tarantool / mkrepo

Maintain DEB and RPM repositories on S3

Feature Request: Signing RPMs #4

Open geoghegan opened 7 years ago

geoghegan commented 7 years ago

It looks like mkrepo can only sign an RPM repo's metadata, not the actual RPM file itself.

It would be a really cool feature if mkrepo could:

  1. Pull down the RPMs from the s3 bucket's Packages directory
  2. Check if the RPMs are signed using the key specified in ~/.rpmmacros or the default key in GPG
  3. If and only if the RPMs are not signed with the key specified in ~/.rpmmacros or the default key in GPG, sign the RPMs
  4. Upload the signed RPMs to the Packages directory in the s3 bucket
  5. Sign the repo metadata (which it already does)

knazarov commented 7 years ago

@geoghegan yes, that will be nice to have. To implement that, the rpmfile module will need to be extended to write file metadata.

And, we need to somehow detect the lack of signature just by looking at the metadata.

geoghegan commented 7 years ago

In bash, the signature can be checked by doing:

```bash
# Check whether the RPM already carries a signature from our key ($KEYID); bail if it does.
# --verbose makes rpm print the key ID of each signature it finds.
SIGNING_CHECK=$(rpm --verbose --checksig "$FILENAME")
if echo "$SIGNING_CHECK" | grep -q "key ID $KEYID"; then
  echo "RPM Signed as $SIGNING_CHECK -- bailing"
  exit 1
fi
echo "RPM Not Signed"
```

What becomes annoying is piping the GPG key's password into rpm --sign. The workaround I've found, at least in bash, is to use the expect command in the following snippet of code:

```bash
# Drive rpm's interactive passphrase prompt with expect.
# $FILENAME and ${GPG_PASS} are expanded by bash before expect sees the script.
expect <<EOD
  spawn bash -c "rpm --addsign $FILENAME"
  expect "Enter pass phrase:"
  send "${GPG_PASS}\r"
  expect eof
EOD
```

The steps I have in my initial feature request might sound a bit strange; however, they allow people to decouple the build and deploy of unsigned RPMs, with mkrepo responsible for "promoting" the signed packages by pulling down the unsigned RPM, signing it, and redeploying it to an S3 bucket.

knazarov commented 7 years ago

@geoghegan It's clear how to check for a signature when the file is present on the local machine. But imagine you are running mkrepo against an s3 bucket. Then you'll have to basically download every package to check if it's signed. We need a way to detect the presence of a file signature from the central metadata file.

OR, alternatively, we can just assume that every file that exists in the metadata was already handled by us, and should have been signed.

As for signing using gpg, there are a few functions in mkrepo that already handle the interactive prompt, as the metadata files are signed using gpg.

knazarov commented 7 years ago

It'd be really nice if anyone could help with writing code that injects a signature into RPM files. It shouldn't be that hard, as the file format is pretty straightforward.

geoghegan commented 7 years ago

Yeah, it would be nice to check the metadata of the RPMs without downloading them - that is difficult, though, unless you can guarantee that all RPMs in the repo are already signed - e.g. only "new" RPMs are unsigned.
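The check the thread keeps coming back to (is this RPM already signed, without pulling the whole package down from S3?) can be answered from the RPM file itself rather than from repo metadata: a GPG-signed RPM carries the signature in its signature header, which sits right after the 96-byte lead, so only the first few kilobytes of the object are needed. The following is an added example, not mkrepo's rpmfile module or any code from this issue; the tag numbers are rpm's standard signature tags, the lead/header layout is the documented RPM v3 format, and the two RPM byte strings are constructed samples built by the `build_rpm_prefix` helper, not real packages.

```python
"""Signature detection from the RPM signature header (added example, not
mkrepo code).  Tag numbers are rpm's standard signature tags; the RPM byte
strings below are constructed samples, not real packages."""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic followed by structure version 1

# Signature-header tags that carry an OpenPGP signature (rpm's rpmtag.h).
RPMSIGTAG_PGP = 1002  # legacy RSA signature over header + payload
RPMSIGTAG_GPG = 1005  # legacy DSA signature over header + payload
RPMSIGTAG_DSA = 267   # DSA signature over the header
RPMSIGTAG_RSA = 268   # RSA signature over the header
SIGNATURE_TAGS = {RPMSIGTAG_PGP, RPMSIGTAG_GPG, RPMSIGTAG_DSA, RPMSIGTAG_RSA}

# Tags and data types used by the constructed samples.
RPMSIGTAG_SIZE = 1000
RPMSIGTAG_MD5 = 1004
RPM_INT32_TYPE = 4
RPM_BIN_TYPE = 7


def signature_header_length(data):
    """Bytes from file start to the end of the signature header's data store.

    Needs only the lead plus the 16-byte header preamble, so a small initial
    range read is enough to learn how much more (if anything) to fetch."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    pre = data[RPM_LEAD_SIZE:RPM_LEAD_SIZE + 16]
    if len(pre) < 16 or pre[:4] != HEADER_MAGIC:
        raise ValueError("bad or truncated signature header preamble")
    nindex, hsize = struct.unpack(">II", pre[8:16])
    return RPM_LEAD_SIZE + 16 + 16 * nindex + hsize


def parse_signature_header(data):
    """Return {tag: raw bytes} for every entry in the signature header.

    Only BIN and INT32 entries are decoded; other types map to None."""
    end = signature_header_length(data)
    if len(data) < end:
        raise ValueError("truncated signature header: need %d bytes" % end)
    nindex, hsize = struct.unpack(">II", data[RPM_LEAD_SIZE + 8:RPM_LEAD_SIZE + 16])
    index_start = RPM_LEAD_SIZE + 16
    store = data[index_start + 16 * nindex:end]
    entries = {}
    for i in range(nindex):
        entry = data[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, offset, count = struct.unpack(">IIII", entry)
        if typ == RPM_BIN_TYPE:
            entries[tag] = store[offset:offset + count]
        elif typ == RPM_INT32_TYPE:
            entries[tag] = store[offset:offset + 4 * count]
        else:
            entries[tag] = None
    return entries


def is_signed(data):
    """True if the signature header holds any OpenPGP signature tag."""
    return bool(SIGNATURE_TAGS & set(parse_signature_header(data)))


def build_rpm_prefix(entries):
    """Construct lead + signature header from [(tag, type, value_bytes)].

    Sample scaffolding only: real RPMs come from rpmbuild, not from here."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5)
            + b"\0" * 16)
    assert len(lead) == RPM_LEAD_SIZE
    index, store = b"", b""
    for tag, typ, value in entries:
        if typ == RPM_INT32_TYPE:
            store += b"\0" * (-len(store) % 4)  # int32 entries are 4-aligned
            count = len(value) // 4
        else:
            count = len(value)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += value
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    body = header + index + store
    body += b"\0" * (-len(body) % 8)  # signature header is padded to 8 bytes
    return lead + body


# Constructed samples: an unsigned package and one carrying an RSA header signature.
_COMMON = [(RPMSIGTAG_SIZE, RPM_INT32_TYPE, struct.pack(">I", 1234)),
           (RPMSIGTAG_MD5, RPM_BIN_TYPE, b"\x11" * 16)]
_FAKE_SIG = b"\x89\x02\x15" + b"\xaa" * 21  # placeholder bytes standing in for an OpenPGP packet
UNSIGNED_SAMPLE = build_rpm_prefix(_COMMON)
SIGNED_SAMPLE = build_rpm_prefix(_COMMON + [(RPMSIGTAG_RSA, RPM_BIN_TYPE, _FAKE_SIG)])

if __name__ == "__main__":
    for name, blob in (("unsigned", UNSIGNED_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(name, "needs", signature_header_length(blob), "bytes ->",
              "signed" if is_signed(blob) else "NOT signed")
```

Against a bucket, the same functions would run on a byte-range read of each object (S3 GetObject accepts an HTTP Range; fetching the first couple of kilobytes normally covers the lead and signature header, and `signature_header_length` says exactly how much to re-request if it did not), so no full package download is needed and no "everything in the metadata is already signed" assumption has to be made. The caveat is that a present tag tells you the package is signed, not by which key: matching a specific key ID, as the `rpm --checksig` snippet above does, means decoding the OpenPGP packet inside the tag, which this example deliberately leaves out.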