Support signing of rpm wrapped live images

With this patch, you can specify a command for signing of koji builds. For example: signing_key_password_file = '~/file_with_password_for_key_fedora-24' signing_key_id = '81b46521' signing_command = '~/git/releng/scripts/sigulsign_unsigned.py -vv --password=%(signing_key_password)s fedora-24' 'signing_key_password_file' is a path to a file which contains a password that will be formatted into 'signing_command' string via '%(signing_key_password)s' string format syntax (if used). Because pungi config is usualy stored in git and part of compose logs we don't want password to be included directly in the config. Note: If '-' is used instead of a filename, then you will be asked for the password interactivelly right after pungi starts. 'signing_key_id' is ID of the key that will be used for the signing. This ID will be used when crafting koji paths to signed files (kojipkgs.fedoraproject.org/packages/NAME/VER/REL/data/signed/KEYID/..). 'signing_command' a command that will be run with a build as a single argument. This command mustn't require any user interaction. If you need to pass a password for a signing key to the command, do this via command line option of the command with use of string formatting syntax '%(signing_key_password)s' (see details about 'signing_key_password_file'). Signed-off-by: Tomáš Mlčoch <tmlcoch@redhat.com>
2016-02-12 13:00:19 +01:00 · 2016-02-12 13:00:19 +01:00 · 5bffca5037
commit 5bffca5037
parent be4d596c36
3 changed files with 143 additions and 1 deletions
--- a/bin/pungi-koji
+++ b/bin/pungi-koji
@ -253,6 +253,43 @@ def run_compose(compose):
            print(i)
        sys.exit(1)

+    # PREP
+
+    # Note: This may be put into a new method of phase classes (e.g. .prep())
+    # in same way as .validate() or .run()
+
+    # Prep for liveimages - Obtain a password for signing rpm wrapped images
+    if ("signing_key_password_file" in compose.conf
+            and "signing_command" in compose.conf
+            and "%(signing_key_password)s" in compose.conf["signing_command"]
+            and not liveimages_phase.skip()):
+        # TODO: Don't require key if signing is turned off
+        # Obtain signing key password
+        signing_key_password = None
+
+        # Use appropriate method
+        if compose.conf["signing_key_password_file"] == "-":
+            # Use stdin (by getpass module)
+            try:
+                signing_key_password = getpass.getpass("Signing key password: ")
+            except EOFError:
+                compose.log_debug("Ignoring signing key password")
+                pass
+        else:
+            # Use text file with password
+            try:
+                signing_key_password = open(compose.conf["signing_key_password_file"], "r").readline().rstrip('\n')
+            except IOError:
+                # Filename is not print intentionally in case someone puts password directly into the option
+                err_msg = "Cannot load password from file specified by 'signing_key_password_file' option"
+                compose.log_error(err_msg)
+                print(err_msg)
+                sys.exit(1)
+
+        if signing_key_password:
+            # Store the password
+            compose.conf["signing_key_password"] = signing_key_password
+
    # INIT phase
    init_phase.start()
    init_phase.stop()