repo"
 # make a dummy rpm and repo to test payload_repositories
-sudo dnf install -y rpm-build createrepo
+sudo dnf install -y rpm-build rpm-sign createrepo
 dummyrpmdir=$(mktemp -d)
 dummyspecfile="$dummyrpmdir/dummy.spec"

@ -62,6 +71,7 @@ EOF

 mkdir -p "DUMMYRPMDIR/rpmbuild"
 rpmbuild --quiet --define "_topdir $dummyrpmdir/rpmbuild" -bb "$dummyspecfile"
+rpmsign --addsign "${dummyrpmdir}"/rpmbuild/RPMS/noarch/*.rpm

 mkdir -p "${dummyrpmdir}/repo"
 cp "${dummyrpmdir}"/rpmbuild/RPMS/noarch/*rpm "$dummyrpmdir/repo"
@ -105,7 +115,8 @@ name = "test repository"
 type = "yum-baseurl"
 url = "${websrvurl}"
 rhsm = false
-check_gpg = false
+check_gpg = true
+gpgkeys = ['''${gpg_pubkey}''']
 check_ssl = false
 EOF