livecd-tools: apply patches for verifying downloaded packages

Livecd-creator is one more example of program which happily installs
whatever downloads from the network, without any verification
(repository metadata consistency doesn't count)...

Patches sent upstream here:
https://github.com/rhinstaller/livecd-tools/pull/14

livecd-tools/0001-Set-repo.gpgkey-when-provided-in-kickstart.patch

@@ -0,0 +1,57 @@
+From 2055ba32ac4751a52da1ad600cb820eea76cd8b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Fri, 7 Aug 2015 03:26:30 +0200
+Subject: [PATCH 1/2] Set repo.gpgkey when provided in kickstart
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+ imgcreate/creator.py   | 6 +++++-
+ imgcreate/kickstart.py | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/imgcreate/creator.py b/imgcreate/creator.py
+index 42faf6f..c3ed346 100644
+--- a/imgcreate/creator.py
++++ b/imgcreate/creator.py
+@@ -627,7 +627,7 @@ class ImageCreator(object):
+         ayum.setup(yum_conf, self._instroot, cacheonly=self.cacheonly)
+ 
+         for repo in kickstart.get_repos(self.ks, repo_urls):
+-            (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify) = repo
++            (name, baseurl, mirrorlist, proxy, inc, exc, cost, sslverify, gpgkey) = repo
+ 
+             yr = ayum.addRepository(name, baseurl, mirrorlist)
+             if inc:
+@@ -639,6 +639,10 @@ class ImageCreator(object):
+             if cost is not None:
+                 yr.cost = cost
+             yr.sslverify = sslverify
++            if gpgkey:
++                yr.gpgcheck = True
++                yr.gpgkey = yum.parser.varReplace(gpgkey, ayum.conf.yumvar)
++
+         ayum.setup(yum_conf, self._instroot)
+ 
+         if kickstart.exclude_docs(self.ks):
+diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
+index 1059801..b8b3c82 100644
+--- a/imgcreate/kickstart.py
++++ b/imgcreate/kickstart.py
+@@ -551,7 +551,7 @@ def get_repos(ks, repo_urls = {}):
+ 
+         if repos.has_key(repo.name):
+             logging.warn("Overriding already specified repo %s" %(repo.name,))
+-        repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify)
++        repos[repo.name] = (repo.name, baseurl, mirrorlist, proxy, inc, exc, repo.cost, sslverify, repo.gpgkey)
+ 
+     return repos.values()
+ 
+-- 
+2.1.0
+

livecd-tools/0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch

@@ -0,0 +1,80 @@
+From ad81fa7d70111c2d29cb44a17c3511c49538d66d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Sat, 26 Sep 2015 06:14:05 +0200
+Subject: [PATCH 2/2] Actually use repo.gpgkey - verify signatures before
+ installing the packages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+ imgcreate/yuminst.py | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py
+index 22e840c..17f4774 100644
+--- a/imgcreate/yuminst.py
++++ b/imgcreate/yuminst.py
+@@ -178,7 +178,7 @@ class LiveCDYum(yum.YumBase):
+         repo.metadata_expire = 0
+         repo.mirrorlist_expire = 0
+         repo.timestamp_check = 0
+-        # disable gpg check???
++        # disable gpg by default, enable it later when gpgkey specified
+         repo.gpgcheck = 0
+         repo.enable()
+         repo.setup(self.conf.cache)
+@@ -195,6 +195,33 @@ class LiveCDYum(yum.YumBase):
+                     return True
+         return False
+ 
++    def gpgsigcheck(self, pkgs):
++        """Perform GPG signature verification on the given packages,
++        installing keys if possible.
++
++        :param pkgs: a list of package objects to verify the GPG
++           signatures of
++        :return: non-zero if execution should stop due to an error
++        :raises: Will raise :class:`CreatorError` if there's a problem
++        """
++        for po in pkgs:
++            result, errmsg = self.sigCheckPkg(po)
++
++            if result == 0:
++                # Verified ok, or verify not req'd
++                continue
++
++            elif result == 1:
++                # keys are provided through kickstart, so treat this as consent
++                # for importing them
++                self.getKeyForPackage(po, lambda x, y, z: True)
++
++            else:
++                # Fatal error
++                raise CreatorError(errmsg)
++
++        return 0
++
+ 
+     def runInstall(self):
+         os.environ["HOME"] = "/"
+@@ -211,7 +238,11 @@ class LiveCDYum(yum.YumBase):
+ 
+         dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers()))
+         self.downloadPkgs(dlpkgs)
+-        # FIXME: sigcheck?
++
++        # Check GPG signatures
++        if self.gpgsigcheck(dlpkgs) != 0:
++            raise CreatorError("GPG signature verification failed")
++
+ 
+         self.initActionTs()
+         self.populateTs(keepold=0)
+-- 
+2.1.0
+

livecd-tools/livecd-tools.spec

@@ -23,6 +23,8 @@ URL: http://git.fedorahosted.org/git/livecd
 Source0: http://fedorahosted.org/releases/l/i/livecd/%{name}-%{version}.tar.bz2
 # Drop the requirements for grub2-efi and shim: breaks 32-bit compose
 # and not needed as we have them in comps
+Patch0: 0001-Set-repo.gpgkey-when-provided-in-kickstart.patch
+Patch1: 0002-Actually-use-repo.gpgkey-verify-signatures-before-in.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: python-imgcreate = %{epoch}:%{version}-%{release}
 Requires: mkisofs
@@ -78,6 +80,9 @@ like live image or appliances.
 %prep
 %setup -q
 
+%patch0 -p1
+%patch1 -p1
+
 %build
 make