
Track unsigned packages #3

@bochecha

@herlo suggested this, and it's definitely a nice enhancement.

Koji provides a way to check whether an RPM is signed.

Here's a quick proof-of-concept script:

import koji


session = koji.ClientSession("http://koji.fedoraproject.org/kojihub")


def filter_unsigned(sigs):
    """Filter the 'unsigned' entry

    When RPM packages are not signed, Koji will add a sig entry for them in
    its DB anyway.

    However, Koji uses an empty string as the sigkey in such a case, which
    makes it easy for us to filter it out.
    """
    # Build a list instead of returning a filter object: on Python 3 a
    # filter object is always truthy, so `if not sigs` below would never fire.
    return [sig for sig in sigs if sig['sigkey'] != '']


def missing_sig(nvr, sigkey=None):
    """Return the file names of the RPMs in build `nvr` that have no signature.

    If `sigkey` is given, only signatures made with that key count.
    """
    missing = []

    build = session.getBuild(nvr)
    rpms = session.listRPMs(buildID=build['id'])

    for rpm in rpms:
        sigs = session.queryRPMSigs(rpm_id=rpm['id'], sigkey=sigkey)
        sigs = filter_unsigned(sigs)

        if not sigs:
            missing.append("%(nvr)s.%(arch)s.rpm" % rpm)

    return missing


def print_summary(nvr):
    print("Checking signatures for %s... " % nvr)

    missing = missing_sig(nvr)

    if missing:
        print("-> Oh Noes!")
        print("   - %s\n" % "\n   - ".join(missing))

    else:
        print("-> All clear\n")


print_summary("firefox-26.0-5.fc20")
print_summary("firefox-26.0-6.fc21")

It outputs:

Checking signatures for firefox-26.0-5.fc20... 
-> All clear

Checking signatures for firefox-26.0-6.fc21... 
-> Oh Noes!
   - mozilla-crashreporter-firefox-debuginfo-26.0-6.fc21.i686.rpm
   - firefox-26.0-6.fc21.i686.rpm
   - firefox-debuginfo-26.0-6.fc21.i686.rpm
   - firefox-debuginfo-26.0-6.fc21.x86_64.rpm
   - mozilla-crashreporter-firefox-debuginfo-26.0-6.fc21.x86_64.rpm
   - firefox-26.0-6.fc21.x86_64.rpm
   - firefox-debuginfo-26.0-6.fc21.armv7hl.rpm
   - firefox-26.0-6.fc21.armv7hl.rpm
   - firefox-26.0-6.fc21.src.rpm

Integrating something like this in uptrack could be nice.

For example, it could be one more piece of information in the various package listings.

Or it could be a new listing altogether, just like we have "problematic packages", we could have "unsigned packages".

One thing to note though is that it might significantly increase the time taken by uptrack-sync.

Maybe it could be a per-distro option, as some distros (especially in development stages) don't sign their packages.
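The same check, written to run offline against hand-built data. This is an added example, not code from the issue author or from uptrack. It assumes dicts shaped like Koji's `listRPMs()` and `queryRPMSigs()` results (`id`/`nvr`/`arch` and `rpm_id`/`sigkey`/`sighash`), constructed inline; the key ids and hashes in the sample data are placeholders. On top of dropping Koji's empty-sigkey placeholder row, it adds two things a practitioner would want: an optional set of trusted signing keys, so an RPM signed with an unexpected key is still reported, and the per-distro switch mentioned above, so distros that do not sign at all can be skipped.

```python
"""Offline check of Koji-style RPM signature records (added example)."""

# Constructed stand-in for session.listRPMs(buildID=...).
RPMS = [
    {"id": 1, "nvr": "firefox-26.0-6.fc21", "arch": "x86_64"},
    {"id": 2, "nvr": "firefox-26.0-6.fc21", "arch": "src"},
    {"id": 3, "nvr": "firefox-debuginfo-26.0-6.fc21", "arch": "x86_64"},
    {"id": 4, "nvr": "firefox-26.0-6.fc21", "arch": "i686"},
]

# Constructed stand-in for session.queryRPMSigs(rpm_id=...), keyed by rpm id.
# Koji records a row with sigkey '' for an unsigned rpm, so the mere presence
# of a row proves nothing. Rpm 4 is signed, but with a key we do not trust.
# Key ids and hashes are placeholders, not real values.
SIGS = {
    1: [{"rpm_id": 1, "sigkey": "", "sighash": "<hash>"},
        {"rpm_id": 1, "sigkey": "95a43f54", "sighash": "<hash>"}],
    2: [{"rpm_id": 2, "sigkey": "", "sighash": "<hash>"}],
    3: [],
    4: [{"rpm_id": 4, "sigkey": "deadbeef", "sighash": "<hash>"}],
}


def signed_with(sigs, trusted_keys=None):
    """Return the sigkeys on an rpm that count as a real signature.

    Drops Koji's sigkey == '' placeholder. When `trusted_keys` is given,
    signatures from any other key are dropped as well: "signed" is only
    meaningful if it is signed by a key the distro actually uses.
    """
    keys = [sig["sigkey"] for sig in sigs if sig["sigkey"] != ""]
    if trusted_keys is not None:
        keys = [key for key in keys if key in trusted_keys]
    return keys


def missing_sig(rpms, sigs_by_rpm, trusted_keys=None):
    """File names of the rpms in a build with no acceptable signature."""
    missing = []
    for rpm in rpms:
        sigs = sigs_by_rpm.get(rpm["id"], [])
        if not signed_with(sigs, trusted_keys):
            missing.append("%(nvr)s.%(arch)s.rpm" % rpm)
    return missing


def report(nvr, rpms, sigs_by_rpm, trusted_keys=None, check_signatures=True):
    """Per-distro entry point: returns None when the distro is not checked,
    otherwise the list of unsigned rpm file names (empty means all clear)."""
    if not check_signatures:
        return None
    return missing_sig(rpms, sigs_by_rpm, trusted_keys)


if __name__ == "__main__":
    for label, keys in (("any key", None), ("trusted key only", {"95a43f54"})):
        missing = report("firefox-26.0-6.fc21", RPMS, SIGS, trusted_keys=keys)
        print("%s: %d unsigned" % (label, len(missing)))
        for name in missing:
            print("   - %s" % name)
    print("rawhide-like distro:", report("x", RPMS, SIGS, check_signatures=False))
```

With `trusted_keys=None` the check behaves like the script above; passing the distro's release key id tightens it so that a package signed with a stray or revoked key is listed too.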
