From edf7dcb73c18525a8e7385646b62fdc377d5d7a5 Mon Sep 17 00:00:00 2001
From: Zelin Hao
Date: Thu, 16 Jun 2022 18:39:33 -0500
Subject: [PATCH 1/3] Add rpm signature validation
Signed-off-by: Zelin Hao
---
 vars/rpmMetaValidation.groovy | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/vars/rpmMetaValidation.groovy b/vars/rpmMetaValidation.groovy
index 0844601e45..09998f25d1 100644
--- a/vars/rpmMetaValidation.groovy
+++ b/vars/rpmMetaValidation.groovy
@@ -41,4 +41,34 @@ def call(Map args = [:]) {
 println("Meta data for $key is validated")
 }
 println("Validation for meta data of RPM distribution completed.")
+
+ // Validate the distribution signature
+ def checksig = sh (
+ script: "rpm -K -v $distFile",
+ returnStdout: true
+ ).trim()
+ println("Signature check of the rpm distribution file is: \n" + checksig)
+ def keyList = ["Header V4 RSA/SHA512 Signature, key ID 9310d3fc", "Header SHA256 digest",
+ "Header SHA1 digest", "Payload SHA256 digest",
+ "V4 RSA/SHA512 Signature, key ID 9310d3fc", "MD5 digest"]
+ def presentKey = []
+ for (line in checksig.split('\n')) {
+ def key = line.split(':')[0].trim()
+ if (key == distFile) {
+ continue
+ } else {
+ assert line.split(':', 2)[1].trim().contains("OK")
+ println(key + " is validated as: " + line)
+ presentKey.add(key)
+ }
+ }
+ println("Validation all key digests starts: ")
+ for (digest in keyList) {
+ if (presentKey.contains(digest)) {
+ println("Key digest \"$digest\" is validated to be present.")
+ } else {
+ error("Key digest \"$digest\" is not present.")
+ }
+ }
+ println("Validation for signature of RPM distribution completed.")
 }
From 3928ed7c4b8c02fc659fcca3cb5209e1d59fd471 Mon Sep 17 00:00:00 2001
From: Zelin Hao
Date: Tue, 21 Jun 2022 14:41:59 -0700
Subject: [PATCH 2/3] Update jenkins tests
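Review bot: The per-line check `assert line.split(':', 2)[1].trim().contains("OK")` is a substring match, so a status such as `NOKEY` (signing key absent from the rpm keyring) also satisfies it and the line is then added to `presentKey` as validated. Compare the status exactly instead: `assert line.split(':', 2)[1].trim() == "OK"`. Whether the `sh` step would already abort on rpm's exit status in that situation is not visible in this hunk, so the assertion should not rely on it. Separately, `distFile` is interpolated unquoted into `"rpm -K -v $distFile"`, so a path with whitespace or shell metacharacters would be word-split or interpreted by the shell; quote it, e.g. `script: "rpm -K -v '$distFile'"`, and update the mocked command strings in the tests to match. The body of `call` begins outside the hunk.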
Signed-off-by: Zelin Hao
---
 tests/jenkins/TestRpmDashboardsDistValidation.groovy | 6 ++++++
 tests/jenkins/TestRpmMetaValidation.groovy | 6 ++++++
 tests/jenkins/TestRpmOpenSearchDistValidation.groovy | 6 ++++++
 .../jobs/RpmDashboardsDistValidation_Jenkinsfile.txt | 1 +
 tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt | 1 +
 .../jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt | 1 +
 6 files changed, 21 insertions(+)
diff --git a/tests/jenkins/TestRpmDashboardsDistValidation.groovy b/tests/jenkins/TestRpmDashboardsDistValidation.groovy
index 379a415e77..df3c15780e 100644
--- a/tests/jenkins/TestRpmDashboardsDistValidation.groovy
+++ b/tests/jenkins/TestRpmDashboardsDistValidation.groovy
@@ -41,6 +41,12 @@ class TestRpmDashboardsDistValidation extends BuildPipelineTest {
 helper.addShMock("rpm -qip $workspace/opensearch-dashboards-1.3.0-linux-x64.rpm") { script ->
 return [stdout: out, exitValue: 0]
 }
+ def sigOut = "/tmp/workspace/opensearch-dashboards-1.3.0-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
+ "Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
+ "V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
+ helper.addShMock("rpm -K -v $rpmDistribution") { script ->
+ return [stdout: sigOut, exitValue: 0]
+ }
 def status_message = "opensearch-dashboards.service - \"OpenSearch Dashboards\"\n" +
 " Loaded: loaded (/usr/lib/systemd/system/opensearch-dashboards.service; disabled; vendor preset: disabled)\n" +
 " Active: active (running) since Mon 2022-04-04 21:38:58 UTC; 3 days ago\n" +
diff --git a/tests/jenkins/TestRpmMetaValidation.groovy b/tests/jenkins/TestRpmMetaValidation.groovy
index 8c53651c7f..55ab358635 100644
--- a/tests/jenkins/TestRpmMetaValidation.groovy
+++ b/tests/jenkins/TestRpmMetaValidation.groovy
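Review bot: The mocked `rpm -K -v` output added in this setup contains only `OK` statuses, so nothing exercises the failure paths of the new signature validation; the same all-OK fixture is repeated in the hunks for TestRpmMetaValidation.groovy and TestRpmOpenSearchDistValidation.groovy. Add at least one negative case, for example a mocked line whose status is `NOKEY` or `BAD` and one where an expected entry is missing, and assert that the step fails. `sigOut` is also duplicated verbatim across the three test classes; a shared helper that builds it from the distribution path would keep the expected key ID in one place. The setup method these lines belong to starts outside the hunk.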
@@ -46,6 +46,12 @@ class TestRpmMetaValidation extends BuildPipelineTest {
 helper.addShMock("rpm -qip $workspace/opensearch-1.3.1-linux-x64.rpm") { script ->
 return [stdout: out, exitValue: 0]
 }
+ def sigOut = "/tmp/workspace/opensearch-1.3.1-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
+ "Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
+ "V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
+ helper.addShMock("rpm -K -v $rpmDistribution") { script ->
+ return [stdout: sigOut, exitValue: 0]
+ }
 }
 @Test
diff --git a/tests/jenkins/TestRpmOpenSearchDistValidation.groovy b/tests/jenkins/TestRpmOpenSearchDistValidation.groovy
index 79a3896613..4c7d0708e9 100644
--- a/tests/jenkins/TestRpmOpenSearchDistValidation.groovy
+++ b/tests/jenkins/TestRpmOpenSearchDistValidation.groovy
@@ -41,6 +41,12 @@ class TestRpmOpenSearchDistValidation extends BuildPipelineTest {
 helper.addShMock("rpm -qip $workspace/opensearch-1.3.1-linux-x64.rpm") { script ->
 return [stdout: out, exitValue: 0]
 }
+ def sigOut = "/tmp/workspace/opensearch-1.3.1-linux-x64.rpm:\n" + "Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" +
+ "Header SHA256 digest: OK\n" + "Header SHA1 digest: OK\n" + "Payload SHA256 digest: OK\n" +
+ "V4 RSA/SHA512 Signature, key ID 9310d3fc: OK\n" + "MD5 digest: OK"
+ helper.addShMock("rpm -K -v $rpmDistribution") { script ->
+ return [stdout: sigOut, exitValue: 0]
+ }
 helper.addShMock("ls /etc/opensearch") { script ->
 return [stdout: "esnode-key.pem jvm.options.d kirk.pem opensearch-reports-scheduler" +
 " performance_analyzer_enabled.conf esnode.pem jvm.options.rpmsave log4j2.properties" +
diff --git a/tests/jenkins/jobs/RpmDashboardsDistValidation_Jenkinsfile.txt b/tests/jenkins/jobs/RpmDashboardsDistValidation_Jenkinsfile.txt
index dafff37124..3301b8cfdf 100644
--- a/tests/jenkins/jobs/RpmDashboardsDistValidation_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/RpmDashboardsDistValidation_Jenkinsfile.txt
@@ -21,6 +21,7 @@ For more information, see: https://opensearch.org/}})
 rpmMetaValidation.println(Meta data for URL is validated)
 rpmMetaValidation.println(Meta data for Summary is validated)
 rpmMetaValidation.println(Meta data for Description is validated)
+ rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-dashboards-1.3.0-linux-x64.rpm, returnStdout=true})
 rpmDashboardsDistValidation.rpmCommands({command=install, product=opensearch-1.3.0})
 rpmCommands.sh(yum install -y opensearch-1.3.0)
 rpmDashboardsDistValidation.rpmCommands({command=install, product=opensearch-dashboards-1.3.0})
diff --git a/tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt b/tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt
index 5f3808b7be..2d42abe5cb 100644
--- a/tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/RpmMetaValidation_Jenkinsfile.txt
@@ -15,3 +15,4 @@ For more information, see: https://opensearch.org/}, rpmDistribution=/tmp/worksp
 rpmMetaValidation.println(Meta data for URL is validated)
 rpmMetaValidation.println(Meta data for Summary is validated)
 rpmMetaValidation.println(Meta data for Description is validated)
+ rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-1.3.1-linux-x64.rpm, returnStdout=true})
diff --git a/tests/jenkins/jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt b/tests/jenkins/jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt
index 8b8128de5b..0a9bdb59f6 100644
--- a/tests/jenkins/jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt
+++ b/tests/jenkins/jobs/RpmOpenSearchDistValidation_Jenkinsfile.txt
@@ -21,6 +21,7 @@ For more information, see: https://opensearch.org/}})
 rpmMetaValidation.println(Meta data for URL is validated)
 rpmMetaValidation.println(Meta data for Summary is validated)
 rpmMetaValidation.println(Meta data for Description is validated)
+ rpmMetaValidation.sh({script=rpm -K -v /tmp/workspace/opensearch-1.3.1-linux-x64.rpm, returnStdout=true})
 rpmOpenSearchDistValidation.rpmCommands({command=install, product=opensearch-1.3.1})
 rpmCommands.sh(yum install -y opensearch-1.3.1)
 rpmOpenSearchDistValidation.sh([[ -d /etc/opensearch ]] && echo "/etc/opensearch directory exists"|| (echo "/etc/opensearch does not exist" && exit 1))
From 1ae17cf873992db1c68e11b14db67b2f21573cb5 Mon Sep 17 00:00:00 2001
From: Zelin Hao
Date: Wed, 22 Jun 2022 10:38:25 -0700
Subject: [PATCH 3/3] Change to use assert
Signed-off-by: Zelin Hao
---
 vars/rpmMetaValidation.groovy | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/vars/rpmMetaValidation.groovy b/vars/rpmMetaValidation.groovy
index 09998f25d1..7447c7972c 100644
--- a/vars/rpmMetaValidation.groovy
+++ b/vars/rpmMetaValidation.groovy
@@ -64,11 +64,8 @@ def call(Map args = [:]) {
 }
 println("Validation all key digests starts: ")
 for (digest in keyList) {
- if (presentKey.contains(digest)) {
- println("Key digest \"$digest\" is validated to be present.")
- } else {
- error("Key digest \"$digest\" is not present.")
- }
+ assert presentKey.contains(digest)
+ println("Key digest \"$digest\" is validated to be present.")
 }
 println("Validation for signature of RPM distribution completed.")
 }
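Review bot: The bare `assert presentKey.contains(digest)` in the vars/rpmMetaValidation.groovy hunk drops the explicit failure text that the removed `error("Key digest \"$digest\" is not present.")` produced, so a failed build no longer says in words which expected entry was missing. Keep the message on the assertion: `assert presentKey.contains(digest) : "Key digest \"$digest\" is not present."`. A short comment above the loop, such as `// every entry of keyList must appear in the rpm -K output with status OK`, would also record the intent, since `keyList` and the start of `call` lie outside this hunk.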