From 2492505537bb7ee0decda80419859a4297c85d16 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Thu, 23 Jun 2011 12:20:14 +0200
Subject: [PATCH] Verify packages downloaded by yumdownloader (#229)
---
 Makefile | 1 +
 anaconda/scripts/buildinstall | 1 +
 anaconda/scripts/mk-images | 3 +++
 anaconda/scripts/mk-images.efi | 2 ++
 revisor/F13-buildinstall | 1 +
 5 files changed, 8 insertions(+)
diff --git a/Makefile b/Makefile
index 6a50392..6ad23bb 100644
--- a/Makefile
+++ b/Makefile
@@ -97,6 +97,7 @@ update-repo:
 iso:
 ln -sf `pwd` /tmp/qubes-installer
 revisor --cli --config=conf/qubes-install.conf --model=qubes-x86_64 --install-dvd
+ rpm --checksig build/work/revisor-install/R1-Beta1/qubes-x86_64/x86_64/os/Packages/*.rpm | grep -v pgp && exit 1
 clean:
 rm -fr rpm/SOURCES/*.bz2
diff --git a/anaconda/scripts/buildinstall b/anaconda/scripts/buildinstall
index 3a75d9e..38cf7ba 100755
--- a/anaconda/scripts/buildinstall
+++ b/anaconda/scripts/buildinstall
@@ -202,6 +202,7 @@ else
 BASEARCH=`python -c "import rpmUtils.arch; \
 print rpmUtils.arch.getBaseArch(myarch=rpmUtils.arch.getCanonArch(skipRpmPlatform = True));"`
 yumdownloader -c $yumconf anaconda || exit 1
+ rpm --checksig anaconda*rpm | grep -v pgp && exit 1
 rpm2cpio anaconda*rpm | cpio --quiet -iumd './usr*'
 rm -f anaconda*rpm
 popd
diff --git a/anaconda/scripts/mk-images b/anaconda/scripts/mk-images
index 5979ece..04e42c3 100755
--- a/anaconda/scripts/mk-images
+++ b/anaconda/scripts/mk-images
@@ -1077,6 +1077,7 @@ for KERNELARCH in $arches; do
 yumdownloader -c $yumconf --archlist=$KERNELARCH $kpackage
 kpackage="$kpackage.rpm"
+ rpm --checksig $kpackage.rpm | grep -v pgp && exit 1
 if [ ! -f "$kpackage" ]; then
 echo "kernel ($kernelvers) doesn't exist for $KERNELARCH. skipping"
 continue
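Review bot: In the Makefile `iso` recipe the added line returns a non-zero status even when every package verifies: `grep -v pgp` then selects nothing and exits 1, `&& exit 1` is skipped, and the list's status is grep's 1, which make treats as a failed recipe line. Writing it as `if rpm --checksig .../Packages/*.rpm | grep -v pgp; then exit 1; fi` keeps the failure on an unsigned package and returns 0 otherwise. The check also sits after `revisor ... --install-dvd`, so it presumably inspects packages that have already gone into the image; a failed check should at least leave no usable output behind.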
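Review bot: The check added after `yumdownloader -c $yumconf anaconda` in anaconda/scripts/buildinstall passes whenever `rpm --checksig` prints nothing on stdout, because only grep's output decides the result; a missing file or an unmatched glob is reported on stderr and the build carries on to `rpm2cpio`. It also ignores rpm's own exit status and accepts the substring `pgp` anywhere in the line, file name included. A fail-closed form is `out=$(rpm --checksig anaconda*rpm) || exit 1` followed by `printf '%s\n' "$out" | grep -v pgp && exit 1`, where empty output is rejected as well. As far as I can tell the signature is accepted for any key imported into the build host's rpm database, so a comment naming the expected signing keys would help. The same pattern is added in mk-images, mk-images.efi and revisor/F13-buildinstall.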
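Review bot: In anaconda/scripts/mk-images the kernel check names the wrong file: the context line just above already sets `kpackage="$kpackage.rpm"`, so `rpm --checksig $kpackage.rpm` looks for `<name>.rpm.rpm`. rpm would report the missing file on stderr, grep sees no output, and the kernel package goes on unverified. Use `rpm --checksig "$kpackage" | grep -v pgp && exit 1`, placed after the `[ ! -f "$kpackage" ]` test so the skip path for a missing kernel is unchanged. The enclosing `for KERNELARCH` loop starts and ends outside the hunk.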
@@ -1101,12 +1102,14 @@ for KERNELARCH in $arches; do
 # expand out any available firmware too
 for p in $(repoquery -c $yumconf '*firmware*') ; do
 yumdownloader -c $yumconf $p
+ rpm --checksig *firmware*.rpm | grep -v pgp && exit 1
 rpm2cpio *firmware*.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
 rm -f *firmware*.rpm
 done
 # and get XEN Hypervisor
 for p in $(repoquery -c $yumconf 'xen-hypervisor') ; do
 yumdownloader -c $yumconf $p
+ rpm --checksig xen-hypervisor*.rpm | grep -v pgp && exit 1
 rpm2cpio xen-hypervisor*.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
 rm -f xen-hypervisor*.rpm
 done
diff --git a/anaconda/scripts/mk-images.efi b/anaconda/scripts/mk-images.efi
index 2c9ce0f..d672f49 100644
--- a/anaconda/scripts/mk-images.efi
+++ b/anaconda/scripts/mk-images.efi
@@ -169,6 +169,7 @@ prepareEfiTree() {
 ydcmd="yumdownloader -c $yumconf $grubpkg"
 echo "(grubpkg) $ydcmd"
 $ydcmd
+ rpm --checksig $grubpkg.rpm | grep -v pgp && exit 1
 rpm2cpio $grubpkg.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
 cp -av $KERNELROOT/boot/efi/EFI/redhat/grub.efi $MBD_BOOTTREE_TMP/EFI/BOOT/grub.efi
@@ -195,6 +196,7 @@ prepareEfiTree() {
 ydcmd="yumdownloader -c ${yumconf} ${artpkg}"
 echo "(artpkg) $ydcmd"
 $ydcmd
+ rpm --checksig ${artpkg}.rpm | grep -v pgp && exit 1
 rpm2cpio ${artpkg}.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
 cp -av $KERNELROOT/boot/grub/splash.xpm.gz $MBD_BOOTTREE_TMP/$SPLASHPATH
diff --git a/revisor/F13-buildinstall b/revisor/F13-buildinstall
index 8bb3bef..b7602e4 100755
--- a/revisor/F13-buildinstall
+++ b/revisor/F13-buildinstall
@@ -213,6 +213,7 @@ else
 BASEARCH=`python -c "import rpmUtils.arch; \
 print rpmUtils.arch.getBaseArch(myarch=rpmUtils.arch.getCanonArch(skipRpmPlatform = True));"`
 yumdownloader -c $yumconf anaconda || exit 1
+ rpm --checksig anaconda*rpm | grep -v pgp && exit 1
 rpm2cpio anaconda*rpm | cpio --quiet -iumd './usr*'
 rm -f anaconda*rpm
 popd