saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[BUG] Unsigned SRPM packages for RHEL 8 #61212

Open dkacar-oradian opened 2 years ago

dkacar-oradian commented 2 years ago

Description

I was mirroring your RPM repository at https://repo.saltproject.io/py3/redhat/8/x86_64/latest with reposync -g and got these errors:

Removing Cython-0.29.6-2.el8.src.rpm: Package Cython-0.29.6-2.el8.src.rpm is not signed
Removing python-funcsigs-1.0.2-13.el8.src.rpm: Package python-funcsigs-1.0.2-13.el8.src.rpm is not signed
Removing python-libcloud-2.4.0-1.el8.src.rpm: Package python-libcloud-2.4.0-1.el8.src.rpm is not signed
Removing python-libcloud-3.2.0-1.el8.src.rpm: Package python-libcloud-3.2.0-1.el8.src.rpm is not signed
Removing python-mock-2.0.0-14.el8.src.rpm: Package python-mock-2.0.0-14.el8.src.rpm is not signed
Removing python-pbr-5.1.2-3.el8.src.rpm: Package python-pbr-5.1.2-3.el8.src.rpm is not signed
Removing python-typing-3.5.2.2-4.el8.src.rpm: Package python-typing-3.5.2.2-4.el8.src.rpm is not signed
Removing salt-3004-1.el8.src.rpm: Package salt-3004-1.el8.src.rpm is not signed
Error: GPG signature check failed.

All of those packages are in the SRPMS directory.

I can't put the mirroring script in a cron job because every invocation would spit out these errors and then that would go to a bunch of people who won't be happy with those reports.

So, please, make these errors go away.

Setup

I suppose you can invoke reposync -g in any kind of setup to reproduce the error. Or you can just manually inspect the packages. This one is fine:

> rpm -qi -p salt-3004-1.el8.noarch.rpm | grep '^Signature'
Signature   : RSA/SHA256, Wed 13 Oct 2021 02:46:12 AM CEST, Key ID 0e08a149de57bfbe

But SRPMs aren't:

> wget https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SRPMS/salt-3004-1.el8.src.rpm
> rpm -qi -p salt-3004-1.el8.src.rpm | grep '^Signature'
Signature   : (none)

Steps to Reproduce the behavior

Not applicable.

Expected behavior

All packages should be signed with Salt's GPG key.

Screenshots

If applicable, add screenshots to help explain your problem.

Versions Report

Not applicable.

Additional context

I didn't check the repository for other OS version(s). The same problem might be present there, as well.

bryceml commented 2 years ago

I believe this is a bug in salt https://github.com/saltstack/salt/blob/master/salt/modules/rpmbuild_pkgbuild.py#L745

It appears that the pkgbuild.repo state calls pkgbuild.make_repo and that function only scans the top level for rpms to sign, and not the SRPMS sub-folder.

https://github.com/saltstack/salt-pack-py3/blob/develop/file_roots/repo/redhat/rhel8/init.sls is where that state is run from.
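The reporter's manual check (rpm -qi -p ... | grep '^Signature') and bryceml's diagnosis (make_repo only scans the top level, so SRPMS/ is never signed) both come down to the same two operations: walk every package in the tree, not just the top directory, and read each package's Signature field. The Python script below is an added example, not code from the Salt project or from either commenter. It assumes rpm is on PATH when run against a real mirror; find_rpms(recursive=False) reproduces the top-level-only scan described above, and the expected key ID is the one visible in the reporter's output for the signed noarch package. It also goes one step beyond a presence check: a package signed by some other key is reported separately, since a mirror that only asks "is there a signature?" would accept it.

```python
"""Recursive RPM/SRPM signature audit for a mirrored yum repository.

Added example; it is not code from the Salt project or from the issue.
It assumes `rpm` is on PATH when run against a real mirror; the parsing
and directory-walking helpers are pure and are exercised only on
constructed rpm output, not on real packages.
"""
import subprocess
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Key ID shown in the issue for the correctly signed noarch package.
EXPECTED_KEY_ID = "0e08a149de57bfbe"


def find_rpms(root: str, recursive: bool = True) -> List[Path]:
    """Return every *.rpm below root.

    With recursive=False only the top level is scanned, which is the
    behaviour bryceml describes for make_repo and is why an SRPMS/
    sub-folder is never signed.  A mirror audit must use recursive=True.
    """
    pattern = "**/*.rpm" if recursive else "*.rpm"
    return sorted(Path(root).glob(pattern))


def parse_signature(rpm_qi_output: str) -> Optional[str]:
    """Pull the Signature field out of `rpm -qi -p <pkg>` text.

    Returns None for an unsigned package, whose field reads "(none)".
    """
    for line in rpm_qi_output.splitlines():
        if line.startswith("Signature"):
            value = line.partition(":")[2].strip()
            return None if value == "(none)" else value
    return None  # no Signature line at all: treat as unsigned


def key_id_of(signature: str) -> Optional[str]:
    """Extract the hex key ID from a Signature value such as
    'RSA/SHA256, Wed 13 Oct 2021 02:46:12 AM CEST, Key ID 0e08a149de57bfbe'."""
    marker = "Key ID "
    idx = signature.find(marker)
    return signature[idx + len(marker):].strip().lower() if idx >= 0 else None


def query_signature(pkg: Path) -> Optional[str]:
    """Ask rpm for the package header and parse the Signature field."""
    proc = subprocess.run(
        ["rpm", "-qi", "-p", str(pkg)], capture_output=True, text=True, check=True
    )
    return parse_signature(proc.stdout)


def audit(
    root: str,
    expected_key_id: str = EXPECTED_KEY_ID,
    query: Callable[[Path], Optional[str]] = query_signature,
) -> Dict[str, List[str]]:
    """Classify every RPM and SRPM under root.

    'unsigned' is what reposync -g rejects; 'wrong_key' catches packages
    that are signed, but not by the key the mirror is supposed to trust,
    which a presence-only check would accept.
    """
    report: Dict[str, List[str]] = {"ok": [], "unsigned": [], "wrong_key": []}
    for pkg in find_rpms(root, recursive=True):
        rel = str(pkg.relative_to(root))
        sig = query(pkg)
        if sig is None:
            report["unsigned"].append(rel)
        elif key_id_of(sig) != expected_key_id.lower():
            report["wrong_key"].append(rel)
        else:
            report["ok"].append(rel)
    return report


if __name__ == "__main__":
    import sys

    result = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, names in result.items():
        for name in names:
            print(f"{bucket}: {name}")
    # Non-zero exit makes the script usable as a gate before publishing a mirror.
    sys.exit(1 if result["unsigned"] or result["wrong_key"] else 0)
```

Run it as python audit.py /path/to/mirror after reposync has fetched the tree; the exit status is non-zero when any package under the root, SRPMS/ included, is unsigned or signed by a key other than the expected one, so it can sit in the same cron job the reporter describes and fail loudly only when something is actually wrong.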