Add signature support for the RPM module (#27069)

close #27031 If the rpm package does not contain a matching gpg signature, the installation will fail. See (#27031) , now auto-signing rpm uploads. This option is turned off by default for compatibility.
2025-07-03 09:07:19 +00:00 · 2024-08-06 21:03:33 +08:00
parent 94cca8846e
commit de175e3b06
5 changed files with 82 additions and 5 deletions
--- a/tests/integration/api_packages_rpm_test.go
+++ b/tests/integration/api_packages_rpm_test.go
@ -24,7 +24,10 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/tests"

+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/sassoftware/go-rpmutils"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestPackageRpm(t *testing.T) {
@ -431,6 +434,30 @@ gpgkey=%sapi/packages/%s/rpm/repository.key`,
 					AddBasicAuth(user.Name)
 				MakeRequest(t, req, http.StatusNotFound)
 			})
+
+			t.Run("UploadSign", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				url := groupURL + "/upload?sign=true"
+				req := NewRequestWithBody(t, "PUT", url, bytes.NewReader(content)).
+					AddBasicAuth(user.Name)
+				MakeRequest(t, req, http.StatusCreated)
+
+				gpgReq := NewRequest(t, "GET", rootURL+"/repository.key")
+				gpgResp := MakeRequest(t, gpgReq, http.StatusOK)
+				pub, err := openpgp.ReadArmoredKeyRing(gpgResp.Body)
+				require.NoError(t, err)
+
+				req = NewRequest(t, "GET", fmt.Sprintf("%s/package/%s/%s/%s", groupURL, packageName, packageVersion, packageArchitecture))
+				resp := MakeRequest(t, req, http.StatusOK)
+
+				_, sigs, err := rpmutils.Verify(resp.Body, pub)
+				require.NoError(t, err)
+				require.NotEmpty(t, sigs)
+
+				req = NewRequest(t, "DELETE", fmt.Sprintf("%s/package/%s/%s/%s", groupURL, packageName, packageVersion, packageArchitecture)).
+					AddBasicAuth(user.Name)
+				MakeRequest(t, req, http.StatusNoContent)
+			})
 		})
 	}
 }