
Make client updates download get signed builds if possible #5859

Open
wants to merge 2 commits into
base: develop
65 changes: 65 additions & 0 deletions bodhi-client/bodhi/client/cli.py
Expand Up @@ -30,6 +30,7 @@

import click
import munch
import requests

from bodhi.client import bindings, constants

Expand Down Expand Up @@ -773,6 +774,7 @@ def comment(update: str, text: str, karma: int, url: str, id_provider: str, clie
help=('Include debuginfo packages'))
@click.option('--updateid', help='Download update(s) by ID(s) (comma-separated list)')
@click.option('--builds', help='Download update(s) by build NVR(s) (comma-separated list)')
@click.option('--gpg/--no-gpg', help='Download GPG-signed packages', default=True)
@url_option
@add_options(openid_options)
@debug_option
Expand All @@ -797,10 +799,12 @@ def download(url: str, id_provider: str, client_id: str, **kwargs):
)
requested_arch = kwargs['arch']
debuginfo = kwargs['debuginfo']
gpg = kwargs['gpg']

del kwargs['staging']
del kwargs['arch']
del kwargs['debuginfo']
del kwargs['gpg']
# At this point we need to have reduced the kwargs dict to only our
# query options (updateid or builds)
if not any(kwargs.values()):
Expand Down Expand Up @@ -832,8 +836,69 @@ def download(url: str, id_provider: str, client_id: str, **kwargs):

for update in resp.updates:
click.echo(f"Downloading packages from {update['alias']}")
keyid = ''
if gpg:
# try to figure out the key ID we need to get signed packages
relnum = update['release']['version']


This isn't going to work for EPEL 10 updates after they are no longer the leading minor version. For example, currently EPEL 10.1 has a version of 10, but EPEL 10.0 has a version of 10.0.

Contributor Author


ah, thanks, I did check an EPEL update but wasn't aware of that wrinkle. I'll try and deal with it. Just take the integer portion of the version, I guess?


What I've done in a few other places is split on the dot in the version, which python handles well enough when there is no dot. Something like update['release']['version'].split('.')[0].

Contributor Author


yes, of course, i meant the concept, I can handle the execution :)

if update['release']['id_prefix'] == 'FEDORA-EPEL':
keyname = f'RPM-GPG-KEY-EPEL-{relnum}'
else:
keyname = f'RPM-GPG-KEY-fedora-{relnum}-primary'

# first try from a local file
keypath = f'/etc/pki/rpm-gpg/{keyname}'
if os.path.exists(keypath):
try:
ret = subprocess.run(
('gpg', '--list-packets', keypath),
capture_output=True,
text=True
)
except FileNotFoundError:
click.echo('WARNING: could not run gpg')
ret = None
else:
# try and get key file from dist-git
if update['release']['id_prefix'] == 'FEDORA-EPEL':
url = 'https://src.fedoraproject.org/rpms/epel-release'
url += f'/raw/epel{relnum}/f/{keyname}'
else:
url = 'https://src.fedoraproject.org/rpms/fedora-repos'
url += f'/raw/rawhide/f/{keyname}'
try:
resp = requests.get(url)
except requests.exceptions.RequestException as err:
click.echo(f'WARNING: Tried {url} to get key, failed with {err}')
resp = None
ret = None
if resp and resp.status_code == 200:
try:
ret = subprocess.run(
('gpg', '--list-packets', '-'),
input=resp.text,
capture_output=True,
text=True
)
except FileNotFoundError:
click.echo('WARNING: could not run gpg')
ret = None
elif resp:
click.echo(f'WARNING: Tried {url} to get key, got {resp.status_code}')
ret = None

if ret and not ret.returncode:
for line in ret.stdout.splitlines():
if 'keyid: ' in line:
keyid = line.split("keyid: ")[-1][-8:].lower()
elif ret:
click.echo('WARNING: gpg failed')

if not keyid:
click.echo('WARNING: could not find GPG key, packages will be unsigned')
for build in update['builds']:
args = ['koji', 'download-build']
if keyid:
args.append(f'--key={keyid}')
if debuginfo:
args.append('--debuginfo')
# subprocess is icky, but koji module doesn't
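Review bot: In the dist-git fallback, `resp = requests.get(url)` overwrites both the Bodhi query result that the enclosing loop iterates (`for update in resp.updates`) and the `url` parameter of `download`. The loop keeps working because `resp.updates` was already evaluated, but anything later that reads `resp` or `url` would see the key-fetch values, so separate names such as `key_url` and `key_resp` are safer; the rest of `download` is outside the hunk, so this cannot be confirmed from here. The request also has no timeout, so an unresponsive server stalls the command indefinitely; `key_resp = requests.get(key_url, timeout=30)` would bound it. In the parsing loop every `keyid: ` line overwrites `keyid`, so the value passed to `--key` is whichever key packet gpg lists last, which is presumably the primary key only when the file has no subkeys or additional keys. A `break` on the first match, or reading the `pub` record from `gpg --show-keys --with-colons`, would make the choice explicit.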