[jbosstools-issues] [JBoss JIRA] (JBDS-4616) signed rpm fetch job should verify the rpms are signed

Nick Boldt (JIRA) issues at jboss.org
Thu Nov 23 11:46:00 EST 2017


    [ https://issues.jboss.org/browse/JBDS-4616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13493472#comment-13493472 ] 

Nick Boldt commented on JBDS-4616:
----------------------------------

Doesn't seem to be working. 

{code}
11:40:51 ++ rpm -Kv rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.x86_64.rpm
11:40:53 + gpgcheck='rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.x86_64.rpm:
11:40:53     Header V3 RSA/SHA256 Signature, key ID a5787476: NOKEY
11:40:53     Header SHA1 digest: OK (3f968977bc4497273f440edf0520d2517188bb86)
11:40:53     V3 RSA/SHA256 Signature, key ID a5787476: NOKEY
11:40:53     MD5 digest: OK (f4fa9e25e499e519f143d9b0d0074d4d)'
{code} - https://dev-platform-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/Devstudio/view/jbosstools-releng/job/jbosstools-releng-push-to-staging-06-sign-rpm-fetch/16/console

But when I do this locally, it works:

{code}
cd /tmp
wget -q http://download-node-02.eng.bos.redhat.com/devel/candidates/jboss/devstudio/devstudio-11.1.0/rpms/signed//rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.x86_64.rpm
wget -q http://download-node-02.eng.bos.redhat.com/devel/candidates/jboss/devstudio/devstudio-11.1.0/rpms/signed//rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.src.rpm

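  # Check each downloaded rpm for a verified signature from key a5787476
  for theFile in *.rpm; do
    echo "[DEBUG] Check pgp signature in ${theFile} ..."
    gpgcheck="$(rpm -Kv "${theFile}")"
    # grep -q tests for the match directly; quoting keeps filenames and output intact
    if ! grep -q "key ID a5787476: OK" <<< "${gpgcheck}"; then
      echo "[ERROR] rpm ${theFile} is not signed!"
      echo "[ERROR] ${gpgcheck}"
    else
      echo "[INFO] $(rpm -K "${theFile}")"
    fi
  done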
{code}
...
{code}
[DEBUG] Check pgp signature in rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.src.rpm ...
[INFO] rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.src.rpm: rsa sha1 (md5) pgp md5 OK
[DEBUG] Check pgp signature in rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.x86_64.rpm ...
[INFO] rh-eclipse47-devstudio-11.1-0.20171026.1132.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
{code}

Do I need to destroy the slaves and re-create them?

> signed rpm fetch job should verify the rpms are signed
> ------------------------------------------------------
>
>                 Key: JBDS-4616
>                 URL: https://issues.jboss.org/browse/JBDS-4616
>             Project: Red Hat JBoss Developer Studio (devstudio)
>          Issue Type: Bug
>          Components: build, rpm
>    Affects Versions: 11.1.0.GA
>            Reporter: Nick Boldt
>            Assignee: Pavol Srna
>             Fix For: 11.2.0.AM2
>
>
> Currently, the job that fetches the signed devstudio rpms can't automatically verify the rpms are signed because the key is not installed on the slaves.
> https://dev-platform-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/Devstudio/view/jbosstools-releng/job/jbosstools-releng-push-to-staging-06-sign-rpm-fetch/11/console
> So, we need to fix that so that the job can verify signing has occurred and speed up the release process.



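The NOKEY status in the Jenkins log means rpm found a signature but has no public key for a5787476 in its keyring on that node, which a check that only greps for ": OK" reports as "not signed". As an added example (not code from the issue or the jbosstools project), the sketch below separates those states from captured `rpm -Kv` output; the function names, state labels and the OK/unsigned samples are constructed, and the `BAD` status string is assumed from rpm's usual output.

```bash
# Added example. Classify captured `rpm -Kv` output against an expected signing key ID.
# Each body runs in a subshell "( ... )" so its variables stay local in any POSIX shell.
classify_rpm_sig() (
  keyid=$1 output=$2
  # Only signature lines identify the signer; digest lines cover integrity only.
  sigs=$(printf '%s\n' "$output" | grep 'Signature, key ID' || true)
  if [ -z "$sigs" ]; then
    echo UNSIGNED                      # no signature header at all
  elif printf '%s\n' "$sigs" | grep -q ': BAD'; then
    echo BAD                           # signature present but does not verify
  elif printf '%s\n' "$sigs" | grep -qv "key ID $keyid:"; then
    echo WRONGKEY                      # signed, but not by the expected key
  elif printf '%s\n' "$sigs" | grep -q ': NOKEY'; then
    echo NOKEY                         # signed; public key missing from the rpm keyring
  elif ! printf '%s\n' "$sigs" | grep -qv ': OK[[:space:]]*$'; then
    echo OK                            # every signature line verified
  else
    echo UNKNOWN                       # unrecognised status: treat as a failure
  fi
)

# Hypothetical wrapper for a CI step: non-zero exit unless the state is OK.
verify_rpm() (
  state=$(classify_rpm_sig "$1" "$(rpm -Kv "$2" 2>&1)")
  echo "[$state] $2"
  [ "$state" = OK ]
)

# Constructed samples. SAMPLE_NOKEY reuses the lines from the Jenkins log in the comment.
SAMPLE_NOKEY='example.rpm:
    Header V3 RSA/SHA256 Signature, key ID a5787476: NOKEY
    Header SHA1 digest: OK (3f968977bc4497273f440edf0520d2517188bb86)
    V3 RSA/SHA256 Signature, key ID a5787476: NOKEY
    MD5 digest: OK (f4fa9e25e499e519f143d9b0d0074d4d)'
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_NOKEY" | sed 's/: NOKEY$/: OK/')
SAMPLE_UNSIGNED=$(printf '%s\n' "$SAMPLE_NOKEY" | grep -v 'Signature')

for s in "$SAMPLE_NOKEY" "$SAMPLE_OK" "$SAMPLE_UNSIGNED"; do
  classify_rpm_sig a5787476 "$s"
done
```

In a job, `verify_rpm a5787476 "$theFile" || exit 1` would fail the build on anything but OK while the printed state shows whether the node's keyring or the package is at fault.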