Message #23912
[Merge] lp:~twom/launchpad/per-series-signing-keys into lp:launchpad
Tom Wardill has proposed merging lp:~twom/launchpad/per-series-signing-keys into lp:launchpad.
Commit message:
Start with the matching series, not the first.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
Related bugs:
Bug #1841568 in Launchpad itself: "Signing keys should be per series"
https://bugs.launchpad.net/launchpad/+bug/1841568
For more details, see:
https://code.launchpad.net/~twom/launchpad/per-series-signing-keys/+merge/371891
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~twom/launchpad/per-series-signing-keys into lp:launchpad.
=== modified file 'lib/lp/archivepublisher/signing.py'
--- lib/lp/archivepublisher/signing.py 2019-08-27 09:40:34 +0000
+++ lib/lp/archivepublisher/signing.py 2019-08-27 15:56:13 +0000
@@ -82,20 +82,24 @@
self.package, self.version, self.arch = self.parsePath(
tarfile_path)
- def getSeriesPath(self, pubconf, key_name, archive):
+ def getSeriesPath(self, pubconf, key_name, archive, signing_for):
"""Find the key path for a given series.
Will iterate the series list backwards until either one exists,
or we reach the key at the filesystem root.
"""
+ found = False
for series in archive.distribution.series:
- path = os.path.join(
- pubconf.signingroot,
- series.name,
- key_name
- )
- if os.path.exists(path):
- return path
+ if series.name == signing_for:
+ found = True
+ if found:
+ path = os.path.join(
+ pubconf.signingroot,
+ series.name,
+ key_name
+ )
+ if os.path.exists(path):
+ return path
# If we have exhausted all available series, return the root
return os.path.join(pubconf.signingroot, key_name)
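Review bot: When `signing_for` matches no entry in `archive.distribution.series`, `found` stays False and `getSeriesPath` returns the root key path with no signal, so an unrecognised or mis-parsed suite is signed with the root key silently. Because this function selects signing key material, consider logging that case before the final `return`, and document it in the docstring, e.g. `signing_for: name of the series to start from; if it matches no series, the root key is used.` The docstring also still says the list is iterated "backwards", which holds only if the series come back newest first; that ordering is not visible in this hunk.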
@@ -118,26 +122,37 @@
self.fit_cert = None
self.autokey = False
else:
- self.uefi_key = self.getSeriesPath(pubconf, "uefi.key", archive)
- self.uefi_cert = self.getSeriesPath(pubconf, "uefi.crt", archive)
- self.kmod_pem = self.getSeriesPath(pubconf, "kmod.pem", archive)
- self.kmod_x509 = self.getSeriesPath(pubconf, "kmod.x509", archive)
- self.opal_pem = self.getSeriesPath(pubconf, "opal.pem", archive)
- self.opal_x509 = self.getSeriesPath(pubconf, "opal.x509", archive)
- self.sipl_pem = self.getSeriesPath(pubconf, "sipl.pem", archive)
- self.sipl_x509 = self.getSeriesPath(pubconf, "sipl.x509", archive)
+ signing_for = suite.split('-')[0]
+ self.uefi_key = self.getSeriesPath(
+ pubconf, "uefi.key", archive, signing_for)
+ self.uefi_cert = self.getSeriesPath(
+ pubconf, "uefi.crt", archive, signing_for)
+ self.kmod_pem = self.getSeriesPath(
+ pubconf, "kmod.pem", archive, signing_for)
+ self.kmod_x509 = self.getSeriesPath(
+ pubconf, "kmod.x509", archive, signing_for)
+ self.opal_pem = self.getSeriesPath(
+ pubconf, "opal.pem", archive, signing_for)
+ self.opal_x509 = self.getSeriesPath(
+ pubconf, "opal.x509", archive, signing_for)
+ self.sipl_pem = self.getSeriesPath(
+ pubconf, "sipl.pem", archive, signing_for)
+ self.sipl_x509 = self.getSeriesPath(
+ pubconf, "sipl.x509", archive, signing_for)
# Note: the signature tool allows a collection of keys and takes
# a directory name with all valid keys. Avoid mixing the
# other signing types' keys with the fit keys.
self.fit_key = self.getSeriesPath(
pubconf,
os.path.join("fit", "fit.key"),
- archive
+ archive,
+ signing_for
)
self.fit_cert = self.getSeriesPath(
pubconf,
os.path.join("fit", "fit.crt"),
- archive
+ archive,
+ signing_for
)
self.autokey = pubconf.signingautokey
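Review bot: `signing_for = suite.split('-')[0]` assumes a series name never contains a hyphen. For a constructed suite such as `no-keys-updates` it yields `no`, which matches no series and falls through to the root key in `getSeriesPath`. The test_signing.py hunk that renames `existing-keys` and `no-keys` to hyphen-free names suggests the limitation was worked around rather than handled. Prefer resolving the series through whatever suite parser the distribution already provides, if one is available, or strip only a known pocket suffix. Otherwise state the assumption in a comment such as `# suite is "<series>[-<pocket>]"; series names are assumed to contain no '-'`. The enclosing method starts outside this hunk, so where `suite` comes from is not visible here.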
=== modified file 'lib/lp/archivepublisher/tests/test_signing.py'
--- lib/lp/archivepublisher/tests/test_signing.py 2019-08-27 09:40:34 +0000
+++ lib/lp/archivepublisher/tests/test_signing.py 2019-08-27 15:56:13 +0000
@@ -979,13 +979,14 @@
This should fall through to the first series,
as the second does not have keys.
"""
+ self.suite = "nokeys-distroseries"
first_series = self.factory.makeDistroSeries(
self.distro,
- name="existing-keys"
+ name="existingkeys"
)
self.factory.makeDistroSeries(
self.distro,
- name="no-keys"
+ name="nokeys"
)
# Each image in the tarball is signed.
self.setUpUefiKeys()
@@ -997,7 +998,7 @@
self.assertContentEqual(expected_callers, upload.callLog.caller_list())
# Check the correct series name appears in the call arguments
self.assertIn(
- "existing-keys",
+ "existingkeys",
upload.callLog.extract_args()[0][1][2])
def test_signs_fit_image(self):
@@ -1385,7 +1386,7 @@
upload = SigningUpload()
config = getPubConfig(self.archive)
result = upload.getSeriesPath(
- config, 'key.key', self.archive)
+ config, 'key.key', self.archive, 'notaseries')
expected_path = os.path.join(config.signingroot, 'key.key')
self.assertEqual(expected_path, result)
@@ -1395,7 +1396,7 @@
upload = SigningUpload()
config = getPubConfig(self.archive)
result = upload.getSeriesPath(
- config, "uefi.key", self.archive)
+ config, "uefi.key", self.archive, "newdistroseries")
expected_path = os.path.join(config.signingroot, "uefi.key")
self.assertEqual(expected_path, result)
@@ -1406,7 +1407,7 @@
upload = SigningUpload()
config = getPubConfig(self.archive)
result = upload.getSeriesPath(
- config, "uefi.key", self.archive)
+ config, "uefi.key", self.archive, "newdistroseries")
expected_path = os.path.join(
config.signingroot,
"newdistroseries",
@@ -1424,7 +1425,7 @@
upload = SigningUpload()
config = getPubConfig(self.archive)
result = upload.getSeriesPath(
- config, "uefi.key", self.archive)
+ config, "uefi.key", self.archive, "seconddistroseries")
expected_path = os.path.join(
config.signingroot,
"seconddistroseries",
@@ -1440,7 +1441,7 @@
upload = SigningUpload()
config = getPubConfig(self.archive)
result = upload.getSeriesPath(
- config, "uefi.key", self.archive)
+ config, "uefi.key", self.archive, "seconddistroseries")
expected_path = os.path.join(
config.signingroot,
"newdistroseries",