From 56814824ee48f1a694c66d7f2b323ef01e366f9e Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Tue, 3 Dec 2024 13:58:09 +0100
Subject: [PATCH 1/2] new function get_src_tarball_name; deprecates getsrcname

Some places in the code that need this, like verify.py, do not have app and build instances, but do have appid and versionCode. And fdroidserver/build.py is going away.
---
 fdroidserver/build.py | 4 ++--
 fdroidserver/common.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fdroidserver/build.py b/fdroidserver/build.py
index 4cae5d26..41df2c1c 100644
--- a/fdroidserver/build.py
+++ b/fdroidserver/build.py
@@ -306,7 +306,7 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
 else:
 ftp.chdir(posixpath.join(homedir, 'unsigned'))
 apkfile = common.get_release_filename(app, build)
- tarball = common.getsrcname(app, build)
+ tarball = common.get_src_tarball_name(app.id, build.versionCode)
 try:
 ftp.get(apkfile, os.path.join(output_dir, apkfile))
 if not options.notarball:
@@ -619,7 +619,7 @@ def build_local(app, build, vcs, build_dir, output_dir, log_dir, srclib_dir, ext
 if not options.notarball:
 # Build the source tarball right before we build the release...
 logging.info("Creating source tarball...")
- tarname = common.getsrcname(app, build)
+ tarname = common.get_src_tarball_name(app.id, build.versionCode)
 tarball = tarfile.open(os.path.join(tmp_dir, tarname), "w:gz")
 def tarexc(t):
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index a6cf2009..0f692111 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -1130,8 +1130,8 @@ def get_toolsversion_logname(app, build):
 return "%s_%s_toolsversion.log" % (app.id, build.versionCode)
-def getsrcname(app, build):
- return "%s_%s_src.tar.gz" % (app.id, build.versionCode)
+def get_src_tarball_name(appid, versionCode):
+ return f"{appid}_{versionCode}_src.tar.gz"
 def get_build_dir(app):
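Review bot: The subject says "deprecates getsrcname", but the @@ -1130 hunk in fdroidserver/common.py removes the function outright, so any caller other than the two build.py call sites updated in this patch would fail with AttributeError at run time; whether such callers exist is not visible here. A thin shim would match the stated intent, e.g. `def getsrcname(app, build):` followed by `return get_src_tarball_name(app.id, build.versionCode)`, ideally emitting a deprecation warning. The new function also has no docstring; a one-liner such as `"""Return the file name of the source tarball for the given appid and versionCode."""` would help, and since the arguments are now plain values that end up in a file name, it is worth stating there that callers are expected to pass an already validated application ID.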
From 5deb936e86621789ab53eabedb51685fc84dae12 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Tue, 3 Dec 2024 14:16:06 +0100
Subject: [PATCH 2/2] verify: --clean-up-verified to rm all files except the JSON report
---
 fdroidserver/common.py | 9 ++++++++-
 fdroidserver/verify.py | 22 +++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 0f692111..f600d0d2 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -3649,7 +3649,9 @@ def sign_apk(unsigned_path, signed_path, keyalias):
 os.remove(unsigned_path)
-def verify_apks(signed_apk, unsigned_apk, tmp_dir, v1_only=None):
+def verify_apks(
+ signed_apk, unsigned_apk, tmp_dir, v1_only=None, clean_up_verified=False
+):
 """Verify that two apks are the same.
 One of the inputs is signed, the other is unsigned. The signature metadata
@@ -3669,6 +3671,8 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir, v1_only=None):
 v1_only
 True for v1-only signatures, False for v1 and v2 signatures,
 or None for autodetection
+ clean_up_verified
+ Remove any files created here if the verification succeeded.
 Returns
 -------
@@ -3705,6 +3709,9 @@ def verify_apks(signed_apk, unsigned_apk, tmp_dir, v1_only=None):
 if result is not None:
 error += '\nComparing reference APK to APK with copied signature...\n' + result
 return error
+ if clean_up_verified and os.path.exists(tmp_apk):
+ logging.info(f"...cleaned up {tmp_apk} after successful verification")
+ os.remove(tmp_apk)
 logging.info('...successfully verified')
 return None
diff --git a/fdroidserver/verify.py b/fdroidserver/verify.py
index 41b46ada..9ed46407 100644
--- a/fdroidserver/verify.py
+++ b/fdroidserver/verify.py
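Review bot: In the @@ -3705 hunk of verify_apks, `os.path.exists(tmp_apk)` followed by `os.remove(tmp_apk)` is a check-then-act sequence: if the file disappears in between, FileNotFoundError escapes from a verification that had already succeeded, and the "...cleaned up" message is logged before the removal is even attempted. Removing first and treating a missing file as already clean avoids both problems; the cleanup loop added to fdroidserver/verify.py in this patch has the same shape. The docstring added in the @@ -3669 hunk promises removal of "any files created here", while this hunk removes only tmp_apk; whether the function creates other files is not visible here. verify_apks starts and ends outside the hunk.

```python
    if clean_up_verified:
        try:
            os.remove(tmp_apk)
        except FileNotFoundError:
            pass  # nothing left to clean up
        else:
            logging.info(f"...cleaned up {tmp_apk} after successful verification")
    # … unchanged: final '...successfully verified' log and return None …
```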
@@ -157,6 +157,12 @@ def main():
 nargs='*',
 help=_("application ID with optional versionCode in the form APPID[:VERCODE]"),
 )
+ parser.add_argument(
+ "--clean-up-verified",
+ action="store_true",
+ default=False,
+ help=_("Remove source tarball and any APKs if successfully verified."),
+ )
 parser.add_argument(
 "--reuse-remote-apk",
 action="store_true",
@@ -224,12 +230,26 @@ def main():
 ) from e
 unsigned_apk = os.path.join(unsigned_dir, apkfilename)
- compare_result = common.verify_apks(remote_apk, unsigned_apk, tmp_dir)
+ compare_result = common.verify_apks(
+ remote_apk,
+ unsigned_apk,
+ tmp_dir,
+ clean_up_verified=options.clean_up_verified,
+ )
 if options.output_json:
 write_json_report(url, remote_apk, unsigned_apk, compare_result)
 if compare_result:
 raise FDroidException(compare_result)
+ if options.clean_up_verified:
+ src_tarball = os.path.join(
+ unsigned_dir, common.get_src_tarball_name(appid, vercode)
+ )
+ for f in (remote_apk, unsigned_apk, src_tarball):
+ if os.path.exists(f):
+ logging.info(f"...cleaned up {f} after successful verification")
+ os.remove(f)
+
 logging.info("...successfully verified")
 verified += 1
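Review bot: When `options.clean_up_verified` is set but `options.output_json` is not, the loop in the @@ -224 hunk deletes the remote APK, the local build and the source tarball and leaves only a log line as the record of what was verified, although the commit subject assumes the JSON report survives. Consider warning about or rejecting that combination right after option parsing, e.g. `if options.clean_up_verified and not options.output_json: logging.warning(_("--clean-up-verified without --output-json leaves no record of the verification"))`. The src_tarball path is built from appid and vercode, whose origin is outside the hunk; a short comment saying where they are validated before being joined to unsigned_dir and passed to `os.remove` would make the deletion easier to audit. main() starts and ends outside the hunk.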