RpmSign: check --clearsign exit code and stdout

ceph / merfi

Finds and signs files with different signing tools (gpg, rpm-sign)

MIT License

3 stars 3 forks source link

RpmSign: check --clearsign exit code and stdout #60

Closed ktdreyer closed 6 years ago

ktdreyer commented 6 years ago

Prior to this change, if rpm-sign --clearsign exited with a non-zero exit code, we would not treat this as fatal, nor log anything at all.

Treat rpm-sign --clearsign failures as fatal, sanity-checking the exit code and the resulting stdout string.

ktdreyer commented 6 years ago

Fixes https://github.com/alfredodeza/merfi/issues/58

ktdreyer commented 6 years ago

@ahills @tserlin FYI

ktdreyer commented 6 years ago

The way I tested this was to create a dummy wrapper that would bail on --clearsign:

#!/bin/bash
# Fake rpm-sign that bails on --clearsign
set -eu

for OPTION in "$@"; do
  if [[ "--clearsign" = $OPTION ]]; then
    (>&2 echo "bailing on --clearsign")
    exit 0  # or exit 1 to test non-zero exit codes
  fi
done

exec /usr/bin/rpm-sign $@