diff --git a/livecd-tools/0001-Set-repo.gpgkey-when-provided-in-kickstart.patch b/livecd-tools/0001-Set-repo.gpgkey-when-provided-in-kickstart.patch new file mode 100644 index 0000000..45d6ca9 --- /dev/null +++ b/livecd-tools/0001-Set-repo.gpgkey-when-provided-in-kickstart.patch @@ -0,0 +1,57 @@ +From 2055ba32ac4751a52da1ad600cb820eea76cd8b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Fri, 7 Aug 2015 03:26:30 +0200 +Subject: [PATCH 1/2] Set repo.gpgkey when provided in kickstart +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Organization: Invisible Things Lab +Cc: Marek Marczykowski-Górecki + +Signed-off-by: Marek Marczykowski-Górecki +--- + imgcreate/creator.py | 6 +++++- + imgcreate/kickstart.py | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/imgcreate/creator.py b/imgcreate/creator.py +index 42faf6f..c3ed346 100644 +--- a/imgcreate/creator.py ++++ b/imgcreate/creator.py +@@ -627,7 +627,7 @@ class ImageCreator(object): + ayum.setup(yum_conf, self._instroot, cacheonly=self.cacheonly) + + for repo in kickstart.get_repos(self.ks, repo_urls): +- (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo ++ (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify, gpgkey) = repo + + yr = ayum.addRepository(name, baseurl, mirrorlist) + if inc: +@@ -639,6 +639,10 @@ class ImageCreator(object): + if cost is not None: + yr.cost = cost + yr.sslverify = sslverify ++ if gpgkey: ++ yr.gpgcheck = True ++ yr.gpgkey = yum.parser.varReplace(gpgkey, ayum.conf.yumvar) ++ + ayum.setup(yum_conf, self._instroot) + + if kickstart.exclude_docs(self.ks): +diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py +index 1059801..b8b3c82 100644 +--- a/imgcreate/kickstart.py ++++ b/imgcreate/kickstart.py +@@ -551,7 +551,7 @@ def get_repos(ks, repo_urls = {}): + + if repos.has_key(repo.name): + logging.warn("Overriding already specified repo %s" %(repo.name,)) +- repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify) ++ repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify, repo.gpgkey) + + return repos.values() + +-- +2.1.0 + diff --git a/livecd-tools/0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch b/livecd-tools/0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch new file mode 100644 index 0000000..d18fea1 --- /dev/null +++ b/livecd-tools/0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch @@ -0,0 +1,80 @@ +From ad81fa7d70111c2d29cb44a17c3511c49538d66d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Sat, 26 Sep 2015 06:14:05 +0200 +Subject: [PATCH 2/2] Actually use repo.gpgkey - verify signatures before + installing the packages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Organization: Invisible Things Lab +Cc: Marek Marczykowski-Górecki + +Signed-off-by: Marek Marczykowski-Górecki +--- + imgcreate/yuminst.py | 35 +++++++++++++++++++++++++++++++++-- + 1 file changed, 33 insertions(+), 2 deletions(-) + +diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py +index 22e840c..17f4774 100644 +--- a/imgcreate/yuminst.py ++++ b/imgcreate/yuminst.py +@@ -178,7 +178,7 @@ class LiveCDYum(yum.YumBase): + repo.metadata_expire = 0 + repo.mirrorlist_expire = 0 + repo.timestamp_check = 0 +- # disable gpg check??? ++ # disable gpg by default, enable it later when gpgkey specified + repo.gpgcheck = 0 + repo.enable() + repo.setup(self.conf.cache) +@@ -195,6 +195,33 @@ class LiveCDYum(yum.YumBase): + return True + return False + ++ def gpgsigcheck(self, pkgs): ++ """Perform GPG signature verification on the given packages, ++ installing keys if possible. ++ ++ :param pkgs: a list of package objects to verify the GPG ++ signatures of ++ :return: non-zero if execution should stop due to an error ++ :raises: Will raise :class:`CreatorError` if there's a problem ++ """ ++ for po in pkgs: ++ result, errmsg = self.sigCheckPkg(po) ++ ++ if result == 0: ++ # Verified ok, or verify not req'd ++ continue ++ ++ elif result == 1: ++ # keys are provided through kickstart, so treat this as consent ++ # for importing them ++ self.getKeyForPackage(po, lambda x, y, z: True) ++ ++ else: ++ # Fatal error ++ raise CreatorError(errmsg) ++ ++ return 0 ++ + + def runInstall(self): + os.environ["HOME"] = "/" +@@ -211,7 +238,11 @@ class LiveCDYum(yum.YumBase): + + dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers())) + self.downloadPkgs(dlpkgs) +- # FIXME: sigcheck? ++ ++ # Check GPG signatures ++ if self.gpgsigcheck(dlpkgs) != 0: ++ raise CreatorError("GPG signature verification failed") ++ + + self.initActionTs() + self.populateTs(keepold=0) +-- +2.1.0 + diff --git a/livecd-tools/livecd-tools.spec b/livecd-tools/livecd-tools.spec index 06b84ac..2b8ed4b 100644 --- a/livecd-tools/livecd-tools.spec +++ b/livecd-tools/livecd-tools.spec @@ -23,6 +23,8 @@ URL: http://git.fedorahosted.org/git/livecd Source0: http://fedorahosted.org/releases/l/i/livecd/%{name}-%{version}.tar.bz2 # Drop the requirements for grub2-efi and shim: breaks 32-bit compose # and not needed as we have them in comps +Patch0: 0001-Set-repo.gpgkey-when-provided-in-kickstart.patch +Patch1: 0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root Requires: python-imgcreate = %{epoch}:%{version}-%{release} Requires: mkisofs @@ -78,6 +80,9 @@ like live image or appliances. %prep %setup -q +%patch0 -p1 +%patch1 -p1 + %build make