simp-rake-helpers 5.11.6 → 5.12.0

data/spec/acceptance/00_pkg_rpm_custom_scriptlets_spec.rb

@@ -37,28 +37,28 @@ shared_examples_for 'an RPM generator with customized scriptlets' do
     comment '...default preun postun scriptlets call simp_rpm_helper with correct arguments'
     expected_simp_rpm_helper_scriptlets = scriptlet_label_map.select{|k,v| %w(preun postun).include? v }
     expected_simp_rpm_helper_scriptlets.each do |rpm_label, simp_helper_label|
-      expected = <<EOM
-if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='#{simp_helper_label}' --rpm_status=$1
-fi
-EOM
+      expected = <<~EOM
+        if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+          /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='#{simp_helper_label}' --rpm_status=$1
+        fi
+      EOM
       expect(scriptlets[rpm_label][:bare_content]).to eq(expected.strip)
     end
 
     comment '...default posttrans scriptlet calls simp_rpm_helper with correct arguments'
-    expected = <<EOM
-if [ -e /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage ] ; then
-  rm /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage
-  if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-    /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=1
-  fi
-elif [ -e /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage ] ; then
-  rm /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage
-  if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-    /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=2
-  fi
-fi
-EOM
+    expected = <<~EOM
+      if [ -e /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage ] ; then
+        rm /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage
+        if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+          /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=1
+        fi
+      elif [ -e /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage ] ; then
+        rm /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage
+        if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+          /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=2
+        fi
+      fi
+    EOM
     expect(scriptlets['posttrans'][:bare_content]).to eq(expected.strip)
   end
 end
@@ -130,6 +130,5 @@ describe 'rake pkg:rpm with customized content' do
 
       end
     end
-
   end
 end

data/spec/acceptance/10_pkg_rpm_spec.rb

@@ -6,7 +6,7 @@ RSpec.configure do |c|
   c.extend  Simp::BeakerHelpers::SimpRakeHelpers::PkgRpmHelpers
 end
 
-shared_examples_for "an RPM generator with edge cases" do
+shared_examples_for 'an RPM generator with edge cases' do
   it 'should use specified release number for the RPM' do
     on host, %(#{run_cmd} "cd #{pkg_root_dir}/testpackage_with_release; #{rake_cmd} pkg:rpm")
     release_test_rpm = File.join(pkg_root_dir, 'testpackage_with_release',
@@ -21,14 +21,6 @@ shared_examples_for "an RPM generator with edge cases" do
     on host, %(rpm --changelog -qp #{changelog_test_rpm} | grep -q 'Auto Changelog')
   end
 
-  it 'should not require pupmod-simp-simplib for simp-simplib RPM' do
-    on host, %(#{run_cmd} "cd #{pkg_root_dir}/simplib; #{rake_cmd} pkg:rpm")
-    simplib_rpm = File.join(pkg_root_dir, 'simplib', 'dist',
-      File.basename(testpackage_rpm).gsub(/simp-testpackage-0.0.1/,'simp-simplib-1.2.3'))
-    on host, %(test -f #{simplib_rpm})
-    on host, %(rpm -qpR #{simplib_rpm} | grep -q pupmod-simp-simplib), {:acceptable_exit_codes => [1]}
-  end
-
   it 'should not fail to create an RPM when the CHANGELOG has a bad date' do
     on host,
       %(#{run_cmd} "cd #{pkg_root_dir}/testpackage_with_bad_changelog_date; #{rake_cmd} pkg:rpm")
@@ -147,59 +139,65 @@ describe 'rake pkg:rpm' do
             ].sort
 
             comment '...default preinstall scriptlet'
-            expected =<<-EOM
-# (default scriptlet for SIMP 6.x)
-# when $1 = 1, this is an install
-# when $1 = 2, this is an upgrade
-mkdir -p /var/lib/rpm-state/simp-adapter
-touch /var/lib/rpm-state/simp-adapter/rpm_status$1.testpackage
-if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='pre' --rpm_status=$1
-fi
+            expected =<<~EOM
+              # (default scriptlet for SIMP 6.x)
+              # when $1 = 1, this is an install
+              # when $1 = 2, this is an upgrade
+              mkdir -p /var/lib/rpm-state/simp-adapter
+              touch /var/lib/rpm-state/simp-adapter/rpm_status$1.testpackage
+              if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+                /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='pre' --rpm_status=$1
+              fi
             EOM
             expect(scriptlets['preinstall'][:content]).to eq( expected.strip )
 
