4 files changed, 37 insertions, 3 deletions
diff --git a/modules/buildsystem/manifests/signbot.pp b/modules/buildsystem/manifests/signbot.pp
index 7b69a17f..dbcba230 100644
--- a/modules/buildsystem/manifests/signbot.pp
+++ b/modules/buildsystem/manifests/signbot.pp
@@ -34,5 +34,9 @@ class buildsystem {
 local_script { "sign-check-package":
 content => template("buildsystem/signbot/sign-check-package")
 }
+
+ local_script { "mga-signpackage":
+ content => template("buildsystem/signbot/mga-signpackage")
+ }
 }
 }
diff --git a/modules/buildsystem/templates/signbot/mga-signpackage b/modules/buildsystem/templates/signbot/mga-signpackage
new file mode 100755
index 00000000..8f207d83
--- /dev/null
+++ b/modules/buildsystem/templates/signbot/mga-signpackage
@@ -0,0 +1,30 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+use RPM4::Sign;
+use File::Spec;
+
+sub signpackage {
+ my ($file, $name, $path) = @_;
+
+ # check if parent directory is writable
+ my $parent = (File::Spec->splitpath($file))[1];
+ die "Unsignable package, parent directory is read-only"
+ unless -w $parent;
+
+ my $sign = RPM4::Sign->new(
+ name => $name,
+ path => $path,
+ passphrase => '',
+ );
+
+ $sign->rpmssign($file)
+}
+
+if (@ARGV != 3) {
+ exit 1;
+}
+
+signpackage(@ARGV);
+
diff --git a/modules/buildsystem/templates/signbot/sign-check-package b/modules/buildsystem/templates/signbot/sign-check-package
index 4c6d1937..b0b01576 100644
--- a/modules/buildsystem/templates/signbot/sign-check-package
+++ b/modules/buildsystem/templates/signbot/sign-check-package
@@ -13,7 +13,7 @@ keydir="$3"
 tmpfile=`mktemp`
 cp -pf "$file" "$tmpfile"
 rpm --delsign "$tmpfile"
-/usr/bin/mga-signpackage "$tmpfile" "$key" "$keydir"
+/usr/local/bin/mga-signpackage "$tmpfile" "$key" "$keydir"
 nbtry=0
 while rpmsign -Kv "$tmpfile" 2>&1 | grep BAD
 do
@@ -30,6 +30,6 @@ do
 cp -pf "$file" "$tmpfile"
 rpm --delsign "$tmpfile"
- /usr/bin/mga-signpackage "$tmpfile" "$key" "$keydir"
+ /usr/local/bin/mga-signpackage "$tmpfile" "$key" "$keydir"
 done
 mv -f "$tmpfile" "$file"
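Review bot: The result of `$sign->rpmssign($file)` at the end of `signpackage` in the new mga-signpackage file is discarded, so the script's exit status does not tell the caller whether the package was actually signed, and the `@ARGV != 3` branch exits 1 without printing anything. sign-check-package (hunks below) only retries while `rpmsign -Kv` reports BAD, so a package left unsigned after `rpm --delsign` may be moved back into place; that is inferred from the visible lines, not verified. I would check the return value and `die` on failure (its success convention needs confirming against RPM4::Sign), and replace the bare exit with `die "usage: $0 <file> <key name> <key dir>\n" if @ARGV != 3;`. Because the script runs under sudo with caller-supplied arguments and `passphrase => ''`, a comment next to that line stating that key protection rests entirely on the key directory's permissions would help the next maintainer.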
diff --git a/modules/buildsystem/templates/signbot/sudoers.signpackage b/modules/buildsystem/templates/signbot/sudoers.signpackage
index 19cacb0b..05653d30 100644
--- a/modules/buildsystem/templates/signbot/sudoers.signpackage
+++ b/modules/buildsystem/templates/signbot/sudoers.signpackage
@@ -1,2 +1,2 @@
-<%= sched_login %> ALL =(<%= login %>) NOPASSWD: /usr/bin/mga-signpackage
+<%= sched_login %> ALL =(<%= login %>) NOPASSWD: /usr/local/bin/mga-signpackage
 <%= sched_login %> ALL =(<%= login %>) NOPASSWD: /usr/local/bin/sign-check-package |
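Review bot: The changed rule still lets `<%= sched_login %>` run mga-signpackage as `<%= login %>` with unrestricted arguments, and the script takes the key name and key directory directly from those arguments. sign-check-package, which has its own rule on the next line, invokes the signer itself, so if it is the only intended entry point this first rule could be dropped; callers outside this diff may still need it. Now that the target is a template-deployed file under /usr/local/bin, it is also worth confirming that `local_script` installs it root-owned and not writable by `<%= login %>`, since the rule trusts whatever sits at that path.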