Add filesystem locks for interacting with YubiKeys

anfimovdm · anfimovdm · commit fa78cec4209d · 2025-06-05T20:10:02.000+03:00
diff --git a/sign_node/config.py b/sign_node/config.py
@@ -75,6 +75,7 @@ def __init__(self, config_file=None, **cmd_args):
             'immudb_address': None,
             'immudb_public_key_file': None,
             'files_sign_cert_path': '/etc/pki/ima/ima-sign.key',
+            'locks_dir_path': '/tmp/gpg_locks',
         }
         schema = {
             "development_mode": {"type": "boolean", "default": False},
@@ -104,6 +105,7 @@ def __init__(self, config_file=None, **cmd_args):
                 'type': 'string', 'required': False,
                 'coerce': normalize_path,
             },
+            'locks_dir_path': {'type': 'string', 'required': True},
         }
         super(SignNodeConfig, self).__init__(
             default_config, config_file, schema, **cmd_args
diff --git a/sign_node/package_sign.py b/sign_node/package_sign.py
@@ -7,6 +7,9 @@
 
 import pexpect
 
+from sign_node.utils.locking import exclusive_lock
+from sign_node.utils.pgp_utils import restart_gpg_agent
+
 __all__ = [
     "sign_rpm_package",
     "PackageSignError",
@@ -19,8 +22,14 @@ class PackageSignError(Exception):
     pass
 
 
-def sign_rpm_package(path, keyid, password, sign_files=False,
-                     sign_files_cert_path='/etc/pki/ima/ima-sign.key'):
+def sign_rpm_package(
+    path,
+    keyid,
+    password,
+    sign_files=False,
+    sign_files_cert_path='/etc/pki/ima/ima-sign.key',
+    locks_dir_path: str = '/tmp/gpg_locks',
+):
     """
     Signs an RPM package.
 
@@ -55,19 +64,23 @@ def sign_rpm_package(path, keyid, password, sign_files=False,
         logging.debug('Deleting signature from %s', pkg_path)
         code, out, err = plumbum.local['rpmsign'].run(
             args=('--delsign', pkg_path),
-            retcode=None
+            retcode=None,
         )
         logging.debug('Command result: %d, %s\n%s', code, out, err)
         if code != 0:
             full_out = '\n'.join((out, err))
-            raise PackageSignError(f'Cannot delete package signature: {full_out}')
-    out, status = pexpect.run(
-        command=final_cmd,
-        events={"Enter passphrase:.*": f"{password}\r"},
-        env={"LC_ALL": "en_US.UTF-8"},
-        timeout=100000,
-        withexitstatus=True,
-    )
+            raise PackageSignError(
+                f'Cannot delete package signature: {full_out}'
+            )
+    with exclusive_lock(locks_dir_path, keyid):
+        out, status = pexpect.run(
+            command=final_cmd,
+            events={"Enter passphrase:.*": f"{password}\r"},
+            env={"LC_ALL": "en_US.UTF-8"},
+            timeout=100000,
+            withexitstatus=True,
+        )
+        restart_gpg_agent()
     if status is None:
         message = (
             f"The RPM signing command is failed with timeout."
@@ -79,7 +92,10 @@ def sign_rpm_package(path, keyid, password, sign_files=False,
         logging.error(
             "The RPM signing command is failed with %s exit code."
             "\nCommand: %s\nOutput:\n%s.\nTraceback: %s",
-            status, final_cmd, out, traceback.format_exc()
+            status,
+            final_cmd,
+            out,
+            traceback.format_exc(),
         )
         raise PackageSignError(
             f"RPM sign failed with {status} exit code.\n"
diff --git a/sign_node/signer.py b/sign_node/signer.py
@@ -444,6 +444,7 @@ def download_package(pkg: dict):
                             pgp_key_password,
                             sign_files=sign_files,
                             sign_files_cert_path=self.__config.files_sign_cert_path,
+                            locks_dir_path=self.__config.locks_dir_path,
                         )
                         packages_to_sign = []
                 if packages_to_sign:
@@ -453,6 +454,7 @@ def download_package(pkg: dict):
                         pgp_key_password,
                         sign_files=sign_files,
                         sign_files_cert_path=self.__config.files_sign_cert_path,
+                        locks_dir_path=self.__config.locks_dir_path,
                     )
             finish_time = datetime.utcnow()
             stats['sign_packages_time'] = self.timedelta_seconds(
diff --git a/sign_node/utils/locking.py b/sign_node/utils/locking.py
@@ -0,0 +1,15 @@
+import contextlib
+import fcntl
+from pathlib import Path
+
+
+@contextlib.contextmanager
+def exclusive_lock(path: str, filename: str):
+    locks_dir = Path(path)
+    locks_dir.mkdir(exist_ok=True, parents=True)
+    with Path(locks_dir, filename).open('w+') as file:
+        fcntl.flock(file, fcntl.LOCK_EX)
+        try:
+            yield
+        finally:
+            fcntl.flock(file, fcntl.LOCK_UN)
