#1420 how does `koji list-signed` work?
Opened 4 years ago by dustymabe. Modified 4 years ago

I can't seem to figure it out and the --help doesn't give me much info. I either get nothing back or the command hangs forever. For example I'm trying:

[dustymabe@media ~]$ koji list-signed --build=rust-afterburn-4.1.0-1.module_f30+4209+68fe9bdd 
[dustymabe@media ~]$ 
[dustymabe@media ~]$ koji list-signed --tag=coreos-pool #--> HANGS FOREVER

Short answer: this command doesn't work very well

This command is old and hasn't really been touched or used much since the very beginning. There are two main issues. One, it relies on local read-only access to /mnt/koji to determine if a signed copy is present. Two, unless you specify a build, it's going to query all signature entries in the db. The latter was once dumb and slow, but with the current database it's simply broken.

Depending on what you need, you may have better luck with koji list-tagged --sigs.

Short answer: this command doesn't work very well

Thanks for the info - is it worth fixing? Should we use this issue to track fixing?

Depending on what you need, you may have better luck with koji list-tagged --sigs.

I want to do two things:

  • determine if a build is signed (remotely)
  • determine any builds in a tag that aren't signed

Any suggestions for those two use cases?

Signed isn't as simple as yes/no, and it isn't a property of the build, but of the individual rpms that the build contains.

Koji can track multiple signatures for an rpm. These are stored as detached signature headers. Koji can write out signed copies of an rpm for any signature that it has.

So, for a given rpm, Koji might have 0 or more available signatures, and these may or may not have signed copies. There is no guarantee that all the rpms in a given build have the same set of signatures or signed copies.

Perhaps it would make sense to extend koji buildinfo with this info? I.e., have it say what detached sigs it has and what written-out signed rpms it has?

That would solve the first issue, the second one seems more like a compose issue than a koji one. I know pungi will tell you this if you try and gather from a tag and they are not all signed.
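The per-rpm signature model described in this thread, as an added example that is not part of the original ticket or of Koji's own code: it groups the hub's signature rows by rpm and reports which rpms of a build have no recorded signature and whether all rpms share the same key set. It assumes the hub calls `getBuild`, `listRPMs` and `queryRPMSigs` with the row fields shown, uses a placeholder hub URL supplied by the caller, and only covers signatures the hub has recorded, not whether signed copies have been written out.

```python
from collections import defaultdict

def signature_report(rpms, sigs):
    """Group hub signature rows by rpm and summarise one build.

    rpms: rows shaped like listRPMs() output (dicts with 'id', 'nvr', 'arch')
    sigs: rows shaped like queryRPMSigs() output (dicts with 'rpm_id', 'sigkey')
    """
    keys = defaultdict(set)
    for row in sigs:
        if row["sigkey"]:  # assumption: an empty sigkey means "no signature"
            keys[row["rpm_id"]].add(row["sigkey"])
    per_rpm = {"%s.%s" % (r["nvr"], r["arch"]): keys[r["id"]] for r in rpms}
    key_sets = list(per_rpm.values())
    return {
        "per_rpm": per_rpm,
        "unsigned": sorted(n for n, k in per_rpm.items() if not k),
        "common_keys": set.intersection(*key_sets) if key_sets else set(),
        "uniform": len({frozenset(k) for k in key_sets}) <= 1,
    }

def fetch_build_rows(hub_url, nvr):
    """Pull the rows for one build from a Koji hub (needs the koji package)."""
    import koji  # imported here so the report logic runs without it
    session = koji.ClientSession(hub_url)
    build = session.getBuild(nvr)
    if build is None:
        raise LookupError("no such build: %s" % nvr)
    rpms = session.listRPMs(buildID=build["id"])
    sigs = [s for r in rpms for s in session.queryRPMSigs(rpm_id=r["id"])]
    return rpms, sigs

# Constructed sample rows (not real hub output): three rpms, two keys.
SAMPLE_RPMS = [
    {"id": 1, "nvr": "example-1.0-1", "arch": "src"},
    {"id": 2, "nvr": "example-1.0-1", "arch": "x86_64"},
    {"id": 3, "nvr": "example-debuginfo-1.0-1", "arch": "x86_64"},
]
SAMPLE_SIGS = [
    {"rpm_id": 1, "sigkey": "aaaa1111"},
    {"rpm_id": 1, "sigkey": "bbbb2222"},
    {"rpm_id": 2, "sigkey": "aaaa1111"},
]

if __name__ == "__main__":
    report = signature_report(SAMPLE_RPMS, SAMPLE_SIGS)
    for name, k in sorted(report["per_rpm"].items()):
        print(name, sorted(k) or "NO SIGNATURES")
```

Against a real hub, pass the result of `fetch_build_rows(hub_url, nvr)` to `signature_report`; a tag-wide check would repeat this per build in the tag.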
