[projects/pld-ftp-admin] Add option to force resigning packages
baggins
baggins at pld-linux.org
Fri Feb 7 11:29:01 CET 2025
commit 8270b7e45fc8021f996e440de323579817c76515
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Fri Feb 7 10:19:29 2025 +0100
Add option to force resigning packages
Implemented by first removing the signature and then adding it back,
because rpm will refuse to resign if same signature is already present.
The reason is that some old rpm versions created malformed signatures that are
causing verification failures with strict OpenPGP implementations, such
as rpm-sequoia, and in turn make such package uninstallable and
unremovable without passing '--nosignature' to rpm <-e|-u|-i>.
error: rpmdbNextIterator: skipping h# 479
Header DSA signature: BAD (header tag 267: invalid OpenPGP signature: Parsing an OpenPGP packet:
Failed to parse Signature Packet
because: Signature appears to be created by a non-conformant OpenPGP implementation, see <https://github.com/rpm-software-management/rpm/issues/2351>.
because: Malformed MPI: leading bit is not set: expected bit 8 to be set in 11011 (1b))
bin/pfa-signpkg | 17 +++++++++++++----
modules/sign.py | 15 ++++++++++++---
2 files changed, 25 insertions(+), 7 deletions(-)
---
diff --git a/bin/pfa-signpkg b/bin/pfa-signpkg
index beff543..91ca8ae 100755
--- a/bin/pfa-signpkg
+++ b/bin/pfa-signpkg
@@ -16,10 +16,10 @@ from sign import is_signed, signpkgs
os.umask(0o022)
try:
- opts, args = getopt.getopt(sys.argv[1:], '')
+ opts, args = getopt.getopt(sys.argv[1:], 'f', ['force'])
except getopt.GetoptError:
print("ERR: options error", file=sys.stderr)
- print("sign.py tree package1 [package2...]", file=sys.stderr)
+ print("sign.py [-f|--force] tree package1 [package2...]", file=sys.stderr)
sys.exit(1)
if len(args) < 1:
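Review bot: The usage line rewritten on the second `+` line of this hunk still names the script `sign.py`, although the file being patched is bin/pfa-signpkg, so the help an operator sees after an option error points at the wrong command. Deriving the name from the invocation keeps it correct for both entry points: `print("%s [-f|--force] tree package1 [package2...]" % os.path.basename(sys.argv[0]), file=sys.stderr)`. Both `os` and `sys` are already used in this hunk (`os.umask`, `sys.argv`), so no new import is needed.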
@@ -31,6 +31,15 @@ if sign_key == None:
print("ERR: sign_key not defined in config", file=sys.stderr)
sys.exit(1)
+force_resign = False
+
+for o, a in opts:
+ if o in ("-f", "--force"):
+ force_resign = True
+ else:
+ print("ERR: Unknown option", file=sys.stderr)
+ sys.exit(1)
+
treename = args[0]
packages = args[1:]
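Review bot: The `else` branch of the new option loop cannot be reached: `getopt.getopt` is called with only `'f'` and `['force']` accepted, so any other option already raises `GetoptError` and exits in the previous hunk, and the loop variable `a` is never read. The whole loop reduces to `force_resign = any(o in ("-f", "--force") for o, _ in opts)`, which also drops the dead "Unknown option" path. If the extra check is meant as a guard against the option list and the loop drifting apart, a one-line comment saying so would save the next reader from searching for a way to trigger it.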
@@ -69,7 +78,7 @@ print("Checking signatures of %d files from %d packages" % (len(files), len(tree
sign = []
n = c = 0
for file in files:
- if not is_signed(file):
+ if force_resign or not is_signed(file):
sign.append(file)
c += 1
n += 1
@@ -112,7 +121,7 @@ password = getpass.getpass("Enter signing password: ")
try:
for x in chunk(sign, 512):
print("Signing %d files" % len(x))
- signpkgs(x, password)
+ signpkgs(x, password, force_resign)
except OSError as e:
print("ERR: %s" % e, file=sys.stderr)
exit(1)
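Review bot: With `force_resign` set, an `OSError` from `signpkgs` can leave the current chunk worse off than before the run, and the `ERR:` line here does not say which files are affected. The sign.py hunk below spawns `rpm --delsign` on every file of the chunk before `rpm --resign` (visible at the two `pexpect.spawn` lines), so if the second step fails those packages are left without any signature; whether that failure path exists depends on the remainder of `signpkgs`, which continues past the end of this page. Narrowing the `try` to one chunk and printing the chunk's files in the error path lets the operator re-run exactly those packages, and passing the flag by keyword makes the call self-describing. The enclosing script continues outside this hunk.
```python
for x in chunk(sign, 512):
    print("Signing %d files" % len(x))
    try:
        signpkgs(x, password, force=force_resign)
    except OSError as e:
        # with --force the chunk may already have been stripped by --delsign; name it so it can be re-run
        print("ERR: %s (chunk: %s)" % (e, " ".join(x)), file=sys.stderr)
        exit(1)
```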
diff --git a/modules/sign.py b/modules/sign.py
index dc5cc4f..eb31c2e 100644
--- a/modules/sign.py
+++ b/modules/sign.py
@@ -38,15 +38,24 @@ def is_signed(rpm_file):
return sign_key == sigid[-len(sign_key):]
-def signpkgs(files, password):
+def signpkgs(files, password, force=False):
if not os.path.isfile('/usr/bin/gpg'):
raise OSError('Missing gnupg binary')
if not os.path.isfile('/bin/rpm'):
raise OSError('Missing rpm binary')
os.putenv('LC_ALL', 'C')
- args = ['--resign', '--define', '_signature gpg', '--define', '_gpg_name ' + sign_key] + files
- child = pexpect.spawn('/bin/rpm', args, encoding='utf-8')
+ args = ['--define', '_signature gpg', '--define', '_gpg_name ' + sign_key] + files
+ if force:
+ child = pexpect.spawn('/bin/rpm', ['--delsign'] + args, encoding='utf-8')
+ child.logfile_read = sys.stderr
+ child.expect(pexpect.EOF, timeout=None)
+ child.close()
+ rc = child.exitstatus
+ if rc != 0:
+ raise OSError('package re-signing failed')
+
+ child = pexpect.spawn('/bin/rpm', ['--resign'] + args, encoding='utf-8')
child.logfile_read = sys.stderr
# TODO: we need a smarter way to figuring out if rpm already stored password in gpg-agent
try: