#1932 per-tag settings for mock's sign plugin
Merged 2 years ago by tkopecek. Opened 2 years ago by tkopecek.
tkopecek/koji issue84  into  master

file modified
@@ -290,6 +290,19 @@ 

              opts['package_manager'] = self.config['extra']['mock.package_manager']

          if 'mock.yum.module_hotfixes' in self.config['extra']:

              opts['module_hotfixes'] = self.config['extra']['mock.yum.module_hotfixes']

+         # Append opts['plugin_conf'] to enable Mock package signing

+         if 'mock.plugin_conf.sign_enable' in self.config['extra']:

+             # check rest of configuration

+             if ('mock.plugin_conf.sign_cmd' not in self.config['extra'] or

+                'mock.plugin_conf.sign_opts' not in self.config['extra']):

+                 raise koji.GenericError("Tag is not configured properly for mock's sign plugin'")

+             opts['plugin_conf'] = {

+                 'sign_enable': self.config['extra']['mock.plugin_conf.sign_enable'],

+                 'sign_opts': {

+                     'cmd': self.config['extra']['mock.plugin_conf.sign_cmd'],

+                     'opts': self.config['extra']['mock.plugin_conf.sign_opts'],

+                 }

+             }

          if self.internal_dev_setup is not None:

              opts['internal_dev_setup'] = bool(self.internal_dev_setup)

          opts['tag_macros'] = {}
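Review bot: The test on the 'mock.plugin_conf.sign_enable' line checks only that the key is present, so a tag that sets sign_enable to a false value without sign_cmd and sign_opts gets the GenericError instead of simply leaving signing off. Consider testing the value rather than the key, and checking that sign_cmd and sign_opts have the expected types before copying them into opts['plugin_conf'], since the documentation added in this PR says these tools run outside of the jailed env. The error string also ends with a stray apostrophe after "plugin".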

@@ -391,7 +391,7 @@ 


  * ``mock.package_manager`` - If this is set, it will override mock's default

    package manager. Typically used with ``yum`` or ``dnf`` values.

- * ``mock.new_chroot`` - 0/1 value. If it is set, `--new-chroot` or

+ * ``mock.new_chroot`` - 0/1 value. If it is set, ``--new-chroot`` or

    `--old-chroot` option is appended to any mock call. If it is not set,

    mock's default behavior is used.

  * ``mock.use_bootstrap`` - 0/1 value. If it is set, ``--bootstrap-chroot``
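Review bot: The `--old-chroot` literal on the line right after the changed one still uses single backticks, so it will not render as an inline literal the way ``--new-chroot`` now does. Change it to ``--old-chroot`` in the same hunk so both options in the sentence are marked up consistently.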
@@ -429,7 +429,21 @@ 


    - this option will automatically turn ``mock.use_bootstrap`` (this is how

      it is implemented in mock)


+ * ``mock.yum.module_hotfixes`` - 0/1 value. If set, yum/dnf will use packages

+   regardless if they come from modularity repo or not. It makes sense only for

+   tags with external repositories. (See dnf `docs

+   <https://dnf.readthedocs.io/en/latest/modularity.html#hotfix-repositories>`__)


+ * `mock signing plugin

+   <https://github.com/rpm-software-management/mock/wiki/Plugin-Sign>`__ -

+   Options ``mock.plugin_conf.sign_enable``, ``mock.plugin_conf.sign_cmd`` and

+   ``mock.plugin_conf.sign_opts`` are propagated to mock conf to be used by this

+   plugin. Note, that these tools are run outside of the jailed env. Note, that

+   this functionality doesn't interfere with koji's standard signing commands

+   (``import-sig``, ``write-signed-rpm``, etc.). Note, that rpmsign vs gpg must

+   be configured correctly. If it is not it a) can silently ignore problems

+   during signing b) can hang forever when e.g. gpg password store is not

+   accessible.


  You may also specify per-tag environment variables for mock to use.

  For example, to set the CC environment variable to clang, you could
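Review bot: The mock signing plugin entry does not say that sign_cmd and sign_opts are both required once sign_enable is present, although the builder code in this PR raises GenericError when either is missing; state that here, together with the expected value types. Since the entry notes that the tools run outside of the jailed env, it should also spell out that the command is taken from tag extra data and runs on the builder host, so the ability to edit these tag options needs to be limited to trusted admins. Smaller points: "regardless if" reads better as "regardless of whether", and the three consecutive "Note, that" sentences would be clearer as a sub-list like the one under the bootstrap option above.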

file modified
+10 -1
@@ -1648,6 +1648,8 @@ 

          'yum_cache_enable': False,

          'root_cache_enable': False


+     # Append config_opts['plugin_conf'] to enable Mock package signing

+     plugin_conf.update(opts.get('plugin_conf', {}))


      macros = {

          '%_rpmfilename': '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm',
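Review bot: plugin_conf.update(opts.get('plugin_conf', {})) merges whatever opts carries over the defaults set just above it, so a caller can override entries such as 'yum_cache_enable' and 'root_cache_enable', not only add the sign settings. If only signing is meant to be configurable, copy just sign_enable and sign_opts; otherwise document that opts['plugin_conf'] may override any plugin default. The comment says "Append" while the call replaces existing keys, which is worth rewording.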
@@ -1689,7 +1691,14 @@ 


      for key in sorted(plugin_conf):

          value = plugin_conf[key]

-         parts.append("config_opts['plugin_conf'][%r] = %r\n" % (key, value))

+         # allow two-level dicts

+         if isinstance(value, dict):

+             parts.append("config_opts['plugin_conf'][%r] = {}\n" % key)

+             for key2 in sorted(value):

+                 value2 = value[key2]

+                 parts.append("config_opts['plugin_conf'][%r][%r] = %r\n" % (key, key2, value2))

+         else:

+             parts.append("config_opts['plugin_conf'][%r] = %r\n" % (key, value))



      if bind_opts:
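Review bot: In the isinstance(value, dict) branch, the emitted line config_opts['plugin_conf'][%r] = {} replaces any sub-dict already present under that key, so writing the entries one by one gains nothing over the previous single %r line, which renders a dict of plain values as valid Python. If the aim is to keep existing sub-options, emit a setdefault call instead of the plain assignment; if it is not, the branch can be dropped. The comment should also state why two levels are handled specially, since dicts nested any deeper fall back to %r.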

pretty please pagure-ci rebuild

2 years ago

These entries do not normally exist in the dict. The entries from the latest mock config are:


@tkopecek just curious, will this properly record things in koji's sign functionality? Like list-signed and such will work?

I'm afraid not. It will behave like a bare rpm, so it will skip the add_rpm_sig phase. I need to test what mock's plugin will really create and maybe update the import_rpm method.

rebased onto 4f19754204b8adca37991e9173dd04da0c433de0

2 years ago

Ok, I've fixed one bug and tested that it will correctly parse/save signatures.

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

Thank you @tkopecek. Will this be pulled forward to the next Koji point release?

Yes, it is scheduled for 1.22 (not 1.21.1, as it is a behaviour-changing patch)

:thumbsup: for the code
I think it is better to add some notes in doc to indicate that this does nothing to the sign functions of koji

rebased onto c2b42abe82cdaf269a2e4af3ff70d65b03e0f714

2 years ago

rebased onto 171a7d9b786a511c44691f468af1c1706ab9b7fd

2 years ago

Metadata Update from @mfilip:
- Pull-request tagged with: testing-done

2 years ago

pretty please pagure-ci rebuild

2 years ago

rebased onto 477fb48

2 years ago

Commit 62998b0 fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago