go: fix RPM signature verification in signing-ticket script

go/release-checklist.md

@@ -62,7 +62,7 @@ GitHub release:
 {%- if sample_signing_key_update_tag %}
  - [ ] Wait until the Bodhi update shows "Signed :heavy_check_mark:" in the Metadata box.
  - [ ] Verify that the signing script can fetch the release binaries by running `./signing-ticket.sh test <x.y.z-r> <output-dir>`, where `r` is the Release of the Fedora package without the dist tag (probably `1`)
- - [ ] Run `./signing-ticket.sh ticket <x.y.z-r>` and paste the output into a [releng ticket](forge.fedoraproject.org/releng/tickets/issues/new).
+ - [ ] Run `./signing-ticket.sh ticket <x.y.z-r>` and paste the output into a [releng ticket](https://forge.fedoraproject.org/releng/tickets/issues/new).
  - [ ] Wait for the ticket to be closed
  - [ ] Download the artifacts and signatures
  - [ ] Verify the signatures

go/signing-ticket.sh

@@ -33,7 +33,7 @@ do_sign() {
 # Grab the binaries out of the redistributable rpm
 rpm="{{ signing_base }}-redistributable-${VR}.noarch.rpm"
 koji download-build --key $RPMKEY --rpm $rpm
-rpm -qip $rpm | grep -P "^Signature.*${RPMKEY}$" # Verify the output has the key in it
+rpm -Kv "$rpm" 2>&1 | grep -qi "${RPMKEY}" # Verify the output has the key in it
 rpm2cpio $rpm | cpio -idv './usr/share/{{ fedora_package }}/{{ signing_base }}-*'
 
 # Rename the binaries