             comment '...default preuninstall scriptlet'
-            expected =<<-EOM
-# (default scriptlet for SIMP 6.x)
-# when $1 = 1, this is the uninstall of the previous version during an upgrade
-# when $1 = 0, this is the uninstall of the only version during an erase
-if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='preun' --rpm_status=$1
-fi
+            expected =<<~EOM
+              # (default scriptlet for SIMP 6.x)
+              # when $1 = 1, this is the uninstall of the previous version during an upgrade
+              # when $1 = 0, this is the uninstall of the only version during an erase
+              if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+                /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='preun' --rpm_status=$1
+              fi
             EOM
             expect(scriptlets['preuninstall'][:content]).to eq( expected.strip )
 
             comment '...default postuninstall scriptlet'
-            expected =<<-EOM
-# (default scriptlet for SIMP 6.x)
-# when $1 = 1, this is the uninstall of the previous version during an upgrade
-# when $1 = 0, this is the uninstall of the only version during an erase
-if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='postun' --rpm_status=$1
-fi
+            expected =<<~EOM
+              # (default scriptlet for SIMP 6.x)
+              # when $1 = 1, this is the uninstall of the previous version during an upgrade
+              # when $1 = 0, this is the uninstall of the only version during an erase
+              if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+                /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='postun' --rpm_status=$1
+              fi
             EOM
             expect(scriptlets['postuninstall'][:content]).to eq( expected.strip )
 
             comment '...default posttrans scriptlet'
-            expected =<<-EOM
-# (default scriptlet for SIMP 6.x)
-# Marker file is created in %pre and only exists for installs or upgrades
-# when marker file is prepended with 'rpm_status1.', this is an install
-# when marker file is prepended with 'rpm_status2.', this is an upgrade
-if [ -e /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage ] ; then
-  rm /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage
-  if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-    /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=1
-  fi
-elif [ -e /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage ] ; then
-  rm /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage
-  if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
-    /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=2
-  fi
-fi
+            expected =<<~EOM
+              # (default scriptlet for SIMP 6.x)
+              # Marker file is created in %pre and only exists for installs or upgrades
+              # when marker file is prepended with 'rpm_status1.', this is an install
+              # when marker file is prepended with 'rpm_status2.', this is an upgrade
+              if [ -e /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage ] ; then
+                rm /var/lib/rpm-state/simp-adapter/rpm_status1.testpackage
+                if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+                  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=1
+                fi
+              elif [ -e /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage ] ; then
+                rm /var/lib/rpm-state/simp-adapter/rpm_status2.testpackage
+                if [ -x /usr/local/sbin/simp_rpm_helper ] ; then
+                  /usr/local/sbin/simp_rpm_helper --rpm_dir=/usr/share/simp/modules/testpackage --rpm_section='posttrans' --rpm_status=2
+                fi
+              fi
             EOM
             expect(scriptlets['posttrans'][:content]).to eq( expected.strip )
+
+            comment 'does not modify the shebangs in executable scripts in the RPM'
+            # if the shebangs were modified, we should see /usr/bin/ruby and /usr/bin/rspec
+            # as requirements of the RPM
+            on host, %(rpm -qpR #{testpackage_rpm} | grep -q /usr/bin/ruby), :acceptable_exit_codes => [1]
+            on host, %(rpm -qpR #{testpackage_rpm} | grep -q /usr/bin/rspec), :acceptable_exit_codes => [1]
           end
 
           it_should_behave_like 'an RPM generator with edge cases'

data/spec/acceptance/50_local_gpg_signing_key_spec.rb

@@ -13,7 +13,7 @@ end
 #
 # It should be possible manage GPG keys using this logic from many OSes,
 # but it's silly to try to mock them all directly in RSpec.
-describe 'rake pkg:rpm with customized content' do
+describe 'local_gpg_signing_key unit test' do
 
   def hf_cmd( hosts, cmd, env_str=nil, opts={})
     if ENV['PUPPET_VERSION']
@@ -24,11 +24,15 @@ describe 'rake pkg:rpm with customized content' do
 
