Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1556

Timestamp:

05/21/12 03:46:31 (12 months ago)

Author:

bruno

Message:

pb: Use new pbgpgcheck option to control whether we enable gpgcheck in the repo script. Problem is that signing failure is tolerated, so the rpms can be unsigned, but gpgcheck is on by default. Preserve those semantics by default, but allow for control. (Eric Anderson)

pbgpgcheck is optional and default to 1 (Bruno Cornec)

Location:

devel

Files:

: 3 edited

pb-modules/etc/pb.conf.pod (modified) (1 diff)
pb-modules/lib/ProjectBuilder/Env.pm (modified) (1 diff)
pb/bin/pb (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

devel/pb-modules/etc/pb.conf.pod

r1545	r1556
477	477	Nature: Optional
478	478	Key: project (as defined in the -p option or PBPROJ environment variable)
479		Value: Whether the repository file should be generated specifying that gpg checking of the packages is on. Note that failures to sign packages is tolerated by default, which means that signatures can fail making the repository file generated not work. The default is to require gpg checks.
	479	Value: Whether the repository file should be generated specifying that gpg checking of the packages is on. Note that failures to sign packages is tolerated by default, which means that signatures can fail making the repository file generated not work. The default is to require gpg checks (value is 1)
480	480	Conffile: project
481	481	Example: pbgpgcheck Lintel = 0

devel/pb-modules/lib/ProjectBuilder/Env.pm

-                      r1555
+                      r1556
 #pbwf $ENV{'PBPROJ'} = 1
+# Do we check GPG keys
+#pbgpgcheck $ENV{'PBPROJ'} = 1
+#
 # Packager label

devel/pb/bin/pb

-                      r1555
+                      r1556
         if ($pbos->{'type'} eq "rpm") {
             my $pbsha = pb_distro_get_param($pbos,pb_conf_get("ossha"));
+            my $gpgcheck = pb_conf_get_if("pbgpgcheck");
+            my $pbgpgcheck;
+            $pbgpgcheck = $gpgcheck->{$ENV{PBPROJ}} if (defined $gpgcheck);
+            # By default force GPG check in repo even if we support signature of packages to fail. This is a best practice
+            $pbgpgcheck = 1 if (not defined $pbgpgcheck);
             # Also make a pbscript to generate yum/urpmi bases
             print PBS << "EOF";
 …
 baseurl=$pbrepo->{$ENV{'PBPROJ'}}/$repodir
 enabled=1
 gpgcheck=1
+gpgcheck=$pbgpgcheck
 gpgkey=$pbrepo->{$ENV{'PBPROJ'}}/$repodir/$ENV{'PBPROJ'}.pubkey
 EOT

Note: See TracChangeset for help on using the changeset viewer.