ci: output the hashes of all RPM packages without their signatures

cfm · cfm · commit cd7f7821f67a · 2025-02-27T15:57:05.000-08:00
This is a step towards automating the check of pre-signature reproducibility proposed by freedomofpress/securedrop-builder#418.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,3 +17,18 @@ jobs:
       - name: Verify the signatures of all rpm artifacts
         run: |
           ./scripts/check.py --verify --all
+
+  tests-fedora:
+    runs-on: ubuntu-latest
+    container: fedora:latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          lfs: true
+
+      # This step must run on Fedora until Debian has RPM >= 4.18.1 (per
+      # securedrop-workstation#846), at which time it can be merged into the
+      # main "tests" job.
+      - name: Output the hashes of all rpm artifacts without their signatures
+        run: |
+          ./scripts/check.py --check-unsigned --all
diff --git a/scripts/check.py b/scripts/check.py
@@ -11,8 +11,18 @@
 RPM_DIR = "workstation"
 
 
-def verify_sig_rpm(path):
+def check_unsigned_rpm(path):
+    subprocess.check_call(["rpm", "--delsign", path])
+    subprocess.check_call(["sha256sum", path])
+
+
+def check_unsigned_all_rpms():
+    for root, dirs, files in os.walk(RPM_DIR):
+        for name in files:
+            check_unsigned_rpm(os.path.join(root, name))
+
 
+def verify_sig_rpm(path):
     for key_path in [PROD_SIGNING_KEY_PATH, PROD_SIGNING_KEY_PATH_LEGACY]:
         try:
             subprocess.check_call(["rpmkeys", "--import", key_path])
@@ -63,6 +73,7 @@ def fail(msg):
 
 def main():
     parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--check-unsigned", action="store_true", default=False)
     parser.add_argument("--verify", action="store_true", default=True)
     parser.add_argument("--all", action="store_true", default=False)
     parser.add_argument("packages", type=str, nargs="*", help="Files to sign/verify")
@@ -74,7 +85,16 @@ def main():
     # Since we can't specify with which key to check sigs, we should clear the keyring
     remove_keys_in_rpm_keyring()
 
-    if args.verify:
+    if args.check_unsigned:
+        output = subprocess.check_call(["rpm", "--version"])
+        if args.all:
+            check_unsigned_all_rpms()
+        else:
+            for package in args.packages:
+                assert os.path.exists(package)
+                check_unsigned_rpm(package)
+
+    elif args.verify:
         if args.all:
             verify_all_rpms()
         else:
