From 79bd4fbdc56d75d979d9c0c4acf9cf0352bd9f23 Mon Sep 17 00:00:00 2001
From: Giovanni Harting <539@idlegandalf.com>
Date: Sat, 25 Apr 2026 08:57:11 +0200
Subject: [PATCH] recheck signatures on already-built packages
---
 config_dist.yaml | 5 +++++
 housekeeping.go | 36 +++++++++++++++++++++++++++++-------
 utils.go | 3 ++-
 3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/config_dist.yaml b/config_dist.yaml
index 5fd7519..9a6ecaf 100644
--- a/config_dist.yaml
+++ b/config_dist.yaml
@@ -46,5 +46,10 @@ build:
 logging:
 level: INFO
+housekeeping:
+ # how long to wait between re-verifying package signatures of already-built packages
+ # accepts any time.ParseDuration string (e.g. "24h", "12h", "30m"), default: 24h
+ signature_recheck_interval: "24h"
+
 metrics:
 port: 9568
diff --git a/housekeeping.go b/housekeeping.go
index 02c7c05..b627482 100644
--- a/housekeeping.go
+++ b/housekeeping.go
@@ -13,6 +13,19 @@ import (
 "time"
 )
+const defaultSigRecheckInterval = 24 * time.Hour
+
+func sigRecheckInterval() time.Duration {
+ if conf.Housekeeping.SignatureRecheckInterval == "" {
+ return defaultSigRecheckInterval
+ }
+ d, err := time.ParseDuration(conf.Housekeeping.SignatureRecheckInterval)
+ if err != nil {
+ return defaultSigRecheckInterval
+ }
+ return d
+}
+
 func housekeeping(ctx context.Context, repo, march string, wg *sync.WaitGroup) error {
 defer wg.Done()
 fullRepo := repo + "-" + march
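Review bot: In `sigRecheckInterval` (housekeeping.go, first hunk) a value that fails `time.ParseDuration` is silently replaced by the 24h default, and a zero or negative duration is returned as-is. An operator who writes an unsupported form such as `"1d"` gets no sign that the setting was ignored, and a non-positive value makes `time.Since(...) > sigRecheckInterval()` true for every package on every run. I would widen the guard to `if err != nil || d <= 0 {` and log the rejected string there before returning the default. Because the second hunk calls this helper once per package, the interval is better resolved once before the loop, so the config string is not re-parsed and that log line is not repeated on each iteration; the loop head is outside the visible hunks. A doc comment such as `// sigRecheckInterval returns the configured signature recheck interval, or 24h when the setting is empty or invalid.` would also help.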
@@ -98,21 +111,30 @@ func housekeeping(ctx context.Context, repo, march string, wg *sync.WaitGroup) e
 continue
 }
- if pkg.DBPackage.LastVerified.Before(pkg.DBPackage.BuildTimeStart) {
- err := pkg.DBPackage.Update().SetLastVerified(time.Now().UTC()).Exec(ctx)
- if err != nil {
- return err
- }
- // check if pkg signature is valid
+ needsSigRecheck := pkg.DBPackage.LastVerified.Before(pkg.DBPackage.BuildTimeStart) ||
+ time.Since(pkg.DBPackage.LastVerified) > sigRecheckInterval()
+
+ if needsSigRecheck {
 valid, err := mPackage.HasValidSignature()
 if err != nil {
 return err
 }
 if !valid {
- log.Infof("[HK] %s->%s invalid package signature", pkg.FullRepo, pkg.Pkgbase)
+ log.Infof("[HK] %s->%s invalid package signature, purging+requeue", pkg.FullRepo, pkg.Pkgbase)
+ pkg.DBPackage, err = pkg.DBPackage.Update().
+ SetStatus(dbpackage.StatusQueued).
+ ClearTagRev().
+ SetLastVerified(time.Now().UTC()).
+ Save(ctx)
+ if err != nil {
+ return err
+ }
 buildManager.repoPurge[pkg.FullRepo] <- []*ProtoPackage{pkg}
 continue
 }
+ if err := pkg.DBPackage.Update().SetLastVerified(time.Now().UTC()).Exec(ctx); err != nil {
+ return err
+ }
 }
 // compare db-version with repo version
diff --git a/utils.go b/utils.go
index 47c6b0b..ea1d485 100644
--- a/utils.go
+++ b/utils.go
@@ -84,7 +84,8 @@ type Conf struct {
 LTO []string `yaml:"lto"`
 }
 Housekeeping struct {
- Interval string
+ Interval string
+ SignatureRecheckInterval string `yaml:"signature_recheck_interval"`
 }
 MaxCloneRetries uint64 `yaml:"max_clone_retries"`
 Metrics struct {
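Review bot: In the `if !valid` branch of housekeeping.go's second hunk, a signature that no longer validates on an already-built package is still reported with `log.Infof`, the same level as routine housekeeping output. With periodic rechecks this branch can now fire for packages that passed earlier, which may indicate on-disk corruption, tampering or a key change, so it deserves a level that alerting can key on and a message that carries the previous verification time. Assuming `log` is a leveled logger with a warning call, something like `log.Warnf("[HK] %s->%s signature check failed (last verified %s), purging+requeue", pkg.FullRepo, pkg.Pkgbase, pkg.DBPackage.LastVerified)` would do. Separately, `time.Since(pkg.DBPackage.LastVerified) > sigRecheckInterval()` is never true while `LastVerified` lies ahead of the local clock, so a future-dated row is skipped until the clock catches up; treating a negative age as due for recheck would close that gap. The enclosing loop in `housekeeping` starts and ends outside the hunk.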