#69 verify rpm checksum data if available
Merged 5 months ago by tkopecek. Opened 5 months ago by mikem.
mikem/koji-tools check-rpm-sums  into  master

file modified
+39 -1
@@ -415,6 +415,7 @@ 

          self.check_rpm_sigs()

          if not self.options.no_sums:

              self.verify_rpms()

+             self.check_rpm_sums()

          self.check_archives()

          if not self.options.no_sums:

              self.verify_archives()
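Review bot: The added `self.check_rpm_sums()` call sits under `if not self.options.no_sums:`, and `check_rpm_sums` tests `self.options.no_sums` again on entry, so one of the two guards is redundant. Keeping the guard in one place, either at the call site as for `self.verify_rpms()` on the line above or inside the method, avoids the two conditions drifting apart later. The enclosing method starts and ends outside this hunk.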
@@ -619,6 +620,42 @@ 

                  stats.increment('signed_copy.check')

                  self.verify_rpm(fn, ts, size)

  

+     def check_rpm_sums(self):

+         '''Validate signature data on disc'''

+         if self.options.no_sums:

+             return

+         build = self.build

+         sums = {}

+         with session.multicall(strict=False) as m:

+             for rpminfo in self.rpms:

+                 sums[rpminfo['id']] = m.getRPMChecksums(rpm_id=rpminfo['id'], cacheonly=True)

+                 # cacheonly: no point in checking if it isn't already in the db

+         try:

+             sums = {i: sums[i].result for i in sums}

+         except koji.GenericError as e:

+             if 'Invalid method:' in str(e):

+                 logger.warning('Server does not support rpm checksums')

+                 return

+             raise

+         sumtype_priority = ['sha256', 'sha1', 'md5']

+         for rpminfo in self.rpms:

+             for sigkey in sums[rpminfo['id']]:

+                 ksums = sums[rpminfo['id']][sigkey]

+                 signed = os.path.join(self.build_dir, koji.pathinfo.signed(rpminfo, sigkey))

+                 if not os.path.exists(signed):

+                     # this is ok

+                     continue

+                 for sumtype in sumtype_priority:

+                     if sumtype not in ksums:

+                         continue

+                     start = time.time()

+                     self.verify_checksum(signed, sumtype, ksums[sumtype])

+                     elapsed = time.time() - start

+                     stats.increment('rpmchecksum.checked')

+                     stats.increment('rpmchecksum.time', elapsed)

+                     # checking a single checksum is enough

+                     break

+ 

      def check_archives(self):

          build = self.build

          # first gather archives
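Review bot: In `check_rpm_sums`, the `for sumtype in sumtype_priority` loop falls through silently when `ksums` holds none of `sha256`, `sha1` or `md5`, so a signed copy that exists on disk is left unverified with no log line or counter. A `for … else` branch would make that visible, e.g. `else: logger.warning('No usable checksum for %s', signed)`. Because the first match ends the loop, a copy whose only cached sum is `md5` or `sha1` is checked against a collision-weak digest alone; that catches corruption but is weaker evidence against deliberate replacement, so counting checks per sum type would let operators see how often that happens. The docstring mentions signature data while the body compares checksums of signed copies, so something like `'''Verify signed rpm copies on disk against cached rpm checksums'''` would fit better, and `build = self.build` is unused.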
@@ -677,7 +714,8 @@ 

  

      def verify_checksum(self, fn, sumtype, expect):

          try:

-             sumtype = koji.CHECKSUM_TYPES[sumtype]

+             if isinstance(sumtype, int):

+                 sumtype = koji.CHECKSUM_TYPES[sumtype]

          except KeyError:

              logger.error('Unknown sum type %s for %s', sumtype, fn)

              stats.increment('checksum.unsupported')
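Review bot: With the `isinstance(sumtype, int)` guard, a string `sumtype` skips the `koji.CHECKSUM_TYPES` lookup, so the `except KeyError` path that logs `Unknown sum type` and increments `checksum.unsupported` can now only fire for integer ids. The only string caller visible on this page passes names from `sumtype_priority`, but an unexpected name would reach the rest of `verify_checksum`, which lies outside the hunk. Validating names as well would keep the failure mode the same for both forms, e.g. `elif sumtype not in ('md5', 'sha1', 'sha256'): raise KeyError(sumtype)`. A short comment stating that `sumtype` may be either an integer id or a name would also help the next reader.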

The getRPMChecksums call was recently added. If available, it gives us additional data for verification.

Commit 45d8c9c fixes this pull-request

Pull-Request has been merged by tkopecek

5 months ago
