| |
@@ -38,17 +38,23 @@
|
| |
'CoreOS wants to sign '
|
| |
'%(build_id)s on %(stream)s for %(basearch)s' % msg.body
|
| |
)
|
| |
- self.dowork(msg.body)
|
| |
-
|
| |
- def dowork(self, contents):
|
| |
- # This is here and not in __init__ because we may want a stream or
|
| |
- # version-dependant key in the future.
|
| |
+ if msg.topic.endswith('.coreos.build.request.artifacts-sign'):
|
| |
+ objects = msg.body["artifacts"]
|
| |
+ elif msg.topic.endswith('.coreos.build.request.ostree-sign'):
|
| |
+ objects = [{
|
| |
+ 'file': msg.body["commit_object"],
|
| |
+ 'checksum': msg.body["checksum"],
|
| |
+ }]
|
| |
+ self.sign_objects(objects)
|
| |
+
|
| |
+ def sign_objects(self, objects):
|
| |
+ # Evaluation of the key is here and not in __init__ because we may want
|
| |
+ # a stream or version-dependant key in the future.
|
| |
key = self.config["coreos"]["key"]
|
| |
-
|
| |
tmpdir = tempfile.mkdtemp(prefix="/tmp/robosignatory-")
|
| |
try:
|
| |
- for artifact in contents["artifacts"]:
|
| |
+ for obj in objects:
|
| |
robosignatory.work.process_coreos(
|
| |
- self.signer, key, self.bucket, tmpdir, artifact)
|
| |
+ self.signer, key, self.bucket, tmpdir, obj)
|
| |
finally:
|
| |
shutil.rmtree(tmpdir)
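Review bot: The new `if`/`elif` on `msg.topic` has no `else`, so a message whose topic ends with neither suffix reaches `self.sign_objects(objects)` with `objects` unbound and fails with an UnboundLocalError rather than a clear rejection. For a signing consumer it is safer to fail closed explicitly: add an `else:` branch that logs `msg.topic` and does `return`, so nothing is signed on an unrecognised topic. The subscription may already restrict delivery to these two topics, but that is not visible here, and the method holding this dispatch begins outside the hunk. A short docstring on `sign_objects` would also help, stating that each entry is a dict with the `file` and `checksum` keys the ostree branch builds by hand (presumably the same shape as the `artifacts` entries; confirm against `process_coreos`).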
|
| |
OSTree commit objects are a bit different from regular files. The signature is not directly a detached GPG signature file, but a special `commitmeta` object which contains the OSTree. Offhand, quickly looking at the code, I think we need to pass the OSTree commit separately down to `process_coreos`, where it can use `sign-ostree` instead of `sign-data` (or reuse the `build_atomic_cmdline`).