   before :all do
     copy_host_files_into_build_user_homedir(hosts)
-    hf_cmd(hosts, "bundle --local || bundle", nil, {run_in_parallel: true})
+
+    # If the build environment of user executing this test has a newer
+    # version of bundler than provided by the published docker container,
+    # the Gemfile.lock will cause problems. So, make sure to remove it!
+    hf_cmd(hosts, 'rm Gemfile.lock; bundle --local || bundle', nil, {run_in_parallel: true})
   end
 
   it 'can run the os-dependent Simp::LocalGpgSigningKey spec tests' do
-    hf_cmd( hosts, "bundle exec rspec spec/lib/simp/local_gpg_signing_key_spec.rb.beaker-only" );
+    hf_cmd( hosts, 'bundle exec rspec spec/lib/simp/local_gpg_signing_key_spec.rb.beaker-only' );
   end
 end
 

data/spec/acceptance/55_build_pkg_signing_spec.rb

@@ -9,10 +9,14 @@ RSpec.configure do |c|
   c.extend  Simp::BeakerHelpers::SimpRakeHelpers::BuildProjectHelpers
 end
 
-describe 'rake pkg:signrpms' do
-  def opts
-    { run_in_parallel: true, environment: { 'SIMP_PKG_verbose' => 'yes' } }
-  end
+# options to be applied to each on() operation
+def run_opts
+  # WARNING: If you set run_in_parallel to true, tests will fail
+  # when run in a GitHub action.
+  { run_in_parallel: false }
+end
+
+describe 'rake pkg:signrpms and pkg:checksig' do
 
   # Clean out RPMs dir and copy in a fresh dummy RPM
   def prep_rpms_dir(rpms_dir, src_rpms, opts = {})
@@ -21,33 +25,35 @@ describe 'rake pkg:signrpms' do
   end
 
   # Provides a scaffolded test project and `let` variables
-  shared_context 'a freshly-scaffolded test project' do |dir|
-    opts = {}
-    test__dir  = "#{build_user_homedir}/test--#{dir}"
-    rpms__dir  = "#{test__dir}/test.rpms"
-    src__rpm   =  "#{build_user_host_files}/spec/lib/simp/files/testpackage-1-0.noarch.rpm"
-    host__dirs = {}
+  shared_context 'a freshly-scaffolded test project' do |dir, opts = {}|
+    test__dir     = "#{build_user_homedir}/test-#{dir}"
+    rpms__dir     = "#{test__dir}/test.rpms"
+    src__rpm      =  "#{build_user_host_files}/spec/lib/simp/files/testpackage-1-0.noarch.rpm"
+    host__dirs    = {}
+    gpg__keysdir  = opts[:gpg_keysdir] ? opts[:gpg_keysdir] : "#{test__dir}/.dev_gpgkeys"
+    extra__env    = opts[:gpg_keysdir] ? "SIMP_PKG_build_keys_dir=#{gpg__keysdir}" : ''
+    digest__algo  = opts[:digest_algo] ? opts[:digest_algo] : nil
+
 
     hosts.each do |host|
-      dist_dir = distribution_dir(host, test__dir, opts)
+      dist_dir = distribution_dir(host, test__dir, run_opts)
       host__dirs[host] = {
         test_dir:  test__dir,
-        dev_keydir: "#{dist_dir}/build_keys/dev",
-        dvd_dir: "#{dist_dir}/DVD",
+        dvd_dir: "#{dist_dir}/DVD"
       }
       host__dirs[host.name] = host__dirs[host]
     end
 
     before(:all) do
       # Scaffold a project skeleton
-      scaffold_build_project(hosts, test__dir, opts)
+      scaffold_build_project(hosts, test__dir, run_opts)
 
-      # Provide an RPM directory to process and a dummy RPM to sign
-      on(hosts, %(#{run_cmd} "mkdir '#{rpms__dir}'"))
+      # Provide an RPM directory to process
+      on(hosts, %(#{run_cmd} "mkdir '#{rpms__dir}'"), run_opts)
 
       # Ensure a DVD directory exists that is appropriate to each SUT
       hosts.each do |host|
-        on(host, %(#{run_cmd} "mkdir -p '#{host__dirs[host][:dvd_dir]}'"), opts)
+        on(host, %(#{run_cmd} "mkdir -p '#{host__dirs[host][:dvd_dir]}'"), run_opts)
       end
     end
 
