Sometimes we want to check out qemu from a git tag, which allows us to verify whether the code we are downloading actually comes from the repository owner.
Introduce this support to our git helper. If for some reason this verification fails, be merciless and fail the entire build test. CC: Michael S. Tirskin <[email protected]> Signed-off-by: Lucas Meneghel Rodrigues <[email protected]>
---
 qemu/cfg/build.cfg | 9 +++++++++
 virttest/build_helper.py | 39 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/qemu/cfg/build.cfg b/qemu/cfg/build.cfg
index a5e5333..5fbd1af 100644
--- a/qemu/cfg/build.cfg
+++ b/qemu/cfg/build.cfg
@@ -42,6 +42,15 @@ variants:
 # use it to fetch object first from it, and then later from "upstream"
 # git_repo_qemu_base_uri = /home/user/code/qemu
+
+ # QEMU installation from a GIT repo (signed tags)
+ #git_repo_qemu_uri = git://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git
+ #git_repo_qemu_configure_options = --target-list=x86_64-softmmu
+ #git_repo_qemu_tag = for_anthony
+ # If tag_signed is provided, then we will be strict and verify the
+ # tag. If the tag verification fails, the entire build test will fail.
+ #git_repo_qemu_tag_signed = pgp.mit.edu:AFBE8E67
+
 # SPICE installation from a GIT repo
 git_repo_spice_uri = git://anongit.freedesktop.org/spice/spice
 git_repo_spice_common_uri = git://anongit.freedesktop.org/spice/spice-common
diff --git a/virttest/build_helper.py b/virttest/build_helper.py
index 9e31779..2879908 100644
--- a/virttest/build_helper.py
+++ b/virttest/build_helper.py
@@ -69,6 +69,26 @@ class GitRepoParamHelper(git.GitRepoHelper):
 else:
 logging.debug('Git repo %s commit: %s' % (self.name, self.commit))
+ self.tag = self.params.get('%s_tag' % config_prefix)
+ if self.tag is None:
+ logging.debug('Git repo %s tag is not set' % self.name)
+ else:
+ logging.debug('Git repo %s tag: %s' % (self.name, self.tag))
+
+ self.key_id = None
+ self.key_server = None
+ tag_signed = self.params.get('%s_tag_signed' % config_prefix)
+ if tag_signed is None:
+ logging.warning('Git repo %s tag is not signed' % self.name)
+ logging.warning('This means we will not verify if the key was '
+ 'made by whomever claims to have made it '
+ '(dangerous)')
+ else:
+ self.key_server, self.key_id = tag_signed.split(":")
+ logging.debug('Git repo %s tag %s was signed with GPG key ID %s '
+ 'present on key server %s', self.name, self.tag,
+ self.key_id, self.key_server)
+
 self.cmd = os_dep.command('git')
 self.recursive = self.params.get('%s_recursive', 'yes')
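Review bot: The `else` branch unpacks `tag_signed.split(":")` into exactly two names, so a key server written with a scheme or port (which adds further colons) or a value with no colon at all fails with a bare ValueError that never names the `%s_tag_signed` parameter; `self.key_server, self.key_id = tag_signed.rsplit(":", 1)` handles the former, and an explicit check with a TestError naming the parameter should cover the latter. A `%s_tag_signed` value with no `%s_tag` set is also accepted here, although the `if self.tag:` guard in execute() then skips verification silently, so I would reject that combination in this branch, e.g. `if self.tag is None: raise error.TestError('Git repo %s: tag_signed set without tag' % self.name)` (the `error` module is already used by execute() in this file). The example in build.cfg, `pgp.mit.edu:AFBE8E67`, is an 8-hex-digit short key ID, and `gpg --recv-keys` imports whatever key the server returns for that ID, so the build.cfg comment should ask for the key's full fingerprint rather than a short ID. The enclosing method starts outside the hunk, so I cannot see how `config_prefix` is validated.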
@@ -76,12 +96,29 @@ class GitRepoParamHelper(git.GitRepoHelper):
 def execute(self):
 super(GitRepoParamHelper, self).execute()
+ cwd = os.path.curdir
 os.chdir(self.destination_dir)
- utils.system('git remote add origin %s' % self.uri)
+ utils.system('git remote add origin %s' % self.uri, ignore_status=True)
 if self.recursive == 'yes':
 utils.system('git submodule init')
 utils.system('git submodule update')
+
+ if self.tag:
+ utils.system('git checkout %s' % self.tag)
+ if self.key_server is not None and self.key_id is not None:
+ try:
+ logging.debug('Downloading GPG key ID %s from key server '
+ '%s', self.key_id, self.key_server)
+ utils.system('gpg --batch --keyserver %s --recv-keys %s' %
+ (self.key_server, self.key_id))
+ logging.debug('Verifying if tag is actually signed with '
+ 'GPG key ID %s' % self.key_id)
+ utils.system('git tag -v %s' % self.tag)
+ except error.CmdError:
+ raise error.TestError("GPG signature check for git repo "
+ "%s failed" % self.name)
+ os.chdir(cwd)
-- 1.8.3.1 _______________________________________________ Virt-test-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/virt-test-devel
