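#!/usr/bin/env python3
# vi: encoding=utf-8 ts=8 sts=4 sw=4 et

import os
import sys
import rpm
import pexpect
from config import sign_key


def getSigInfo(hdr):
    """Extract the signer field from an rpm header's signature tag.

    The header is rendered with a query format that picks the first
    signature tag present (DSAHEADER, RSAHEADER, SIGGPG, SIGPGP) and formats
    it with ``:pgpsig``.

    Returns the third comma-separated field of that string with leading
    whitespace removed (presumably the "Key ID ..." part; confirm against
    the rpm version in use), or None when the header carries no signature
    tag.
    """
    # yum-3.2.22/rpmUtils/miscutils.py
    query_fmt = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
    siginfo = hdr.sprintf(query_fmt)
    if siginfo == '(none)':
        return None
    return siginfo.split(',')[2].lstrip()


def is_signed(rpm_file):
    """Report whether rpm_file carries a signature naming the configured key.

    Returns None when no ``sign_key`` is configured or the package has no
    signature tag; otherwise True/False depending on whether the signer
    field ends with ``sign_key``.

    NOTE(review): this only compares the key id recorded in the header. It
    is not a cryptographic verification of the signature and should not be
    used as a trust decision; use rpm's own signature check
    (``rpmkeys --checksig``) for that. A short ``sign_key`` also makes the
    suffix match easier to satisfy with an unrelated key.
    """
    # http://code.activestate.com/recipes/306705/
    if sign_key is None:
        return None

    ts = rpm.ts()
    # Header DSA signature checking is switched off for this read,
    # presumably so headers signed with a key missing from the rpm keyring
    # can still be inspected (confirm).
    ts.setVSFlags(rpm.RPMVSF_NODSAHEADER)

    fdno = os.open(rpm_file, os.O_RDONLY)
    try:
        hdr = ts.hdrFromFdno(fdno)
    finally:
        # Close the descriptor even when the header cannot be read.
        os.close(fdno)

    sigid = getSigInfo(hdr)
    if sigid is None:
        return None

    return sign_key == sigid[-len(sign_key):]


def signpkgs(files, password):
    """Re-sign the given rpm files with ``sign_key`` via ``rpm --resign``.

    files    -- list of package paths, appended to the rpm command line
    password -- passphrase sent to rpm if it prompts for one

    Raises OSError when the gpg or rpm binary is missing or when rpm exits
    with a non-zero status. On success every file is chmod'ed to 0644.

    NOTE(review): entries of ``files`` are handed to rpm as plain
    arguments, so a name starting with '-' would be parsed as an option;
    callers should only pass paths they control.
    """
    if not os.path.isfile('/usr/bin/gpg'):
        raise OSError('Missing gnupg binary')
    if not os.path.isfile('/bin/rpm'):
        raise OSError('Missing rpm binary')

    # Force the C locale so the prompt text matched below is not translated.
    os.putenv('LC_ALL', 'C')
    args = ['--resign', '--define', '_signature gpg', '--define', '_gpg_name ' + sign_key] + files
    child = pexpect.spawn('/bin/rpm', args, encoding='utf-8')
    # NOTE(review): everything read from the child is mirrored to stderr. If
    # the pty echoed input at the prompt, the passphrase would end up in
    # that output; confirm echo is off there (pexpect offers waitnoecho()).
    child.logfile_read = sys.stderr

    # TODO: we need a smarter way of figuring out whether rpm already stored
    # the password in gpg-agent
    try:
        # EOF is an accepted outcome: rpm may finish without ever prompting
        # (e.g. passphrase cached), which previously surfaced as an uncaught
        # pexpect.EOF even though signing had succeeded.
        matched = child.expect(['Enter pass phrase:', pexpect.EOF], timeout=30)
    except pexpect.exceptions.TIMEOUT:
        matched = None

    if matched == 0:
        child.sendline(password)
    else:
        print('WARN: rpm did not ask for password', file=sys.stderr)

    if matched != 1:
        # Child is still running: wait for it to finish.
        child.expect(pexpect.EOF, timeout=None)
    child.close()

    rc = child.exitstatus
    if rc != 0:
        raise OSError('package signing failed')

    # Loop variable deliberately not called "rpm" so the module name is not
    # shadowed.
    for path in files:
        os.chmod(path, 0o644)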