def generateKey(self, archive):
"""Generate a signing key for the given archive."""
self.logger.info("Generating signing key for %s (%s)" %
(archive.reference, archive.displayname))
archive_signing_key = IArchiveSigningKey(archive)
archive_signing_key.generateSigningKey()
self.logger.info("Key %s" % archive.signing_key.fingerprint)
def testForPrivatePPA(self):
"""Run publish-distro in private PPA mode.
It should only publish private PPAs.
"""
# First, we'll make a private PPA and populate it with a
# publishing record.
ubuntutest = getUtility(IDistributionSet)['ubuntutest']
private_ppa = self.factory.makeArchive(private=True,
distribution=ubuntutest)
# Publish something to the private PPA:
pub_source = self.getPubSource(sourcename='baz',
filecontent='baz',
archive=private_ppa)
self.layer.txn.commit()
self.setUpRequireSigningKeys()
yield self.useFixture(InProcessKeyServerFixture()).start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(private_ppa).setSigningKey(
key_path, async_keyserver=True)
# Try a plain PPA run, to ensure the private one is NOT published.
self.runPublishDistro(['--ppa'])
pub_source.sync()
self.assertEqual(pub_source.status, PackagePublishingStatus.PENDING)
# Now publish the private PPAs and make sure they are really
# published.
self.runPublishDistro(['--private-ppa'])
pub_source.sync()
self.assertEqual(pub_source.status, PackagePublishingStatus.PUBLISHED)
def testForPPA(self):
"""Try to run publish-distro in PPA mode.
It should deal only with PPA publications.
"""
pub_source = self.getPubSource(filecontent='foo')
cprov = getUtility(IPersonSet).getByName('cprov')
pub_source2 = self.getPubSource(sourcename='baz',
filecontent='baz',
archive=cprov.archive)
ubuntutest = getUtility(IDistributionSet)['ubuntutest']
name16 = getUtility(IPersonSet).getByName('name16')
getUtility(IArchiveSet).new(purpose=ArchivePurpose.PPA,
owner=name16,
distribution=ubuntutest)
pub_source3 = self.getPubSource(sourcename='bar',
filecontent='bar',
archive=name16.archive)
# Override PPAs distributions
naked_archive = removeSecurityProxy(cprov.archive)
naked_archive.distribution = self.ubuntutest
naked_archive = removeSecurityProxy(name16.archive)
naked_archive.distribution = self.ubuntutest
self.setUpRequireSigningKeys()
yield self.useFixture(InProcessKeyServerFixture()).start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(cprov.archive).setSigningKey(
key_path, async_keyserver=True)
name16.archive.signing_key_owner = cprov.archive.signing_key_owner
name16.archive.signing_key_fingerprint = (
cprov.archive.signing_key_fingerprint)
self.layer.txn.commit()
self.runPublishDistro(['--ppa'])
pub_source.sync()
pub_source2.sync()
pub_source3.sync()
self.assertEqual(pub_source.status, PackagePublishingStatus.PENDING)
self.assertEqual(pub_source2.status, PackagePublishingStatus.PUBLISHED)
self.assertEqual(pub_source3.status, PackagePublishingStatus.PUBLISHED)
foo_path = "%s/main/f/foo/foo_666.dsc" % self.pool_dir
self.assertEqual(False, os.path.exists(foo_path))
baz_path = os.path.join(config.personalpackagearchive.root, cprov.name,
'ppa/ubuntutest/pool/main/b/baz/baz_666.dsc')
self.assertEqual('baz', open(baz_path).read().strip())
bar_path = os.path.join(config.personalpackagearchive.root,
name16.name,
'ppa/ubuntutest/pool/main/b/bar/bar_666.dsc')
self.assertEqual('bar', open(bar_path).read().strip())
def makeArchive(self, signing_key_name="*****@*****.**",
publish_binary=False, **kwargs):
try:
getattr(config, "in-process-key-server-fixture")
except AttributeError:
yield self.useFixture(InProcessKeyServerFixture()).start()
archive = self.factory.makeArchive(distribution=self.ubuntu, **kwargs)
if signing_key_name is not None:
key_path = os.path.join(gpgkeysdir, "%s.sec" % signing_key_name)
yield IArchiveSigningKey(archive).setSigningKey(
key_path, async_keyserver=True)
if publish_binary:
self.publisher.getPubBinaries(
archive=archive, status=PackagePublishingStatus.PUBLISHED)
defer.returnValue(archive)
def test_extraBuildArgs_archive_trusted_keys(self):
# If the archive has a signing key, extraBuildArgs sends it.
yield self.useFixture(InProcessKeyServerFixture()).start()
archive = self.factory.makeArchive()
key_path = os.path.join(gpgkeysdir, "*****@*****.**")
yield IArchiveSigningKey(archive).setSigningKey(
key_path, async_keyserver=True)
job = self.makeJob(archive=archive, with_builder=True)
distroarchseries = job.build.distroseries.architectures[0]
self.factory.makeBinaryPackagePublishingHistory(
distroarchseries=distroarchseries, pocket=job.build.pocket,
archive=archive, status=PackagePublishingStatus.PUBLISHED)
args = yield job.extraBuildArgs()
self.assertThat(args["trusted_keys"], MatchesListwise([
Base64KeyMatches("0D57E99656BEFB0897606EE9A022DD1F5001B46D"),
]))
def setUp(self):
super(TestSignableArchiveWithSigningKey, self).setUp()
self.temp_dir = self.makeTemporaryDirectory()
self.distro = self.factory.makeDistribution()
db_pubconf = getUtility(IPublisherConfigSet).getByDistribution(
self.distro)
db_pubconf.root_dir = unicode(self.temp_dir)
self.archive = self.factory.makeArchive(distribution=self.distro,
purpose=ArchivePurpose.PRIMARY)
self.archive_root = getPubConfig(self.archive).archiveroot
self.suite = "distroseries"
with InProcessKeyServerFixture() as keyserver:
yield keyserver.start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(self.archive).setSigningKey(
key_path, async_keyserver=True)
def test_sign_with_signing_key(self):
filename = os.path.join(getPubConfig(self.archive).archiveroot, "file")
write_file(filename, "contents")
self.assertIsNone(self.archive.signing_key)
self.useFixture(InProcessKeyServerFixture()).start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(self.archive).setSigningKey(
key_path, async_keyserver=True)
self.assertIsNotNone(self.archive.signing_key)
custom_processor = CustomUpload()
custom_processor.sign(self.archive, "suite", filename)
with open(filename) as cleartext_file:
cleartext = cleartext_file.read()
with open("%s.gpg" % filename) as signature_file:
signature = getUtility(IGPGHandler).getVerifiedSignature(
cleartext, signature_file.read())
self.assertEqual(self.archive.signing_key.fingerprint,
signature.fingerprint)
def generateSigningKey(self):
"""See `IArchiveSigningKey`."""
assert self.archive.signing_key is None, (
"Cannot override signing_keys.")
# Always generate signing keys for the default PPA, even if it
# was not expecifically requested. The default PPA signing key
# is then propagated to the context named-ppa.
default_ppa = self.archive.owner.archive
if self.archive != default_ppa:
if default_ppa.signing_key is None:
IArchiveSigningKey(default_ppa).generateSigningKey()
self.archive.signing_key = default_ppa.signing_key
return
key_displayname = (
"Launchpad PPA for %s" % self.archive.owner.displayname)
secret_key = getUtility(IGPGHandler).generateKey(key_displayname)
self._setupSigningKey(secret_key)
def testCarefulRelease(self):
"""publish-distro can be asked to just rewrite Release files."""
archive = self.factory.makeArchive(distribution=self.ubuntutest)
pub_source = self.getPubSource(filecontent='foo', archive=archive)
self.setUpRequireSigningKeys()
yield self.useFixture(InProcessKeyServerFixture()).start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(archive).setSigningKey(key_path,
async_keyserver=True)
self.layer.txn.commit()
self.runPublishDistro(['--ppa'])
pub_source.sync()
self.assertEqual(PackagePublishingStatus.PUBLISHED, pub_source.status)
dists_path = getPubConfig(archive).distsroot
hoary_inrelease_path = os.path.join(dists_path, 'hoary-test',
'InRelease')
breezy_inrelease_path = os.path.join(dists_path, 'breezy-autotest',
'InRelease')
self.assertThat(hoary_inrelease_path, Not(PathExists()))
os.unlink(breezy_inrelease_path)
self.runPublishDistro(['--ppa', '--careful-release'])
self.assertThat(hoary_inrelease_path, Not(PathExists()))
self.assertThat(breezy_inrelease_path, Not(PathExists()))
self.runPublishDistro([
'--ppa',
'--careful-release',
'--include-non-pending',
'--disable-publishing',
'--disable-domination',
'--disable-apt',
])
