search

ceph / merfi

Finds and signs files with different signing tools (gpg, rpm-sign)
MIT License
3 stars 3 forks source link

RFE: verify rpm-sign has generated output #58

Closed ktdreyer closed 6 years ago

ktdreyer commented 6 years ago

Last week we ended up with some repos with zero-length InRelease files.

As far as I can tell the rpm-sign --clearsign command failed to write anything substantive to STDOUT. I'm still investigating with the relevant teams to understand how rpm-sign could've broken like that.

In the spirit of being strict in what we output, we should probably check that out.strip() != '' in merfi/backends/rpm_sign.py before writing to the InRelease file on disk, and raise RpmSignException if that happens.

ktdreyer commented 6 years ago

Looks like we are also throwing away the return code from the rpm-sign invocation. We should verify that is 0 as well.

ktdreyer commented 6 years ago

I have a branch at https://github.com/ktdreyer/merfi/tree/rpm-sign-checks . Still need to do some testing with real repos and real signing.

ktdreyer commented 6 years ago

Ok, tested and it works.