pungi: verify downloaded (but not installed packages)

This way all the packages are verified, not only those installed in installer image (by lorax). This makes manual rpm --checksig redundant.
9 years ago · 10b346a1e1
parent 5796c78979
commit 10b346a1e1
2 changed files with 25 additions and 1 deletions
--- a/1
+++ b/1
@ -130,7 +130,6 @@ iso:
 	createrepo -q -g ../../conf/comps-qubes.xml --update yum/qubes-dom0
 	mkdir -p work
 	pushd work && pungi --name=Qubes  $(PUNGI_OPTS) -c $(PWD)/conf/qubes-kickstart.cfg && popd
-	./rpm_verify work/$(ISO_VERSION)/x86_64/os/Packages/*/*.rpm
 	# Move result files to known-named directories
 	mkdir -p build/ISO/qubes-x86_64/iso build/work
 	mv work/$(ISO_VERSION)/x86_64/iso/*-DVD.iso build/ISO/qubes-x86_64/iso/
--- a/pungi/support-verify-downloaded-packages.patch
+++ b/pungi/support-verify-downloaded-packages.patch
@ -56,3 +56,28 @@ Index: pungi-3.03/src/pypungi/__init__.py
 
         self.logger.info('Getting sacks for arches %s' % self.valid_arches)
         self.ayum._getSacks(archlist=self.valid_arches)
+diff --git a/src/pypungi/__init__.py b/src/pypungi/__init__.py
+index fc6a7c7..72cfddf 100644
+--- a/src/pypungi/__init__.py
+++ b/src/pypungi/__init__.py
+@@ -1096,6 +1096,20 @@ class Pungi(pypungi.PungiBase):
+             sys.exit(1)
+ 
+         for po in polist:
+            # before doing anything with the package, verify its signature
+            result, errmsg = self.ayum.sigCheckPkg(po)
+            if result == 0:
+                # Verified ok, or verify not req'd
+                pass
+            elif result == 1:
+                # keys are provided through kickstart, so treat this as consent
+                # for importing them
+                self.ayum.getKeyForPackage(po, lambda x, y, z: True)
+            else:
+                # Fatal error
+                self.logger.error(errmsg)
+                sys.exit(1)
+
+             basename = os.path.basename(po.relativepath)
+ 
+             local = po.localPkg()