@@ -1,6 +1,8 @@
import stat
import os
+ from hashlib import sha256
|
+ from six.moves.urllib.parse import urlparse
import robosignatory.utils as utils
|
import logging
@@ -59,3 +61,58 @@
f.write(commitid + '\n')
|
log.info('Done')
+
+
+ def process_coreos(signer, key, bucket, tmpdir, artifact):
+ filepath = urlparse(artifact["file"]).path.lstrip("/")
+ local_filepath = os.path.join(tmpdir, os.path.basename(filepath))
+
+ log.info("Downloading %s", filepath)
+ bucket.download_file(filepath, local_filepath)
+
+ log.info("Checking %s", filepath)
+ hasher = sha256()
+ with open(local_filepath, "rb") as f:
+ while True:
+ content = f.read(1024)
+ if not content:
+ break
+ hasher.update(content)
+ h = hasher.hexdigest()
+ if h != artifact["checksum"]:
+ log.error("Incorrect SHA256 for %s, not signing", filepath)
+ return
+
+ log.info("Signing %s", filepath)
+ sig_filepath = local_filepath + ".sig"
+ cmdline = signer.build_coreos_cmdline(
+ key, local_filepath, sig_filepath)
+ log.info('Signing command line: %s', cmdline)
+ ret, stdout, stderr = utils.run_command(cmdline)
+ if ret != 0:
+ log.error('Error signing! Signing output: %s, stdout: %s, '
+ 'stderr: %s', ret, stdout, stderr)
+ return
+ if not os.path.exists(sig_filepath):
+ log.error("Signer did not produce any signature file for %s", filepath)
+ return
+ log.debug('Fixing signature file permissions')
+ # Sigul writes it as 0600, which makes a lot of sense as a general file
+ # mode for it, but this is just a signature file that we want published
+ os.chmod(sig_filepath,
+ (stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH))
+
+ log.info("Uploading signature for %s", filepath)
+ bucket.upload_file(sig_filepath, filepath + ".sig")
+ # Check the uploaded file
+ uploaded = list(bucket.objects.filter(Prefix=filepath + ".sig"))
+ if len(uploaded) != 1:
+ log.warning("The signature for %s was not uploaded properly", filepath)
+ elif uploaded[0].size != os.stat(sig_filepath).st_size:
+ log.warning(
+ "The uploaded signature for %s does not have the right size",
+ filepath
+ )
+
+ os.remove(local_filepath)
+ os.remove(sig_filepath)
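Review bot: The three early `return`s in process_coreos (checksum mismatch, non-zero signer exit, missing signature file) skip the two `os.remove` calls at the end of the function, so the downloaded artifact — and, after a failed signer run, any partial `.sig` — is left behind in `tmpdir`; the case to care about is the unverified file that stays on disk after the SHA256 check rejects it. Moving the cleanup into a `finally` that removes whichever of the two files exists closes that on every exit path. Separately, the post-upload check uses `bucket.objects.filter(Prefix=filepath + ".sig")`, which matches any key that merely starts with that string, so a pre-existing key such as `<name>.sig.old` would trigger a spurious "not uploaded properly" warning; a head request on the exact key, e.g. `bucket.Object(filepath + ".sig").content_length`, compares the one object that was written. Note too that the digest is compared against `artifact["checksum"]` taken from the same message that names the key to sign, so the check proves the download was not corrupted, not that the message author was entitled to have that object signed — presumably the message topic is trusted, and a docstring saying so (for example "Assumes `artifact` comes from a trusted topic; the checksum only guards download integrity") would keep a later maintainer from reading it as an authorization check.
```python
def process_coreos(signer, key, bucket, tmpdir, artifact):
    filepath = urlparse(artifact["file"]).path.lstrip("/")
    local_filepath = os.path.join(tmpdir, os.path.basename(filepath))
    sig_filepath = local_filepath + ".sig"
    try:
        # … unchanged: download, SHA256 check, signing, chmod, upload and upload check (early returns stay) …
    finally:
        # Runs on every exit path, so a rejected or half-signed artifact never lingers in tmpdir
        for path in (local_filepath, sig_filepath):
            if os.path.exists(path):
                os.remove(path)
```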
This changeset adds a consumer to sign CoreOS artifacts.
I haven't tested it end-to-end yet because for now the CoreOS project does not produce the corresponding messages, but I think the code review can begin anyway.