From 72ee6e077c4c5c93dfc5460430a862ebf445e54e Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 10:09:03 +0200
Subject: [PATCH 1/5] ensure things are properly signed before uploading to stage

---
 upload_stage_rpms |  4 ++++
 verify_stage_sigs | 28 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100755 verify_stage_sigs

diff --git a/upload_stage_rpms b/upload_stage_rpms
index 050a754..3ad1a37 100755
--- a/upload_stage_rpms
+++ b/upload_stage_rpms
@@ -5,4 +5,8 @@
 USER='yumrepostage'
 HOST='web01.osuosl.theforeman.org'
 
+if [[ "${VERSION}" != "nightly" ]]; then
+  ./verify_stage_sigs
+fi
+
 rsync --checksum --times --perms --recursive --links --verbose --partial --one-file-system --delete-after "tmp/$PROJECT/$VERSION/" "$USER@$HOST:rsync_cache/$PROJECT/$VERSION/"
diff --git a/verify_stage_sigs b/verify_stage_sigs
new file mode 100755
index 0000000..8d36312
--- /dev/null
+++ b/verify_stage_sigs
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+. settings
+
+ARCHES="x86_64 source"
+
+EXIT_CODE=0
+
+for os in $OSES; do
+  BASE="tmp/$PROJECT/$VERSION/$os"
+
+  for arch in $ARCHES; do
+    UNSIGNED_RPMS=$(./list_unsigned_rpms "$BASE/$arch" "$HALFGPGKEY")
+
+    if [[ -n "$UNSIGNED_RPMS" ]]; then
+      echo "$UNSIGNED_RPMS"
+      EXIT_CODE=1
+    fi
+  done
+done
+
+if [[ "${EXIT_CODE}" != "0" ]]; then
+  echo "RPMs not signed with ${HALFGPGKEY} found, aborting"
+fi
+
+exit ${EXIT_CODE}

From 272fba57bbb606223778e3d1c076b4bd280bef25 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 12:13:35 +0200
Subject: [PATCH 2/5] move ARCHES to settings

---
 settings          | 1 +
 sign_stage_rpms   | 2 --
 verify_stage_sigs | 2 --
 3 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/settings b/settings
index fd06403..9890722 100644
--- a/settings
+++ b/settings
@@ -45,6 +45,7 @@ fi
 SIGNER="packages@theforeman.org"
 SIGNER_NAME="Foreman Automatic Signing Key"
 OSES=""
+ARCHES="x86_64 source"
 RPMDIR="$RELEASEDIR/rpms"
 KEYDIR="$RELEASEDIR/gnupg"
 GNUPGHOME="$KEYDIR"
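Review bot: The gate on `./verify_stage_sigs` in the upload_stage_rpms hunk only holds if that script runs under `set -e`, which the hunk does not show; without it a non-zero exit from the verifier is ignored and the rsync on the next context line still uploads unsigned RPMs. Make the dependency explicit regardless of shell options: `./verify_stage_sigs || exit 1`. The same applies to the reworked calls in the upload_stage_rpms hunks of patches 4/5 and 5/5.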
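Review bot: verify_stage_sigs exits 0 without inspecting a single directory when `$OSES` expands to nothing, so a settings mis-load passes verification vacuously and the upload proceeds; settings initialises `OSES=""` ahead of load_settings (visible in the settings hunk of patch 2/5), so an empty value is reachable. Guard it before the outer loop: `[[ -n "$OSES" ]] || { echo "OSES is empty, nothing to verify" >&2; exit 1; }`. The final "RPMs not signed ... aborting" message is also a diagnostic and belongs on stderr (`>&2`) so it is not lost when stdout is captured.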
diff --git a/sign_stage_rpms b/sign_stage_rpms
index 0fd3149..7354de8 100755
--- a/sign_stage_rpms
+++ b/sign_stage_rpms
@@ -4,8 +4,6 @@ set -e
 
 . settings
 
-ARCHES="x86_64 source"
-
 for os in $OSES; do
   BASE="tmp/$PROJECT/$VERSION/$os"
 
diff --git a/verify_stage_sigs b/verify_stage_sigs
index 8d36312..a164637 100755
--- a/verify_stage_sigs
+++ b/verify_stage_sigs
@@ -4,8 +4,6 @@ set -e
 
 . settings
 
-ARCHES="x86_64 source"
-
 EXIT_CODE=0
 
 for os in $OSES; do

From 076dc25a2ad8c2dbcbddc35c0dddeb03bf3fa90f Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 12:24:04 +0200
Subject: [PATCH 3/5] move stage local base to a setting

---
 settings          | 1 +
 sign_stage_rpms   | 6 ++----
 upload_stage_rpms | 2 +-
 verify_stage_sigs | 4 +---
 4 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/settings b/settings
index 9890722..272b8ea 100644
--- a/settings
+++ b/settings
@@ -68,6 +68,7 @@ TAR_PROJECTS=""
 RPM_PACKAGES=()
 PACKAGING_PR=${PACKAGING_PR:-true}
 GPG_EXPIRE="1y"
+STAGE_LOCAL_BASE="tmp/$PROJECT/$VERSION"
 
 load_settings
 
diff --git a/sign_stage_rpms b/sign_stage_rpms
index 7354de8..5aa3fb1 100755
--- a/sign_stage_rpms
+++ b/sign_stage_rpms
@@ -5,14 +5,12 @@ set -e
 . settings
 
 for os in $OSES; do
-  BASE="tmp/$PROJECT/$VERSION/$os"
-
   for arch in $ARCHES; do
-    UNSIGNED_RPMS=$(./list_unsigned_rpms "$BASE/$arch" "$HALFGPGKEY")
+    UNSIGNED_RPMS=$(./list_unsigned_rpms "$STAGE_LOCAL_BASE/$os/$arch" "$HALFGPGKEY")
 
     if [[ -n "$UNSIGNED_RPMS" ]]; then
       echo "$UNSIGNED_RPMS" | xargs ./sign_rpms
-      createrepo_c --general-compress-type gz --database --update "$BASE/$arch"
+      createrepo_c --general-compress-type gz --database --update "$STAGE_LOCAL_BASE/$os/$arch"
     fi
   done
 done
diff --git a/upload_stage_rpms b/upload_stage_rpms
index 3ad1a37..333c9ba 100755
--- a/upload_stage_rpms
+++ b/upload_stage_rpms
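Review bot: In the settings hunk of patch 3/5, `STAGE_LOCAL_BASE="tmp/$PROJECT/$VERSION"` is expanded when it is assigned, which is before the `load_settings` call three lines below; if load_settings (not visible here) sets or overrides `PROJECT` or `VERSION`, the stored path is stale while the rsync destination in upload_stage_rpms keeps using the live `$PROJECT/$VERSION`, so local and remote paths can silently diverge. If those two variables come from load_settings, move the assignment after that call, or make it a default evaluated afterwards, e.g. `STAGE_LOCAL_BASE="${STAGE_LOCAL_BASE:-tmp/$PROJECT/$VERSION}"`.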
@@ -9,4 +9,4 @@ if [[ "${VERSION}" != "nightly" ]]; then
   ./verify_stage_sigs
 fi
 
-rsync --checksum --times --perms --recursive --links --verbose --partial --one-file-system --delete-after "tmp/$PROJECT/$VERSION/" "$USER@$HOST:rsync_cache/$PROJECT/$VERSION/"
+rsync --checksum --times --perms --recursive --links --verbose --partial --one-file-system --delete-after "${STAGE_LOCAL_BASE}/" "$USER@$HOST:rsync_cache/$PROJECT/$VERSION/"
diff --git a/verify_stage_sigs b/verify_stage_sigs
index a164637..bb1afb1 100755
--- a/verify_stage_sigs
+++ b/verify_stage_sigs
@@ -7,10 +7,8 @@ set -e
 EXIT_CODE=0
 
 for os in $OSES; do
-  BASE="tmp/$PROJECT/$VERSION/$os"
-
   for arch in $ARCHES; do
-    UNSIGNED_RPMS=$(./list_unsigned_rpms "$BASE/$arch" "$HALFGPGKEY")
+    UNSIGNED_RPMS=$(./list_unsigned_rpms "$STAGE_LOCAL_BASE/$os/$arch" "$HALFGPGKEY")
 
     if [[ -n "$UNSIGNED_RPMS" ]]; then
       echo "$UNSIGNED_RPMS"

From 5773a8f196cd0ad2594d12fb103aa7a935b86353 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 12:58:44 +0200
Subject: [PATCH 4/5] check everything that has a key

---
 upload_stage_rpms | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/upload_stage_rpms b/upload_stage_rpms
index 333c9ba..985437b 100755
--- a/upload_stage_rpms
+++ b/upload_stage_rpms
@@ -5,7 +5,7 @@
 USER='yumrepostage'
 HOST='web01.osuosl.theforeman.org'
 
-if [[ "${VERSION}" != "nightly" ]]; then
+if [[ -n "${FULLGPGKEY}" ]]; then
   ./verify_stage_sigs
 fi
 

From 8f5db8714a69e05e4eac2b5562ba3316c960b800 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Mon, 9 Sep 2024 13:01:13 +0200
Subject: [PATCH 5/5] always run verify

---
 upload_stage_rpms | 4 +---
 verify_stage_sigs | 5 +++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/upload_stage_rpms b/upload_stage_rpms
index 985437b..0d114e2 100755
--- a/upload_stage_rpms
+++ b/upload_stage_rpms
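Review bot: The new rsync source `"${STAGE_LOCAL_BASE}/"` in the upload_stage_rpms hunk of patch 3/5 collapses to `/` when STAGE_LOCAL_BASE is unset or empty, and combined with `--recursive --delete-after` that would push the local root filesystem into `rsync_cache/$PROJECT/$VERSION/` and delete whatever was there; the old literal `tmp/$PROJECT/$VERSION/` could not degrade that way. Use the abort-if-empty expansion: `"${STAGE_LOCAL_BASE:?STAGE_LOCAL_BASE is not set}/"`. The `if` block around the hunk's first two context lines starts outside the hunk.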
@@ -5,8 +5,6 @@
 USER='yumrepostage'
 HOST='web01.osuosl.theforeman.org'
 
-if [[ -n "${FULLGPGKEY}" ]]; then
-  ./verify_stage_sigs
-fi
+./verify_stage_sigs
 
 rsync --checksum --times --perms --recursive --links --verbose --partial --one-file-system --delete-after "${STAGE_LOCAL_BASE}/" "$USER@$HOST:rsync_cache/$PROJECT/$VERSION/"
diff --git a/verify_stage_sigs b/verify_stage_sigs
index bb1afb1..d2b98b1 100755
--- a/verify_stage_sigs
+++ b/verify_stage_sigs
@@ -4,6 +4,11 @@ set -e
 
 . settings
 
+if [[ -z "${FULLGPGKEY}" ]]; then
+  echo "No signing configured."
+  exit 0
+fi
+
 EXIT_CODE=0
 
 for os in $OSES; do
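Review bot: The early `exit 0` added to verify_stage_sigs when `FULLGPGKEY` is empty makes signature verification fail open: any run in which settings does not yield a key, including a broken or partial settings load, now passes, and upload_stage_rpms (which this same patch makes call `./verify_stage_sigs` unconditionally) goes on to rsync. Patch 1/5 skipped the check only for nightly; keeping that distinction preserves the intent, e.g. before `exit 0`: `[[ "${VERSION}" == "nightly" ]] || { echo "No signing key configured for ${VERSION}, refusing" >&2; exit 1; }`. The "No signing configured." line is a diagnostic and should go to stderr as well. The guard tests `FULLGPGKEY` while the loop below the hunk passes `HALFGPGKEY` to list_unsigned_rpms; presumably both derive from the same key in settings, worth confirming so the two cannot disagree.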