From 72ee6e077c4c5c93dfc5460430a862ebf445e54e Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 10:09:03 +0200
Subject: [PATCH] ensure things are properly signed before uploading to stage

---
 upload_stage_rpms | 4 ++++
 verify_stage_sigs | 28 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100755 verify_stage_sigs

diff --git a/upload_stage_rpms b/upload_stage_rpms
index 050a754..3ad1a37 100755
--- a/upload_stage_rpms
+++ b/upload_stage_rpms
@@ -5,4 +5,8 @@
 USER='yumrepostage'
 HOST='web01.osuosl.theforeman.org'
 
+if [[ "${VERSION}" != "nightly" ]]; then
+ ./verify_stage_sigs
+fi
+
 rsync --checksum --times --perms --recursive --links --verbose --partial --one-file-system --delete-after "tmp/$PROJECT/$VERSION/" "$USER@$HOST:rsync_cache/$PROJECT/$VERSION/"
diff --git a/verify_stage_sigs b/verify_stage_sigs
new file mode 100755
index 0000000..8d36312
--- /dev/null
+++ b/verify_stage_sigs
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+. settings
+
+ARCHES="x86_64 source"
+
+EXIT_CODE=0
+
+for os in $OSES; do
+ BASE="tmp/$PROJECT/$VERSION/$os"
+
+ for arch in $ARCHES; do
+ UNSIGNED_RPMS=$(./list_unsigned_rpms "$BASE/$arch" "$HALFGPGKEY")
+
+ if [[ -n "$UNSIGNED_RPMS" ]]; then
+ echo "$UNSIGNED_RPMS"
+ EXIT_CODE=1
+ fi
+ done
+done
+
+if [[ "${EXIT_CODE}" != "0" ]]; then
+ echo "RPMs not signed with ${HALFGPGKEY} found, aborting"
+fi
+
+exit ${EXIT_CODE}
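Review bot: The signature gate added before `rsync` in `upload_stage_rpms` stops the upload only if the script aborts on a failing command, and lines 1–4 of the file are outside the hunk, so it is not visible whether `set -e` is in effect. If it is not, a non-zero exit from `./verify_stage_sigs` is ignored and the tree is still synced to stage. Making the dependency explicit removes the doubt: `./verify_stage_sigs || exit 1`. A one-line comment above the `if`, such as `# nightly is exempt from the signature gate`, would also make the skip visible to the next reader.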
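Review bot: `verify_stage_sigs` passes vacuously when its inputs are missing: if `OSES` is empty or unset after `. settings`, the outer loop never runs and the script exits 0, and an empty `HALFGPGKEY` is passed to `./list_unsigned_rpms` unchecked. As this script is the gate for the stage upload it should fail closed, for example with `: "${OSES:?}" "${HALFGPGKEY:?}" "${PROJECT:?}" "${VERSION:?}"` directly after `. settings`. How `list_unsigned_rpms` handles a `$BASE/$arch` directory that does not exist is not visible here; if it prints nothing and returns 0, a missing tree is reported as fully signed, so a `[[ -d "$BASE/$arch" ]]` check inside the inner loop may be warranted. The abort message should go to stderr (`>&2`) and the last line is better quoted as `exit "${EXIT_CODE}"`.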