@@ -56,6 +62,15 @@ describe 'rake pkg:signrpms' do
     let(:src_rpm) { src__rpm }
     let(:test_rpm) { "#{rpms__dir}/#{File.basename(src__rpm)}" }
     let(:dirs) { host__dirs }
+    let(:dev_keydir) { "#{gpg__keysdir}/dev" }
+    let(:extra_env) { extra__env }
+    let(:digest_algo_param) { digest__algo }
+    let(:digest_algo_result) { digest__algo ? digest__algo.upcase : 'SHA256'  }
+    let(:signrpm_cmd) {
+      extra_args = digest_algo_param ? ",false,#{digest_algo_param}" : ''
+      "SIMP_PKG_verbose=yes #{extra_env} bundle exec rake pkg:signrpms[dev,'#{rpms_dir}'#{extra_args}]"
+    }
+    let(:checksig_cmd) { "#{extra_env} bundle exec rake pkg:checksig[#{rpms_dir}]" }
   end
 
   let(:rpm_unsigned_regex) do
@@ -63,78 +78,314 @@ describe 'rake pkg:signrpms' do
   end
 
   let(:rpm_signed_regex) do
-    %r{^Signature\s+:\s+.*,\s*Key ID (?<key_id>[0-9a-f]+)$}
+    %r{^Signature\s+:\s+\w+/(?<digest_algo>.*?),.*,\s*Key ID (?<key_id>[0-9a-f]+)$}
   end
 
   let(:expired_keydir) do
+    # NOTE: This expired keydir actually works on EL7 and EL8, even though
+    # the newer gpg version creates different files than those in this
+    # directory.
     "#{build_user_host_files}/spec/acceptance/files/build/pkg/gpg-keydir.expired.2018-04-06"
   end
 
+  shared_examples 'it does not leave the gpg-agent daemon running' do
+    it 'does not leave the gpg-agent daemon running' do
+      hosts.each do |host|
+        expect(gpg_agent_running?(host, dev_keydir)).to be false
+      end
+    end
+  end
+
+  shared_examples 'it verifies RPM signatures' do
+    let(:public_gpgkeys_dir) { 'src/assets/gpgkeys/GPGKEYS' }
+    it 'verifies RPM signatures' do
+      hosts.each do |host|
+        # mock out the simp-gpgkeys project checkout so that the pkg:checksig
+        # doesn't fail before reading in the generated 'dev' GPGKEY
+        on(host, %(#{run_cmd} "cd '#{test_dir}'; mkdir -p #{public_gpgkeys_dir}"), run_opts)
+        on(host, %(#{run_cmd} "cd '#{test_dir}'; touch #{public_gpgkeys_dir}/RPM-GPG-KEY-empty"), run_opts)
+        on(host, %(#{run_cmd} "cd '#{test_dir}'; #{checksig_cmd}"), run_opts)
+      end
+    end
+  end
+
   shared_examples 'it creates a new GPG dev signing key' do
     it 'creates a new GPG dev signing key' do
-      on(hosts, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}']"), opts)
+      on(hosts, %(#{run_cmd} "cd '#{test_dir}'; #{signrpm_cmd}"), run_opts)
       hosts.each do |host|
-        expect { dev_signing_key_id(host, test_dir, opts) }.not_to(raise_error)
+        expect(dev_signing_key_id(host, dev_keydir, run_opts)).to_not be_empty
+        expect(file_exists_on(host,"#{dirs[host][:dvd_dir]}/RPM-GPG-KEY-SIMP-Dev")).to be true
       end
     end
+
+    include_examples('it does not leave the gpg-agent daemon running')
   end
 
   shared_examples 'it begins with unsigned RPMs' do
     it 'begins with unsigned RPMs' do
-      prep_rpms_dir(rpms_dir, [src_rpm], opts)
-      rpms_before_signing = on(hosts, %(#{run_cmd} "rpm -qip '#{test_rpm}' | grep ^Signature"), opts)
+      prep_rpms_dir(rpms_dir, [src_rpm], run_opts)
+      rpms_before_signing = on(hosts, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
       rpms_before_signing.each do |result|
         expect(result.stdout).to match rpm_unsigned_regex
       end
     end
   end
 
