QubesOS
/
qubes-installer-qubes-os
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

livecd-tools: apply patches for verifying downloaded packages

Browse Source 
Livecd-creator is one more example of program which happily installs
whatever downloads from the network, without any verification
(repository metadata consistency doesn't count)...

Patches sent upstream here:
https://github.com/rhinstaller/livecd-tools/pull/14
release3.1
Marek Marczykowski-Górecki 9 years ago
parent ea9d843368
commit 8ec82b09f7
3 changed files with 142 additions and 0 deletions
Show Stats Download Patch File Download Diff File

57
livecd-tools/0001-Set-repo.gpgkey-when-provided-in-kickstart.patch
Unescape View File

@ -0,0 +1,57 @@
From 2055ba32ac4751a52da1ad600cb820eea76cd8b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Fri, 7 Aug 2015 03:26:30 +0200
Subject: [PATCH 1/2] Set repo.gpgkey when provided in kickstart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
imgcreate/creator.py | 6 +++++-
imgcreate/kickstart.py | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/imgcreate/creator.py b/imgcreate/creator.py
index 42faf6f..c3ed346 100644
--- a/imgcreate/creator.py
+++ b/imgcreate/creator.py
@@ -627,7 +627,7 @@ class ImageCreator(object):
ayum.setup(yum_conf, self._instroot, cacheonly=self.cacheonly)
for repo in kickstart.get_repos(self.ks, repo_urls):
- (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo
+ (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify, gpgkey) = repo
yr = ayum.addRepository(name, baseurl, mirrorlist)
if inc:
@@ -639,6 +639,10 @@ class ImageCreator(object):
if cost is not None:
yr.cost = cost
yr.sslverify = sslverify
+ if gpgkey:
+ yr.gpgcheck = True
+ yr.gpgkey = yum.parser.varReplace(gpgkey, ayum.conf.yumvar)
+
ayum.setup(yum_conf, self._instroot)
if kickstart.exclude_docs(self.ks):
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 1059801..b8b3c82 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -551,7 +551,7 @@ def get_repos(ks, repo_urls = {}):
if repos.has_key(repo.name):
logging.warn("Overriding already specified repo %s" %(repo.name,))
- repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify)
+ repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify, repo.gpgkey)
return repos.values()
--
2.1.0

80
livecd-tools/0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch
Unescape View File

@ -0,0 +1,80 @@
From ad81fa7d70111c2d29cb44a17c3511c49538d66d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Sat, 26 Sep 2015 06:14:05 +0200
Subject: [PATCH 2/2] Actually use repo.gpgkey - verify signatures before
installing the packages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
imgcreate/yuminst.py | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py
index 22e840c..17f4774 100644
--- a/imgcreate/yuminst.py
+++ b/imgcreate/yuminst.py
@@ -178,7 +178,7 @@ class LiveCDYum(yum.YumBase):
repo.metadata_expire = 0
repo.mirrorlist_expire = 0
repo.timestamp_check = 0
- # disable gpg check???
+ # disable gpg by default, enable it later when gpgkey specified
repo.gpgcheck = 0
repo.enable()
repo.setup(self.conf.cache)
@@ -195,6 +195,33 @@ class LiveCDYum(yum.YumBase):
return True
return False
+ def gpgsigcheck(self, pkgs):
+ """Perform GPG signature verification on the given packages,
+ installing keys if possible.
+
+ :param pkgs: a list of package objects to verify the GPG
+ signatures of
+ :return: non-zero if execution should stop due to an error
+ :raises: Will raise :class:`CreatorError` if there's a problem
+ """
+ for po in pkgs:
+ result, errmsg = self.sigCheckPkg(po)
+
+ if result == 0:
+ # Verified ok, or verify not req'd
+ continue
+
+ elif result == 1:
+ # keys are provided through kickstart, so treat this as consent
+ # for importing them
+ self.getKeyForPackage(po, lambda x, y, z: True)
+
+ else:
+ # Fatal error
+ raise CreatorError(errmsg)
+
+ return 0
+
def runInstall(self):
os.environ["HOME"] = "/"
@@ -211,7 +238,11 @@ class LiveCDYum(yum.YumBase):
dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers()))
self.downloadPkgs(dlpkgs)
- # FIXME: sigcheck?
+
+ # Check GPG signatures
+ if self.gpgsigcheck(dlpkgs) != 0:
+ raise CreatorError("GPG signature verification failed")
+
self.initActionTs()
self.populateTs(keepold=0)
--
2.1.0

5
livecd-tools/livecd-tools.spec
Unescape View File

@ -23,6 +23,8 @@ URL: http://git.fedorahosted.org/git/livecd
Source0: http://fedorahosted.org/releases/l/i/livecd/%{name}-%{version}.tar.bz2
# Drop the requirements for grub2-efi and shim: breaks 32-bit compose
# and not needed as we have them in comps
Patch0: 0001-Set-repo.gpgkey-when-provided-in-kickstart.patch
Patch1: 0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: python-imgcreate = %{epoch}:%{version}-%{release}
Requires: mkisofs
@ -78,6 +80,9 @@ like live image or appliances.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%build
make

Write Preview
Loading…
Cancel
Save