Old 12-17-2010, 06:19 AM
Paul B Schroeder
 
Default koji sign plugin

As a follow-up to the recent thread on signing RPMs in koji...and the many times this question pops
up on the list. I've written some code that uses the koji plugin framework for signing packages.
I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful
to get this into the koji-hub-plugins package?

At any rate, here is the code and an example config file. sign.py goes into your PluginPath.
The config file needs to be readable by the apache user and should probably be chmoded 600. Also,
make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.


sign.py:
# Koji callback for GPG signing RPMs before import
#
# Author:
# Paul B Schroeder <paulbsch "at" vbridges "dot" com>

from koji.plugin import register_callback
import logging

# INI file holding the per-tag signing settings read by sign() (rpm, gpgbin,
# gpg_path, gpg_name, gpg_pass).  It contains the key passphrase, so it must
# be readable by the hub user only.
config_file = '/usr/lib/koji-hub-plugins/sign.conf'

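def sign(cbtype, *args, **kws):
    """Koji ``preImport`` callback that GPG-signs a build's RPMs in place.

    Only ``type == 'build'`` imports are handled; anything else returns at
    once.  The rpm binary, gpg binary, gpg home directory, key name and
    passphrase are read from ``config_file``: the section named after the
    buildroot's tag is used when present, otherwise ``[DEFAULT]``.

    Args:
        cbtype: callback type string supplied by koji (unused here).
        *args: positional callback arguments (unused here).
        **kws: callback keywords; ``type``, ``brmap``, ``srpm`` and ``rpms``
            are read.

    Raises:
        Exception: when no buildroot is recorded, the config file cannot be
            read, the passphrase is not accepted, or ``rpm --resign`` exits
            non-zero.  ``pexpect.EOF``/``pexpect.TIMEOUT`` propagate if rpm
            never shows the pass phrase prompt.
    """
    if kws['type'] != 'build':
        return

    import sys
    import pexpect
    try:
        import configparser as ConfigParser
    except ImportError:  # Python 2
        import ConfigParser

    log = logging.getLogger('koji.plugin.sign')

    # Get the tag name from the buildroot map
    sys.path.insert(0, '/usr/share/koji-hub')
    from kojihub import get_buildroot
    brmap = kws['brmap']
    if not brmap:
        raise Exception('No buildroot recorded for this build; cannot pick a signing key')
    br = get_buildroot(next(iter(brmap.values())))
    tag_name = br['tag_name']

    # Get GPG info using the config for the tag name; a tag without its own
    # section uses [DEFAULT] instead of raising NoSectionError.
    config = ConfigParser.ConfigParser()
    if not config.read(config_file):
        raise Exception('Cannot read signing config %s' % config_file)
    section = tag_name if config.has_section(tag_name) else ConfigParser.DEFAULTSECT
    rpm = config.get(section, 'rpm')
    gpgbin = config.get(section, 'gpgbin')
    gpg_path = config.get(section, 'gpg_path')
    gpg_name = config.get(section, 'gpg_name')
    gpg_pass = config.get(section, 'gpg_pass')

    # Get the package paths set up
    from koji import pathinfo
    uploadpath = pathinfo.work()
    rpm_paths = ['%s/%s' % (uploadpath, relpath)
                 for relpath in [kws['srpm']] + kws['rpms']]

    # Arguments go to pexpect as a list: a key name or file name containing
    # spaces or quotes stays one argv entry and cannot turn into extra rpm
    # options, which a space-joined command string would allow.
    rpm_args = ['--resign',
                '--define', '_signature gpg',
                '--define', '_gpgbin %s' % gpgbin,
                '--define', '_gpg_path %s' % gpg_path,
                '--define', '_gpg_name %s' % gpg_name] + rpm_paths
    outcomes = {1: 'Pass phrase check failed!',
                2: 'Package sign skipped!',
                3: 'Package sign timed out!'}

    log.info('Attempting to sign packages (%s) with key "%s"',
             ' '.join(rpm_paths), gpg_name)
    pex = pexpect.spawn(rpm, rpm_args, timeout=1000)
    try:
        pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
        pex.sendline(gpg_pass)
        i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
        if i != 3:
            pex.expect(pexpect.EOF)
    finally:
        # Also reaps an rpm that is still running after a timeout instead of
        # leaving it behind when we raise.
        pex.close(force=True)

    if i != 0:
        log.error(outcomes.get(i, 'Unexpected sign result!'))
        raise Exception('Package sign failed!')
    # 'good' only means the passphrase was accepted; whether every package
    # was actually signed is reported by rpm's exit status.
    if pex.exitstatus != 0:
        log.error('rpm --resign exited with status %s', pex.exitstatus)
        raise Exception('Package sign failed!')
    log.info('Package sign successful!')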

# Run sign() on the hub's preImport callback, i.e. before a build's RPMs are
# imported; sign() itself ignores anything that is not a 'build' import.
register_callback('preImport', sign)


sign.conf:
[DEFAULT]
rpm = /bin/rpm
gpgbin = /usr/bin/gpg
gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
gpg_name = My Company, Inc. <support@mycompany.com>
gpg_pass = my_passphrase

# Defaults can be overridden on a per-tag basis
[dist-foo-build]
gpg_name = My Other Company, Inc. <support@myothercompany.com>
gpg_pass = my_other_passphrase




Cheers...Paul...


--
---
Paul B Schroeder
<paulbsch "at" vbridges "dot" com>
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
Old 12-17-2010, 06:56 AM
Oliver Falk
 
Default koji sign plugin

The gpg key must only be available on the hub host, right!?

-of

Paul B Schroeder <paulbsch@vbridges.com> schrieb:

>As a follow up to the recent thread on singing RPMs in koji...and the many times this question pops
>up on the list. I've written some code that uses the koji plugin framework for signing packages.
>I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful
>to get this into the koji-hub-plugins package?
>
>At any rate, here is the code and an example config file.. sign.py goes into your PluginPath.
>The config file needs to be readable by the apache user and should probably be chmoded 600. Also,
>make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.
>
>
>sign.py:
># Koji callback for GPG signing RPMs before import
>#
># Author:
># Paul B Schroeder <paulbsch "at" vbridges "dot" com>
>
>from koji.plugin import register_callback
>import logging
>
>config_file = '/usr/lib/koji-hub-plugins/sign.conf'
>
>def sign(cbtype, *args, **kws):
> if kws['type'] != 'build':
> return
>
> # Get the tag name from the buildroot map
> import sys
> sys.path.insert(0, '/usr/share/koji-hub')
> from kojihub import get_buildroot
> br_id = kws['brmap'].values()[0]
> br = get_buildroot(br_id)
> tag_name = br['tag_name']
>
> # Get GPG info using the config for the tag name
> from ConfigParser import ConfigParser
> config = ConfigParser()
> config.read(config_file)
> rpm = config.get(tag_name, 'rpm')
> gpgbin = config.get(tag_name, 'gpgbin')
> gpg_path = config.get(tag_name, 'gpg_path')
> gpg_name = config.get(tag_name, 'gpg_name')
> gpg_pass = config.get(tag_name, 'gpg_pass')
>
> # Get the package paths set up
> from koji import pathinfo
> uploadpath = pathinfo.work()
> rpms = '
> for relpath in [kws['srpm']] + kws['rpms']:
> rpms += '%s/%s ' % (uploadpath, relpath)
>
> # Get the packages signed
> import pexpect
> logging.getLogger('koji.plugin.sign').info('Attemp ting to sign packages'
> ' (%s) with key "%s"' % (rpms, gpg_name))
> rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
> rpm_cmd += " --define '_gpgbin %s'" % gpgbin
> rpm_cmd += " --define '_gpg_path %s'" % gpg_path
> rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
> pex = pexpect.spawn(rpm_cmd, timeout=1000)
> pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
> pex.sendline(gpg_pass)
> i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
> if i == 0:
> logging.getLogger('koji.plugin.sign').info('Packag e sign successful!')
> elif i == 1:
> logging.getLogger('koji.plugin.sign').error('Pass phrase check failed!')
> elif i == 2:
> logging.getLogger('koji.plugin.sign').error('Packa ge sign skipped!')
> elif i == 3:
> logging.getLogger('koji.plugin.sign').error('Packa ge sign timed out!')
> else:
> logging.getLogger('koji.plugin.sign').error('Unexp ected sign result!')
> if i != 0:
> raise Exception, 'Package sign failed!'
> pex.expect(pexpect.EOF)
>
>register_callback('preImport', sign)
>
>
>sign.conf:
>[DEFAULT]
>rpm = /bin/rpm
>gpgbin = /usr/bin/gpg
>gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
>gpg_name = My Company, Inc. <support@mycompany.com>
>gpg_pass = my_passphrase
>
># Defaults can be overridden on a per-tag basis
>[dist-foo-build]
>gpg_name = My Other Company, Inc. <support@myothercompany.com>
>gpg_pass = my_other_passphrase
>
>
>
>
>Cheers...Paul...
>
>
>--
>---
>Paul B Schroeder
><paulbsch "at" vbridges "dot" com>
>--
>buildsys mailing list
>buildsys@lists.fedoraproject.org
>https://admin.fedoraproject.org/mailman/listinfo/buildsys
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
Old 12-17-2010, 06:58 AM
Paul B Schroeder
 
Default koji sign plugin

On 12/17/2010 01:56 AM, Oliver Falk wrote:
> The gpg key must only be available on the hub host, right!?
Correct.

>
> -of
>
> Paul B Schroeder<paulbsch@vbridges.com> schrieb:
>
>> As a follow up to the recent thread on singing RPMs in koji...and the many times this question pops
>> up on the list. I've written some code that uses the koji plugin framework for signing packages.
>> I'm betting this may be useful to many folks that don't want/need sigul. It might also be useful
>> to get this into the koji-hub-plugins package?
>>
>> At any rate, here is the code and an example config file.. sign.py goes into your PluginPath.
>> The config file needs to be readable by the apache user and should probably be chmoded 600. Also,
>> make sure you add sign to the Plugins option in hub.conf. Oh, you'll want to install pexpect too.
>>
>>
>> sign.py:
>> # Koji callback for GPG signing RPMs before import
>> #
>> # Author:
>> # Paul B Schroeder<paulbsch "at" vbridges "dot" com>
>>
>>from koji.plugin import register_callback
>> import logging
>>
>> config_file = '/usr/lib/koji-hub-plugins/sign.conf'
>>
>> def sign(cbtype, *args, **kws):
>> if kws['type'] != 'build':
>> return
>>
>> # Get the tag name from the buildroot map
>> import sys
>> sys.path.insert(0, '/usr/share/koji-hub')
>> from kojihub import get_buildroot
>> br_id = kws['brmap'].values()[0]
>> br = get_buildroot(br_id)
>> tag_name = br['tag_name']
>>
>> # Get GPG info using the config for the tag name
>> from ConfigParser import ConfigParser
>> config = ConfigParser()
>> config.read(config_file)
>> rpm = config.get(tag_name, 'rpm')
>> gpgbin = config.get(tag_name, 'gpgbin')
>> gpg_path = config.get(tag_name, 'gpg_path')
>> gpg_name = config.get(tag_name, 'gpg_name')
>> gpg_pass = config.get(tag_name, 'gpg_pass')
>>
>> # Get the package paths set up
>> from koji import pathinfo
>> uploadpath = pathinfo.work()
>> rpms = '
>> for relpath in [kws['srpm']] + kws['rpms']:
>> rpms += '%s/%s ' % (uploadpath, relpath)
>>
>> # Get the packages signed
>> import pexpect
>> logging.getLogger('koji.plugin.sign').info('Attemp ting to sign packages'
>> ' (%s) with key "%s"' % (rpms, gpg_name))
>> rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
>> rpm_cmd += " --define '_gpgbin %s'" % gpgbin
>> rpm_cmd += " --define '_gpg_path %s'" % gpg_path
>> rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
>> pex = pexpect.spawn(rpm_cmd, timeout=1000)
>> pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
>> pex.sendline(gpg_pass)
>> i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
>> if i == 0:
>> logging.getLogger('koji.plugin.sign').info('Packag e sign successful!')
>> elif i == 1:
>> logging.getLogger('koji.plugin.sign').error('Pass phrase check failed!')
>> elif i == 2:
>> logging.getLogger('koji.plugin.sign').error('Packa ge sign skipped!')
>> elif i == 3:
>> logging.getLogger('koji.plugin.sign').error('Packa ge sign timed out!')
>> else:
>> logging.getLogger('koji.plugin.sign').error('Unexp ected sign result!')
>> if i != 0:
>> raise Exception, 'Package sign failed!'
>> pex.expect(pexpect.EOF)
>>
>> register_callback('preImport', sign)
>>
>>
>> sign.conf:
>> [DEFAULT]
>> rpm = /bin/rpm
>> gpgbin = /usr/bin/gpg
>> gpg_path = /usr/lib/koji-hub-plugins/sign_gnupg
>> gpg_name = My Company, Inc.<support@mycompany.com>
>> gpg_pass = my_passphrase
>>
>> # Defaults can be overridden on a per-tag basis
>> [dist-foo-build]
>> gpg_name = My Other Company, Inc.<support@myothercompany.com>
>> gpg_pass = my_other_passphrase
>>
>>
>>
>>
>> Cheers...Paul...
>>
>>
>> --
>> ---
>> Paul B Schroeder
>> <paulbsch "at" vbridges "dot" com>
>> --
>> buildsys mailing list
>> buildsys@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/buildsys

--
---
Paul B Schroeder
<paulbsch "at" vbridges "dot" com>
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
Old 02-03-2011, 01:24 PM
Pierre Guillet
 
Default koji sign plugin

Hello,

Thank you for your Koji callback.

I made some modifications:
+ to handle the DEFAULT section (if no section for the tag name is defined)
+ to support empty GPG pass-phrase
+ to work on localized OS

+ to log GPG messages if rpm --resign fails

Note: your GPG directory (gpg_path in the .conf file) must be readable and writable by apache (the user that runs the Koji hub)

Regards,
Pierre


# Koji callback for GPG signing RPMs before import
#
# Author:
#**** Paul B Schroeder <paulbsch "at" vbridges "dot" com>

from koji.plugin import register_callback
import logging


# Configuration file in /etc like for other plugins.  It holds the per-tag
# rpm/gpgbin/gpg_path/gpg_name/gpg_pass settings read by sign(), including
# the key passphrase, so it must be readable by the hub user only.
CONFIG_FILE = '/etc/koji-hub/plugins/sign.conf'

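def sign(cbtype, *args, **kws):
    """Koji ``preImport`` callback that GPG-signs a build's RPMs in place.

    Only ``type == 'build'`` imports are handled.  The rpm binary, gpg
    binary, gpg home directory, key name and passphrase come from
    ``CONFIG_FILE``: the section named after the buildroot's tag is used
    when present, otherwise ``[DEFAULT]``.  An empty ``gpg_pass`` is
    allowed; the prompt is then answered with a bare newline.

    ``rpm`` runs with ``LC_ALL=C`` so the prompt and result strings matched
    below are not localized; the variable is set for the child only, the
    hub process environment is left alone.  rpm's output is captured to a
    temporary file and every ``gpg:`` line in it is logged when signing
    fails.

    Args:
        cbtype: callback type string supplied by koji (unused here).
        *args: positional callback arguments (unused here).
        **kws: callback keywords; ``type``, ``brmap``, ``srpm`` and ``rpms``
            are read.

    Raises:
        Exception: when no buildroot is recorded, the config file cannot be
            read, the passphrase is not accepted, or ``rpm --resign`` exits
            non-zero.  ``pexpect.EOF``/``pexpect.TIMEOUT`` propagate if rpm
            never shows the pass phrase prompt.
    """
    if kws['type'] != 'build':
        return

    import os
    import sys
    import tempfile
    import pexpect
    try:
        import configparser as ConfigParser
    except ImportError:  # Python 2
        import ConfigParser

    log = logging.getLogger('koji.plugin.sign')

    # Get the tag name from the buildroot map
    sys.path.insert(0, '/usr/share/koji-hub')
    from kojihub import get_buildroot
    brmap = kws['brmap']
    if not brmap:
        raise Exception('No buildroot recorded for this build; cannot pick a signing key')
    br = get_buildroot(next(iter(brmap.values())))
    tag_name = br['tag_name']

    # Get GPG info using the config for the tag name, falling back to
    # [DEFAULT] once instead of catching NoSectionError per option.
    config = ConfigParser.ConfigParser()
    if not config.read(CONFIG_FILE):
        raise Exception('Cannot read signing config %s' % CONFIG_FILE)
    section = tag_name if config.has_section(tag_name) else ConfigParser.DEFAULTSECT
    rpm = config.get(section, 'rpm')
    gpgbin = config.get(section, 'gpgbin')
    gpg_path = config.get(section, 'gpg_path')
    gpg_name = config.get(section, 'gpg_name')
    gpg_pass = config.get(section, 'gpg_pass')

    # Get the package paths set up
    from koji import pathinfo
    uploadpath = pathinfo.work()
    rpm_paths = ['%s/%s' % (uploadpath, relpath)
                 for relpath in [kws['srpm']] + kws['rpms']]

    # Arguments go to pexpect as a list: a key name or file name containing
    # spaces or quotes stays one argv entry and cannot turn into extra rpm
    # options, which a space-joined command string would allow.
    rpm_args = ['--resign',
                '--define', '_signature gpg',
                '--define', '_gpgbin %s' % gpgbin,
                '--define', '_gpg_path %s' % gpg_path,
                '--define', '_gpg_name %s' % gpg_name] + rpm_paths
    # LC_ALL=C for the child only; mutating os.environ would change the
    # locale of the whole hub process for every later request.
    child_env = dict(os.environ, LC_ALL='C')
    outcomes = {1: 'Pass phrase check failed!',
                2: 'Package sign skipped!',
                3: 'Package sign timed out!'}

    log.info('Attempting to sign packages (%s) with key "%s"',
             ' '.join(rpm_paths), gpg_name)
    # Capture rpm's output for diagnostics.  logfile_read records only what
    # the child prints; plain logfile would also record what we send, i.e.
    # the passphrase, into this file.
    fout = tempfile.TemporaryFile()
    try:
        pex = pexpect.spawn(rpm, rpm_args, timeout=1000, env=child_env)
        pex.logfile_read = fout
        try:
            pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
            # sendline() appends the newline itself, so an empty passphrase
            # answers the prompt with a bare newline.
            pex.sendline(gpg_pass)
            i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
            if i != 3:
                # Drain the rest of rpm's output so the gpg: diagnostics in
                # fout are complete before they are inspected.
                pex.expect(pexpect.EOF)
        finally:
            # Also reaps an rpm still running after a timeout instead of
            # leaving it behind when we raise.
            pex.close(force=True)

        if i == 0 and pex.exitstatus == 0:
            log.info('Package sign successful!')
            return
        if i == 0:
            # 'good' only means the passphrase was accepted; a later
            # per-package failure shows up in rpm's exit status.
            log.error('rpm --resign exited with status %s', pex.exitstatus)
        else:
            log.error(outcomes.get(i, 'Unexpected sign result!'))
        # Rewind in rpm output and add GPG errors to log
        fout.seek(0)
        for line in fout:
            if isinstance(line, bytes):
                line = line.decode('utf-8', 'replace')
            if 'gpg:' in line:
                log.error(line.rstrip('\n'))
        raise Exception('Package sign failed!')
    finally:
        fout.close()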

# Run sign() on the hub's preImport callback, i.e. before a build's RPMs are
# imported; sign() itself ignores anything that is not a 'build' import.
register_callback('preImport', sign)





Regards,
Pierre



--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
Old 02-03-2011, 04:20 PM
Paul B Schroeder
 
Default koji sign plugin

On 02/03/2011 08:24 AM, Pierre Guillet wrote:
> Hello,
>
> Thank you for your Koji callback.
>
> I perform some modifications:
> + to handle DEFAULT section (if section for Tag name is not defined)
That was added to the code I posted in the ticket:
https://fedorahosted.org/koji/ticket/203

> + to support empty GPG pass-phrase
> + to work on localized OS
> + to log GPG messages if rpm --resign fails
You may want to add these changes to what was posted in the ticket and
attach it there.

>
> Note: your GPG directory (gpg_path in .conf file) must be readable and
> writeable by apache (the user which runs Koji hub)
The location of the config file was also changed in what is posted in
the ticket.

Thanks for the updates...Paul..


>
> # Koji callback for GPG signing RPMs before import
> #
> # Author:
> # Paul B Schroeder <paulbsch "at" vbridges "dot" com>
>
> from koji.plugin import register_callback
> import logging
>
> # Configuration file in /etc like for other plugins
> CONFIG_FILE = '/etc/koji-hub/plugins/sign.conf'
>
> def sign(cbtype, *args, **kws):
> if kws['type'] != 'build':
> return
>
> # Get the tag name from the buildroot map
> import sys
> sys.path.insert(0, '/usr/share/koji-hub')
> from kojihub import get_buildroot
> br_id = kws['brmap'].values()[0]
> br = get_buildroot(br_id)
> tag_name = br['tag_name']
>
> # Get GPG info using the config for the tag name
> import ConfigParser
> config = ConfigParser.ConfigParser()
> config.read(CONFIG_FILE)
> try:
> rpm = config.get(tag_name, 'rpm')
> except ConfigParser.NoSectionError:
> rpm = config.get(ConfigParser.DEFAULTSECT, 'rpm')
> try:
> gpgbin = config.get(tag_name, 'gpgbin')
> except ConfigParser.NoSectionError:
> gpgbin = config.get(ConfigParser.DEFAULTSECT, 'gpgbin')
> try:
> gpg_path = config.get(tag_name, 'gpg_path')
> except ConfigParser.NoSectionError:
> gpg_path = config.get(ConfigParser.DEFAULTSECT, 'gpg_path')
> try:
> gpg_name = config.get(tag_name, 'gpg_name')
> except ConfigParser.NoSectionError:
> gpg_name = config.get(ConfigParser.DEFAULTSECT, 'gpg_name')
> try:
> gpg_pass = config.get(tag_name, 'gpg_pass')
> except ConfigParser.NoSectionError:
> gpg_pass = config.get(ConfigParser.DEFAULTSECT, 'gpg_pass')
>
> # Get the package paths set up
> from koji import pathinfo
> uploadpath = pathinfo.work()
> rpms = '
> for relpath in [kws['srpm']] + kws['rpms']:
> rpms += '%s/%s ' % (uploadpath, relpath)
>
> # Get the packages signed
> import pexpect
> import os
> os.environ['LC_ALL'] = 'C'
> logging.getLogger('koji.plugin.sign').info('Attemp ting to sign
> packages'
> ' (%s) with key "%s"' % (rpms, gpg_name))
> rpm_cmd = "%s --resign --define '_signature gpg'" % rpm
> rpm_cmd += " --define '_gpgbin %s'" % gpgbin
> rpm_cmd += " --define '_gpg_path %s'" % gpg_path
> rpm_cmd += " --define '_gpg_name %s' %s" % (gpg_name, rpms)
> pex = pexpect.spawn(rpm_cmd, timeout=1000)
> # Add rpm output to a temporary file
> fout = os.tmpfile()
> pex.logfile = fout
> pex.expect('(E|e)nter (P|p)ass (P|p)hrase:', timeout=1000)
> if not gpg_pass:
> pex.sendline('
')
> else:
> pex.sendline(gpg_pass)
> i = pex.expect(['good', 'failed', 'skipping', pexpect.TIMEOUT])
> pex.expect(pexpect.EOF)
> if i == 0:
> logging.getLogger('koji.plugin.sign').info('Packag e sign
> successful!')
> elif i == 1:
> logging.getLogger('koji.plugin.sign').error('Pass phrase check
> failed!')
> elif i == 2:
> logging.getLogger('koji.plugin.sign').error('Packa ge sign
> skipped!')
> elif i == 3:
> logging.getLogger('koji.plugin.sign').error('Packa ge sign timed
> out!')
> else:
> logging.getLogger('koji.plugin.sign').error('Unexp ected sign
> result!')
> if i != 0:
> # Rewind in rpm output
> fout.seek(0)
> # Add GPG errors to log
> for line in fout.readlines():
> if 'gpg:' in line:
>
> logging.getLogger('koji.plugin.sign').error(line.r strip('
'))
> fout.close()
> raise Exception, 'Package sign failed!'
> else:
> fout.close()
>
> register_callback('preImport', sign)
>
>
>
>
>
> Regards,
> Pierre
>
>
>
>
> --
> buildsys mailing list
> buildsys@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys

--
---
Paul B Schroeder
<paulbsch "at" vbridges "dot" com>
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
 