-  shared_examples 'it signs RPM packages in the directory using the GPG dev signing key' do
-    it 'signs RPM packages in the directory using the GPG dev signing key' do
-      on(hosts, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}']"), opts)
-      rpms_after_signing = on(hosts, %(#{run_cmd} "rpm -qip '#{test_rpm}' | grep ^Signature"), opts)
-      rpms_after_signing.each do |result|
-        host = hosts_with_name(hosts, result.host).first
-        on(host, "gpg --list-keys --homedir='#{dirs[host][:dev_keydir]}'", opts)
+  shared_examples 'it creates GPG dev signing key and signs packages' do
+    it 'creates GPG dev signing key and signs packages' do
+      hosts.each do |host|
+        # NOTE: pkg:signrpms will not actually fail if it can't sign a RPM
+        on(hosts, %(#{run_cmd} "cd '#{test_dir}'; #{signrpm_cmd}"), run_opts)
+
+        expect(file_exists_on(host,"#{dirs[host][:dvd_dir]}/RPM-GPG-KEY-SIMP-Dev")).to be true
 
+        result = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
         expect(result.stdout).to match rpm_signed_regex
         signed_rpm_data = rpm_signed_regex.match(result.stdout)
-        expect(signed_rpm_data[:key_id]).to eql dev_signing_key_id(host, test_dir, opts)
+        expect(signed_rpm_data[:key_id]).to eql dev_signing_key_id(host, dev_keydir, run_opts)
+        expect(signed_rpm_data[:digest_algo]).to eql digest_algo_result
       end
     end
+
+    include_examples('it does not leave the gpg-agent daemon running')
   end
 
-  describe 'when starting without a dev key' do
-    include_context('a freshly-scaffolded test project', 'pkg-signrpms')
+  shared_examples 'it signs RPM packages using existing GPG dev signing key' do
+    it 'signs RPM packages using existing GPG dev signing key' do
+      hosts.each do |host|
+        existing_key_id = dev_signing_key_id(host, dev_keydir, run_opts)
+
+        on(hosts, %(#{run_cmd} "cd '#{test_dir}'; #{signrpm_cmd}"), run_opts)
+
+        result = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+        expect(result.stdout).to match rpm_signed_regex
+        signed_rpm_data = rpm_signed_regex.match(result.stdout)
+        expect(signed_rpm_data[:key_id]).to eql existing_key_id
+        expect(signed_rpm_data[:digest_algo]).to eql digest_algo_result
+      end
+    end
+
+    include_examples('it does not leave the gpg-agent daemon running')
+  end
+
+
+  describe 'when starting without a dev key and no RPMs to sign' do
+    include_context('a freshly-scaffolded test project', 'create-key')
     include_examples('it creates a new GPG dev signing key')
+  end
+
+  describe 'when starting without a dev key and RPMs to sign' do
+    include_context('a freshly-scaffolded test project', 'signrpms')
     include_examples('it begins with unsigned RPMs')
-    include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+    include_examples('it creates GPG dev signing key and signs packages')
+    include_examples('it verifies RPM signatures')
 
-    context 'when there is an unexpired GPG dev signing key' do
+    context 'when there is an unexpired GPG dev signing key and the packages are unsigned' do
       include_examples('it begins with unsigned RPMs')
-      include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+      include_examples('it signs RPM packages using existing GPG dev signing key')
+      include_examples('it verifies RPM signatures')
     end
   end
 
   describe 'when starting with an expired dev key' do
-    include_context('a freshly-scaffolded test project', 'pkg-signrpms-expired_dev_key')
+    include_context('a freshly-scaffolded test project', 'signrpms-expired')
 
     it 'begins with an expired GPG signing key' do
-      prep_rpms_dir(rpms_dir, [src_rpm], opts)
+      prep_rpms_dir(rpms_dir, [src_rpm], run_opts)
       hosts.each do |host|
         copy_expired_keydir_to_dev_cmds = [
-          "mkdir -p '$(dirname '#{dirs[host][:dev_keydir]}')'",
-          "cp -aT '#{expired_keydir}' '#{dirs[host][:dev_keydir]}'",
+          "mkdir -p '$(dirname '#{dev_keydir}')'",
+          "cp -aT '#{expired_keydir}' '#{dev_keydir}'",
           "ls -lart '#{expired_keydir}'"
         ].join(' && ')
-        on(host, %(#{run_cmd} "#{copy_expired_keydir_to_dev_cmds}"), opts)
-        result = on(host, %(#{run_cmd} "gpg --list-keys --homedir='#{dirs[host][:dev_keydir]}'"), opts)
+        on(host, %(#{run_cmd} "#{copy_expired_keydir_to_dev_cmds}"), run_opts)
+        result = on(host, %(#{run_cmd} "gpg --list-keys --homedir='#{dev_keydir}'"), run_opts)
         expect(result.stdout).to match(/expired: 2018-04-06/)
       end
     end
 
