From 4a4f149ecf5a037eb02a6af3a6e4390de7e8ed2a Mon Sep 17 00:00:00 2001
From: Mark Hymers
Date: Sat, 26 Mar 2011 09:57:14 +0000
Subject: [PATCH] Allow per-suite signing keys
Signed-off-by: Mark Hymers
---
dak/dakdb/update57.py | 49 ++++++++++++++++++++++++++++++++++++++++
dak/generate_releases.py | 22 ++++++++++--------
dak/update_db.py | 2 +-
daklib/config.py | 1 -
4 files changed, 62 insertions(+), 12 deletions(-)
create mode 100755 dak/dakdb/update57.py
diff --git a/dak/dakdb/update57.py b/dak/dakdb/update57.py
new file mode 100755
index 00000000..45a37dc6
--- /dev/null
+++ b/dak/dakdb/update57.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# coding=utf8
+
+"""
+Allow per-suite signing keys
+
+@contact: Debian FTP Master
+@copyright: 2011 Mark Hymers
+@license: GNU General Public License version 2 or later
+"""
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+################################################################################
+
+import psycopg2
+from daklib.dak_exceptions import DBUpdateError
+
+################################################################################
+def do_update(self):
+ """
+ Allow per-suite signing keys
+ """
+ print __doc__
+ try:
+ c = self.db.cursor()
+
+ c.execute("""ALTER TABLE suite ADD COLUMN signingkeys TEXT[]""")
+ c.execute("""UPDATE suite SET signingkeys = signingkeys || (SELECT value FROM config WHERE name = 'signingkeyids')""")
+ c.execute("""DELETE FROM config WHERE name = 'signingkeyids'""")
+
+ c.execute("UPDATE config SET value = '57' WHERE name = 'db_revision'")
+ self.db.commit()
+
+ except psycopg2.ProgrammingError, msg:
+ self.db.rollback()
+ raise DBUpdateError, 'Unable to apply sick update 57, rollback issued. Error message : %s' % (str(msg))
diff --git a/dak/generate_releases.py b/dak/generate_releases.py
index b21f30a5..6dbcdea5 100755
--- a/dak/generate_releases.py
+++ b/dak/generate_releases.py
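Review bot: The `UPDATE suite SET signingkeys = signingkeys || (SELECT value ...)` statement in `do_update` appends the whole `signingkeyids` config string as a single array element, whereas the code this commit removes from generate_releases.py split that value on whitespace into several key ids. A site with more than one key configured would end up with one element such as `'KEYA KEYB'` (constructed example), which is then handed to gpg as a single `--default-key` value. Splitting during the migration, for example `UPDATE suite SET signingkeys = string_to_array((SELECT value FROM config WHERE name = 'signingkeyids'), ' ')`, keeps one id per element; it is also worth deciding explicitly what a missing or empty config row should produce, since Release signing depends on this column. Only `psycopg2.ProgrammingError` reaches the rollback, so any other database error propagates without it.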
@@ -79,7 +79,7 @@ def get_result(arg): if arg: results.append(arg) -def sign_release_dir(dirname): +def sign_release_dir(suite, dirname): cnf = Config() if cnf.has_key("Dinstall::SigningKeyring"): @@ -88,7 +88,6 @@ def sign_release_dir(dirname): keyring += " --keyring \"%s\"" % cnf["Dinstall::SigningPubKeyring"] arguments = "--no-options --batch --no-tty --armour" - signkeyids = cnf.signingkeyids.split() relname = os.path.join(dirname, 'Release') @@ -100,17 +99,20 @@ def sign_release_dir(dirname): if os.path.exists(inlinedest): os.unlink(inlinedest) - for keyid in signkeyids: - if keyid != "": - defkeyid = "--default-key %s" % keyid - else: - defkeyid = "" + # We can only use one key for inline signing so use the first one in + # the array for consistency + firstkey = False + + for keyid in suite.signingkeyids: + defkeyid = "--default-key %s" % keyid os.system("gpg %s %s %s --detach-sign <%s >>%s" % (keyring, defkeyid, arguments, relname, dest)) - os.system("gpg %s %s %s --clearsign <%s >>%s" % - (keyring, defkeyid, arguments, relname, inlinedest)) + if firstkey: + os.system("gpg %s %s %s --clearsign <%s >>%s" % + (keyring, defkeyid, arguments, relname, inlinedest)) + firstkey = False class ReleaseWriter(object): def __init__(self, suite): @@ -279,7 +281,7 @@ class ReleaseWriter(object): out.close() - sign_release_dir(os.path.dirname(outfile)) + sign_release_dir(suite, os.path.dirname(outfile)) os.chdir(oldcwd) diff --git a/dak/update_db.py b/dak/update_db.py index 88ff20f5..a0b091a5 100755 --- a/dak/update_db.py +++ b/dak/update_db.py @@ -46,7 +46,7 @@ from daklib.daklog import Logger ################################################################################ Cnf = None -required_database_schema = 54 +required_database_schema = 57 ################################################################################ diff --git a/daklib/config.py b/daklib/config.py index ed8cf1d0..dc90d49a 100755 --- a/daklib/config.py +++ b/daklib/config.py 
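Review bot: In the signing loop of `sign_release_dir`, `firstkey` is initialised to `False` and only ever reassigned to `False`, so the `if firstkey:` branch never runs and no clearsigned file is written to `inlinedest` after the existing one has been unlinked; the initialisation should be `firstkey = True`. The loop reads `suite.signingkeyids`, while the migration in update57.py names the column `signingkeys`, so unless the ORM mapping (not shown) aliases it this attribute will not exist. With the empty-string guard gone, a suite whose key list is empty yields no signature at all and a NULL column would presumably raise on iteration, so an explicit check that aborts or logs would avoid silently publishing an unsigned Release. The key id now comes from a database column and is still interpolated into an `os.system` shell string; passing an argument list to `subprocess` with the Release file opened as stdin would keep a malformed value from being interpreted by the shell. `sign_release_dir` starts and ends outside this hunk.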
@@ -115,7 +115,6 @@ class Config(object): """ for field in [('db_revision', None, int), ('defaultsuitename', 'unstable', str), - ('signingkeyids', '', str), ('exportpath', '', str) ]: setattr(self, 'get_%s' % field[0], lambda s=None, x=field[0], y=field[1], z=field[2]: self.get_db_value(x, y, z)) -- 2.39.2