# hoary-test never had indexes created, so is untouched.
self.assertThat(hoary_inrelease_path, Not(PathExists()))
# breezy-autotest has its Release files rewritten.
self.assertThat(breezy_inrelease_path, PathExists())
def test_extraBuildArgs_archive_trusted_keys(self):
# If the archive has a signing key, extraBuildArgs sends it.
yield self.useFixture(InProcessKeyServerFixture()).start()
archive = self.factory.makeArchive()
builder = self.factory.makeBuilder()
key_path = os.path.join(gpgkeysdir, "*****@*****.**")
yield IArchiveSigningKey(archive).setSigningKey(key_path,
async_keyserver=True)
build = self.factory.makeBinaryPackageBuild(archive=archive)
self.factory.makeBinaryPackagePublishingHistory(
distroarchseries=build.distro_arch_series,
pocket=build.pocket,
archive=archive,
status=PackagePublishingStatus.PUBLISHED)
behaviour = IBuildFarmJobBehaviour(build)
behaviour.setBuilder(builder, None)
args = yield behaviour.extraBuildArgs()
self.assertThat(
args["trusted_keys"],
MatchesListwise([
Base64KeyMatches("0D57E99656BEFB0897606EE9A022DD1F5001B46D"),
]))
def _writeSuite(self, distroseries, pocket):
"""Write out the Release files for the provided suite."""
# XXX: kiko 2006-08-24: Untested method.
# As we generate file lists for apt-ftparchive we record which
# distroseriess and so on we need to generate Release files for.
# We store this in release_files_needed and consume the information
# when writeReleaseFiles is called.
if (distroseries.name, pocket) not in self.release_files_needed:
# If we don't need to generate a release for this release
# and pocket, don't!
return
all_components = [
comp.name for comp in
self.archive.getComponentsForSeries(distroseries)]
all_architectures = [
a.architecturetag for a in distroseries.enabled_architectures]
all_files = set()
for component in all_components:
self._writeSuiteSource(
distroseries, pocket, component, all_files)
for architecture in all_architectures:
self._writeSuiteArch(
distroseries, pocket, component, architecture, all_files)
self._writeSuiteI18n(
distroseries, pocket, component, all_files)
drsummary = "%s %s " % (self.distro.displayname,
distroseries.displayname)
if pocket == PackagePublishingPocket.RELEASE:
drsummary += distroseries.version
else:
drsummary += pocket.name.capitalize()
suite = distroseries.getSuite(pocket)
release_file = Release()
release_file["Origin"] = self._getOrigin()
release_file["Label"] = self._getLabel()
release_file["Suite"] = suite
release_file["Version"] = distroseries.version
release_file["Codename"] = distroseries.name
release_file["Date"] = datetime.utcnow().strftime(
"%a, %d %b %Y %k:%M:%S UTC")
release_file["Architectures"] = " ".join(sorted(all_architectures))
release_file["Components"] = " ".join(
reorder_components(all_components))
release_file["Description"] = drsummary
if (pocket == PackagePublishingPocket.BACKPORTS and
distroseries.backports_not_automatic):
release_file["NotAutomatic"] = "yes"
release_file["ButAutomaticUpgrades"] = "yes"
for filename in sorted(all_files, key=os.path.dirname):
entry = self._readIndexFileContents(suite, filename)
if entry is None:
continue
release_file.setdefault("MD5Sum", []).append({
"md5sum": hashlib.md5(entry).hexdigest(),
"name": filename,
"size": len(entry)})
release_file.setdefault("SHA1", []).append({
"sha1": hashlib.sha1(entry).hexdigest(),
"name": filename,
"size": len(entry)})
release_file.setdefault("SHA256", []).append({
"sha256": hashlib.sha256(entry).hexdigest(),
"name": filename,
"size": len(entry)})
self._writeReleaseFile(suite, release_file)
all_files.add("Release")
# Skip signature if the archive signing key is undefined.
if self.archive.signing_key is None:
self.log.debug("No signing key available, skipping signature.")
return
# Sign the repository.
archive_signer = IArchiveSigningKey(self.archive)
archive_signer.signRepository(suite)
all_files.add("Release.gpg")
# Make sure all the timestamps match, to make it easier to insert
# caching headers on mirrors.
self._syncTimestamps(suite, all_files)
def setUpArchiveKey(self):
with InProcessKeyServerFixture() as keyserver:
yield keyserver.start()
key_path = os.path.join(gpgkeysdir, '*****@*****.**')
yield IArchiveSigningKey(self.archive).setSigningKey(
key_path, async_keyserver=True)