+    include_examples('it begins with unsigned RPMs')
+    include_examples('it creates GPG dev signing key and signs packages')
+    include_examples('it verifies RPM signatures')
+  end
+
+  describe 'when packages are already signed' do
+    let(:keysdir)  { "#{test_dir}/.dev_gpgkeys" }
+
+    include_context('a freshly-scaffolded test project', 'force')
+
+    context 'initial package signing' do
+      include_examples('it begins with unsigned RPMs')
+      include_examples('it creates GPG dev signing key and signs packages')
+    end
+
+    context 'when force is disabled' do
+      before :each do
+        # remove the initial signing key
+        on(hosts, %(#{run_cmd} 'rm -rf #{keysdir}'))
+      end
+
+      it 'creates new GPG signing key but does not resign RPMs' do
+        hosts.each do |host|
+          # force defaults to false
+          on(host, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}']"), run_opts)
+
+          result = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+          expect(result.stdout).to match rpm_signed_regex
+          signed_rpm_data = rpm_signed_regex.match(result.stdout)
+
+          # verify RPM is not signed with the new signing key
+          expect(signed_rpm_data[:key_id]).to_not eql dev_signing_key_id(host, dev_keydir, run_opts)
+        end
+      end
+
+      it 'does not verify RPM signatures with the new key' do
+        public_gpgkeys_dir = 'src/assets/gpgkeys/GPGKEYS'
+        hosts.each do |host|
+          # mock out the simp-gpgkeys project checkout so that the pkg:checksig
+          # doesn't fail before reading in the new generated 'dev' GPGKEY
+          on(host, %(#{run_cmd} "cd '#{test_dir}'; mkdir -p #{public_gpgkeys_dir}"), run_opts)
+          on(host, %(#{run_cmd} "cd '#{test_dir}'; touch #{public_gpgkeys_dir}/RPM-GPG-KEY-empty"), run_opts)
+          result = on(host, %(#{run_cmd} "cd '#{test_dir}'; #{checksig_cmd}"),
+            :acceptable_exit_codes => [1]
+          )
+
+          expect(result.stderr).to match('ERROR: Untrusted RPMs found in the repository')
+        end
+      end
+    end
+
+    context 'when force is enabled' do
+      before :each do
+        # remove the initial signing key
+        on(hosts, %(#{run_cmd} 'rm -rf #{keysdir}'))
+      end
+
+      it 'creates new GPG signing key and resigns RPMs' do
+        hosts.each do |host|
+          on(host, %(#{run_cmd} "cd '#{test_dir}'; bundle exec rake pkg:signrpms[dev,'#{rpms_dir}',true]"), run_opts)
+
+          result = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+          expect(result.stdout).to match rpm_signed_regex
+          signed_rpm_data = rpm_signed_regex.match(result.stdout)
+
+          # verify RPM is signed with the new signing key
+          expect(signed_rpm_data[:key_id]).to eql dev_signing_key_id(host, dev_keydir, run_opts)
+        end
+      end
+    end
+  end
+
+  describe 'when SIMP_PKG_build_keys_dir is set' do
+    opts = { :gpg_keysdir => '/home/build_user/.dev_gpgpkeys' }
+    include_context('a freshly-scaffolded test project', 'custom-keys-dir', opts)
+    include_examples('it begins with unsigned RPMs')
+    include_examples('it creates GPG dev signing key and signs packages')
+  end
+
+  describe 'when digest algorithm is specified' do
+    opts = { :digest_algo => 'sha384' }
+    include_context('a freshly-scaffolded test project', 'custom-digest-algo', opts)
+    include_examples('it begins with unsigned RPMs')
+    include_examples('it creates GPG dev signing key and signs packages')
+    include_examples('it verifies RPM signatures')
+  end
+
+  describe 'when some rpm signing fails' do
+    include_context('a freshly-scaffolded test project', 'signing-failure')
+    include_examples('it begins with unsigned RPMs')
+
+    it 'should create a malformed RPM' do
