recheck signatures on already-built packages

2026-04-25 08:57:11 +02:00
parent c191c12237
commit 79bd4fbdc5
3 changed files with 36 additions and 8 deletions
--- a/config_dist.yaml
+++ b/config_dist.yaml
@@ -46,5 +46,10 @@ build:
 logging:
  level: INFO

+housekeeping:
+  # how long to wait between re-verifying package signatures of already-built packages
+  # accepts any time.ParseDuration string (e.g. "24h", "12h", "30m"), default: 24h
+  signature_recheck_interval: "24h"
+
 metrics:
  port: 9568
--- a/housekeeping.go
+++ b/housekeeping.go
@@ -13,6 +13,19 @@ import (
 	"time"
 )

+const defaultSigRecheckInterval = 24 * time.Hour
+
+func sigRecheckInterval() time.Duration {
+	if conf.Housekeeping.SignatureRecheckInterval == "" {
+		return defaultSigRecheckInterval
+	}
+	d, err := time.ParseDuration(conf.Housekeeping.SignatureRecheckInterval)
+	if err != nil {
+		return defaultSigRecheckInterval
+	}
+	return d
+}
+
 func housekeeping(ctx context.Context, repo, march string, wg *sync.WaitGroup) error {
 	defer wg.Done()
 	fullRepo := repo + "-" + march
@@ -98,21 +111,30 @@ func housekeeping(ctx context.Context, repo, march string, wg *sync.WaitGroup) e
 			continue
 		}

-		if pkg.DBPackage.LastVerified.Before(pkg.DBPackage.BuildTimeStart) {
-			err := pkg.DBPackage.Update().SetLastVerified(time.Now().UTC()).Exec(ctx)
-			if err != nil {
-				return err
-			}
-			// check if pkg signature is valid
+		needsSigRecheck := pkg.DBPackage.LastVerified.Before(pkg.DBPackage.BuildTimeStart) ||
+			time.Since(pkg.DBPackage.LastVerified) > sigRecheckInterval()
+
+		if needsSigRecheck {
 			valid, err := mPackage.HasValidSignature()
 			if err != nil {
 				return err
 			}
 			if !valid {
-				log.Infof("[HK] %s->%s invalid package signature", pkg.FullRepo, pkg.Pkgbase)
+				log.Infof("[HK] %s->%s invalid package signature, purging+requeue", pkg.FullRepo, pkg.Pkgbase)
+				pkg.DBPackage, err = pkg.DBPackage.Update().
+					SetStatus(dbpackage.StatusQueued).
+					ClearTagRev().
+					SetLastVerified(time.Now().UTC()).
+					Save(ctx)
+				if err != nil {
+					return err
+				}
 				buildManager.repoPurge[pkg.FullRepo] <- []*ProtoPackage{pkg}
 				continue
 			}
+			if err := pkg.DBPackage.Update().SetLastVerified(time.Now().UTC()).Exec(ctx); err != nil {
+				return err
+			}
 		}

 		// compare db-version with repo version
--- a/utils.go
+++ b/utils.go
@@ -84,7 +84,8 @@ type Conf struct {
 		LTO            []string `yaml:"lto"`
 	}
 	Housekeeping struct {
-		Interval string
+		Interval                 string
+		SignatureRecheckInterval string `yaml:"signature_recheck_interval"`
 	}
 	MaxCloneRetries uint64 `yaml:"max_clone_retries"`
 	Metrics         struct {