From 8f6535cacc27ff28f34f0b28ed4e103af8b452d8 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane" <bcl@redhat.com>
Date: Thu, 16 Feb 2023 16:40:08 -0800
Subject: [PATCH] org.osbuild.rpm: Add some context to rpmkeys failure

This will hopefully help debug problems when the signature check fails.
You need to manually take the hash and look it up in the manifest
sources list to figure out what package failed since this stage doesn't
have access to sources.
---
 stages/org.osbuild.rpm | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/stages/org.osbuild.rpm b/stages/org.osbuild.rpm
index eb1c8083..359a5604 100755
--- a/stages/org.osbuild.rpm
+++ b/stages/org.osbuild.rpm
@@ -303,13 +303,17 @@ def main(tree, inputs, options):
 
     for filename, data in packages.items():
         if data.get("rpm.check_gpg"):
-            subprocess.run([
-                "rpmkeys",
-                *rpm_args,
-                "--root", tree,
-                "--checksig",
-                filename
-            ], cwd=pkgpath, stdout=subprocess.DEVNULL, check=True)
+            try:
+                subprocess.run([
+                    "rpmkeys",
+                    *rpm_args,
+                    "--root", tree,
+                    "--checksig",
+                    filename
+                ], cwd=pkgpath, stdout=subprocess.DEVNULL, check=True)
+            except Exception:
+                print(f"Signature check failed on {filename}, lookup package name in manifest.")
+                raise
 
     for source in ("/dev", "/sys", "/proc"):
         target = os.path.join(tree, source.lstrip("/"))