Track unsigned packages #3

@bochecha

Description

@herlo suggested this, and it's definitely a nice enhancement.

Koji provides a way to check whether an RPM is signed.

Here's a quick proof of concept script:

import sys

import koji


session = koji.ClientSession("http://koji.fedoraproject.org/kojihub")


def filter_unsigned(sigs):
    """Filter the 'unsigned' entry

    When RPM packages are not signed, Koji will add a sig entry for them in
    its DB anyway.

    However, Koji uses an empty string as the sigkey in such a case, which
    makes it easy for us to filter it out.
    """
    # Return a list rather than a lazy filter() object: on Python 3 a filter
    # object is always truthy, which would make the `if not sigs` check below
    # never fire.
    return [x for x in sigs if x['sigkey'] != '']


def missing_sig(nvr, sigkey=None):
    missing = []

    build = session.getBuild(nvr)
    rpms = session.listRPMs(buildID=build['id'])

    for rpm in rpms:
        sigs = session.queryRPMSigs(rpm_id=rpm['id'], sigkey=sigkey)
        sigs = filter_unsigned(sigs)

        if not sigs:
            missing.append("%(nvr)s.%(arch)s.rpm" % rpm)

    return missing


def print_summary(nvr):
    print("Checking signatures for %s... " % nvr)

    missing = missing_sig(nvr)

    if missing:
        print("-> Oh Noes!")
        print("   - %s\n" % "\n   - ".join(missing))

    else:
        print("-> All clear\n")


print_summary("firefox-26.0-5.fc20")
print_summary("firefox-26.0-6.fc21")

It outputs:

Checking signatures for firefox-26.0-5.fc20... 
-> All clear

Checking signatures for firefox-26.0-6.fc21... 
-> Oh Noes!
   - mozilla-crashreporter-firefox-debuginfo-26.0-6.fc21.i686.rpm
   - firefox-26.0-6.fc21.i686.rpm
   - firefox-debuginfo-26.0-6.fc21.i686.rpm
   - firefox-debuginfo-26.0-6.fc21.x86_64.rpm
   - mozilla-crashreporter-firefox-debuginfo-26.0-6.fc21.x86_64.rpm
   - firefox-26.0-6.fc21.x86_64.rpm
   - firefox-debuginfo-26.0-6.fc21.armv7hl.rpm
   - firefox-26.0-6.fc21.armv7hl.rpm
   - firefox-26.0-6.fc21.src.rpm

Integrating something like this in uptrack could be nice.

For example, it could be one more piece of information in the various package listings.

Or it could be a new listing altogether, just like we have "problematic packages", we could have "unsigned packages".

One thing to note though is that it might significantly increase the time taken by uptrack-sync.

Maybe it could be a per-distro option, as some distros (especially in development stages) don't sign their packages.
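An added example (not part of the issue or of uptrack) that builds on the proof of concept above: it reuses Koji's convention of an empty `sigkey` for unsigned RPMs, but also lets a per-distro expected key be passed in, so an RPM signed with some other key is reported as well rather than counted as fine. The `EXPECTED_SIGKEY` values and `FakeSession` data are constructed placeholders so the check runs offline; with a real hub, pass a `koji.ClientSession` instead.

```python
# Expected signing key per dist tag: constructed placeholder IDs, not real Fedora keys.
EXPECTED_SIGKEY = {"fc20": "deadbeef", "fc21": "cafef00d"}


def sig_status(sigs, expected=None):
    """Classify queryRPMSigs() entries for one RPM.

    Koji records an entry with sigkey '' for unsigned RPMs, so the real keys
    are the non-empty ones. 'wrong-key' means signed, but not by `expected`.
    """
    keys = {s["sigkey"].lower() for s in sigs if s["sigkey"] != ""}
    if not keys:
        return "unsigned"
    if expected is not None and expected.lower() not in keys:
        return "wrong-key"
    return "ok"


def check_build(session, nvr, expected=None):
    """Map each problematic RPM filename of a build to its status.

    `session` needs getBuild/listRPMs/queryRPMSigs, like koji.ClientSession.
    """
    build = session.getBuild(nvr)
    problems = {}
    for rpm in session.listRPMs(buildID=build["id"]):
        status = sig_status(session.queryRPMSigs(rpm_id=rpm["id"]), expected)
        if status != "ok":
            problems["%(nvr)s.%(arch)s.rpm" % rpm] = status
    return problems


class FakeSession:
    """Offline stand-in for koji.ClientSession, serving constructed data."""
    BUILDS = {"firefox-26.0-5.fc20": 1, "firefox-26.0-6.fc21": 2}
    RPMS = {1: [{"id": 10, "nvr": "firefox-26.0-5.fc20", "arch": "x86_64"},
                {"id": 11, "nvr": "firefox-26.0-5.fc20", "arch": "src"}],
            2: [{"id": 20, "nvr": "firefox-26.0-6.fc21", "arch": "x86_64"}]}
    SIGS = {10: [{"rpm_id": 10, "sigkey": "deadbeef", "sighash": "00"}],
            11: [{"rpm_id": 11, "sigkey": "", "sighash": "00"},
                 {"rpm_id": 11, "sigkey": "0ddba110", "sighash": "00"}],  # wrong key
            20: [{"rpm_id": 20, "sigkey": "", "sighash": "00"}]}  # unsigned

    def getBuild(self, nvr):
        return {"id": self.BUILDS[nvr], "nvr": nvr}

    def listRPMs(self, buildID):
        return self.RPMS[buildID]

    def queryRPMSigs(self, rpm_id, sigkey=None):
        return [s for s in self.SIGS[rpm_id] if sigkey is None or s["sigkey"] == sigkey]
```

For a real hub, `check_build(koji.ClientSession(hub_url), nvr, EXPECTED_SIGKEY[disttag])` gives the per-build listing; passing `expected=None` reproduces the original "any signature counts" behaviour for distros that don't sign.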
