PR#2320: use sha256 for all chroots - copr/copr

copr / copr

#2320 use sha256 for all chroots

Merged 2 years ago by praiskup. Opened 2 years ago by praiskup.

Unknown source sha256-finalize into main

backend: sign everything EPEL-5+ with sha256

Pavel Raiskup • 2 years ago

2ca30cb

backend: better detect centos-stream version

Pavel Raiskup • 2 years ago

5bef35a

backend/copr_backend/sign.py

file modified

+6 -6

		`@@ -108,23 +108,23 @@`

		`parts = chroot.split("-")`

		`+ version_part = parts[-2]`
		`+`
		`if opts.gently_gpg_sha256:`
		`# For a few weeks we would use the sha256 hash type only for EL8+.`
		`# This is a safety belt, in case of any failure we'll just re-sign`
		`# epel-8+ and not _all_ the package data on backend.`
		`if parts[0] in el_chroots:`
		`- el_version = parts[1]`
		`- if el_version == "stream":`
		`- el_version = parts[2]`
		`+ el_version = version_part`
		`if version.parse(el_version) > version.parse("7"):`
		`return "sha256"`
		`return "sha1"`

		`if parts[0] in el_chroots:`
		`- chroot_version = parts[1]`
		`- if chroot_version in ["rawhide", "stream"]:`
		`+ chroot_version = version_part`
		`+ if chroot_version in ["rawhide"]:`
		`return "sha256"`
		`- if version.parse(chroot_version) <= version.parse("7"):`
		`+ if version.parse(chroot_version) <= version.parse("4"):`
		`return "sha1"`
		`if parts[0] == "fedora" and parts[1].isnumeric():`
		`# Fedora 27 moved to RPM v2.14 with the OpenSSL backend.`

backend/tests/test_sign.py

file modified

+6 -4

		`@@ -310,18 +310,20 @@`
		`("fedora-rawhide-x86_64", "sha256"),`
		`("mageia-8-x86_64", "sha256"),`
		`("opensuse-tumbleweed-aarch64", "sha256"),`
		`- ("epel-7-ppc64", "sha1"),`
		`- ("centos-7.dev-aarch64", "sha1"),`
		`+ ("epel-7-ppc64", "sha256"),`
		`+ ("centos-7.dev-aarch64", "sha256"),`
		`("epel-8-aarch64", "sha256"),`
		`("rhel-8.dev-ppc64le", "sha256"),`
		`("oraclelinux-9-s390x", "sha256"),`
		`("centos-stream-8-s390x", "sha256"),`
		`("centos-stream-9-s390x", "sha256"),`
		`("rhel-rawhide-s390x", "sha256"),`
		`- # we don't expect stream 7 will ever exist, otherwise we'll have to`
		`- # check for sha1 here`
		`+ # we don't expect stream 7 will ever exist`
		`("centos-stream-7-aarch64", "sha256"),`
		`("srpm-builds", "sha256"),`
		`+ ("epel-4-s390x", "sha1"),`
		`+ ("epel-5-s390x", "sha256"),`
		`+ ("centos-stream+epel-next-9-aarch64", "sha256"),`
		`]`

		`opts = Munch()`

no initial comment

zuul commented 2 years ago

Build succeeded.

csdiff-pylint : SUCCESS in 1m 04s

2 new commits added

backend: sign everything EPEL-5+ with sha256
backend: better detect centos-stream version

2 years ago

zuul commented 2 years ago

Build succeeded.

csdiff-pylint : SUCCESS in 1m 02s

praiskup commented 2 years ago

I'd prefer to apply this in production to unblock the centos-stream+epel-next-9 chroots... wdyt?

rebased onto 49f7cdc3d7e607337b8dba2bbedf1329b14b40ff

2 years ago

zuul commented 2 years ago

Build succeeded.

csdiff-pylint : SUCCESS in 1m 01s

praiskup commented 2 years ago

Resign can be done by:

cd /var/lib/copr/public_html/results
find -maxdepth 3 -type d -name 'centos-stream+epel-next-9-*' | cut -d/ -f2,3 | sort | uniq > /tmp/projects
/usr/bin/copr_fix_gpg.py /tmp/projects --chroot centos-stream+epel-next-9

frostyx commented 2 years ago

LGTM

I'd prefer to apply this in production to unblock the centos-stream+epel-next-9 chroots... wdyt?

Sounds like a good idea

mrc0mmand commented 2 years ago

I'd prefer to apply this in production to unblock the centos-stream+epel-next-9 chroots... wdyt?

Does this affect only centos-stream+epel-next-9 chroots or centos-stream-9 as well?

From a project configuration page:

centos-stream+epel-next-9-aarch64
centos-stream+epel-next-9-ppc64le
centos-stream+epel-next-9-s390x
centos-stream+epel-next-9-x86_64
centos-stream-9-aarch64
centos-stream-9-ppc64le
centos-stream-9-s390x
centos-stream-9-x86_64

(I'm not sure about the "plain" epel-9-xxx chroots, if they're not already an alias to the chroots above.)

praiskup commented 2 years ago