sources/ostree: support gpg verification

Add a new `gpgkeys` option that, if set, must contain a list of public keys. These keys will then be used by ostree to verify signed commits when pulling from the remote. If the `gpgkeys` option is missing, no verification will be attempted.
2020-03-24 09:30:50 +01:00 · 2020-03-24 09:30:50 +01:00 · e1b2803ae0
commit e1b2803ae0
parent d5cce89fd8
1 changed files with 12 additions and 1 deletions
--- a/sources/org.osbuild.ostree
+++ b/sources/org.osbuild.ostree
@ -7,12 +7,13 @@ import subprocess
 import uuid


-def ostree(*args, **kwargs):
+def ostree(*args, _input=None, **kwargs):
    args = list(args) + [f'--{k}={v}' for k, v in kwargs.items()]
    print(f"ostree " + " ".join(args), file=sys.stderr)
    subprocess.run(["ostree"] + args,
                   encoding="utf-8",
                   stdout=sys.stderr,
+                   input=_input,
                   check=True)


@ -32,13 +33,23 @@ def main(options, checksums, cache, output):
    for commit in checksums:
        remote = commits[commit]["remote"]
        url = remote["url"]
+        gpg = remote.get("gpgkeys", [])
        uid = str(uuid.uuid4())

+        extra_args = []
+        if not gpg:
+            extra_args += ["--no-gpg-verify"]
+
        ostree("remote", "add",
               "--no-gpg-verify",
+               *extra_args,
               uid, url,
               repo=repo_cache)

+        for key in gpg:
+            ostree("remote", "gpg-import", "--stdin", uid,
+                   repo=repo_cache, _input=key)
+
        # Transfer the commit: remote → cache
        print(f"pulling {commit}", file=sys.stderr)
        ostree("pull", uid, commit, repo=repo_cache)