+      on(hosts, %(#{run_cmd} "echo 'OOPS' > #{rpms_dir}/oops-test.rpm"))
+    end
+
+    it 'should sign all valid RPMs before failing' do
+      hosts.each do |host|
+        result = on(host,
+          %(#{run_cmd} "cd '#{test_dir}'; SIMP_PKG_verbose="yes" #{signrpm_cmd}"),
+         :acceptable_exit_codes => [1]
+        )
+
+        expect(result.stderr).to match('ERROR: Failed to sign some RPMs')
+
+        signature_check = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+        expect(signature_check.stdout).to match rpm_signed_regex
+      end
+    end
+  end
+
+  describe 'when wrong keyword password is specified' do
+    include_context('a freshly-scaffolded test project', 'wrong-password')
     include_examples('it creates a new GPG dev signing key')
+
+    it 'should corrupt the password of new key' do
+      key_gen_file = File.join(dev_keydir, 'gengpgkey')
+      on(hosts, "sed -i -e \"s/^Passphrase: /Passphrase: OOPS/\" #{key_gen_file}")
+    end
+
     include_examples('it begins with unsigned RPMs')
-    include_examples('it signs RPM packages in the directory using the GPG dev signing key')
+
+    it 'should fail to sign any rpms and notify user of each failure' do
+      hosts.each do |host|
+        result = on(host,
+          %(#{run_cmd} "cd '#{test_dir}'; SIMP_PKG_verbose="yes" #{signrpm_cmd}"),
+         :acceptable_exit_codes => [1]
+        )
+
+        err_msg = %r(Error occurred while attempting to sign #{test_rpm})
+        expect(result.stderr).to match(err_msg)
+
+        signature_check = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+        expect(signature_check.stdout).to match rpm_unsigned_regex
+      end
+    end
+  end
+
+  hosts.each do |host|
+    os_major =  fact_on(host,'operatingsystemmajrelease')
+    if os_major > '7'
+      # this problem only happens on EL > 7 in a docker container
+      describe "when gpg-agent's socket path is too long on #{host}" do
+        opts = { :gpg_keysdir => '/home/build_user/this/results/in/a/gpg_agent/socket/path/that/is/longer/than/one/hundred/eight/characters' }
+        include_context('a freshly-scaffolded test project', 'long-socket-path', opts)
+
+        context 'when the gpg key needs to be created ' do
+          it 'should fail to sign any rpms' do
+            on(host,
+               %(#{run_cmd} "cd '#{test_dir}'; SIMP_PKG_verbose="yes" #{signrpm_cmd}"),
+              :acceptable_exit_codes => [1]
+            )
+          end
+        end
+
+        context 'when the gpg key already exists' do
+          # This would be when a GPG key dir was populated with keys generated elsewhere.
+          # Reuse the keys from an earlier test.
+          it 'should copy existing key files into the gpg key dir' do
+            source_dir = '/home/build_user/test-create-key/.dev_gpgkeys/dev'
+            on(host, %(#{run_cmd} "cp -r #{source_dir}/* #{dev_keydir}"))
+          end
+
+          include_examples('it begins with unsigned RPMs')
+
+          it 'should fail to sign any rpms and notify user of each failure' do
+            # For rpm-sign-4.14.2-11.el8_0, 'rpm --resign' hangs instead of failing
+            # when gpg-agent fails to start.
+            # Set the default smaller than the 30 second default, so that we don't
+            # wait so long for the failure.
+            result = on(host,
+              %(#{run_cmd} "cd '#{test_dir}'; SIMP_PKG_rpmsign_timeout=5 SIMP_PKG_verbose="yes" #{signrpm_cmd}"),
+              :acceptable_exit_codes => [1]
+            )
+
+            err_msg = %r(Failed to sign #{test_rpm} in 5 seconds)
+            expect(result.stderr).to match(err_msg)
+
+            signature_check = on(host, "rpm -qip '#{test_rpm}' | grep ^Signature", run_opts)
+            expect(signature_check.stdout).to match rpm_unsigned_regex
+          end
+        end
+      end
+    end
   end
 end