User rpm_verify instead of repeated manual parsing of rpm --checksign output

Additionally, rpm_verify understands the NO_SIGN enviroment variable.

Makefile

@@ -92,13 +92,13 @@ RPMS = rpm/noarch/qubes-logos-$(QBSLOGOS_VERSION)-*.rpm \
 
 update-repo:
 	ln -f $(RPMS) yum/installer/rpm/
-	export NO_SIGN
 	(cd yum && ./update_repo.sh)
 
 iso:
+	cp rpm_verify /usr/local/bin/
 	ln -sf `pwd` /tmp/qubes-installer
-	revisor --cli --config=conf/qubes-install.conf --model=qubes-x86_64 --install-dvd
+	NO_SIGN=$(NO_SIGN) revisor --cli --config=conf/qubes-install.conf --model=qubes-x86_64 --install-dvd -d99
-	rpm --checksig build/work/revisor-install/R1-*/qubes-x86_64/x86_64/os/Packages/*.rpm | grep -v pgp && exit 1 || true
+	rpm_verify build/work/revisor-install/R1-*/qubes-x86_64/x86_64/os/Packages/*.rpm
 
 clean:
 	rm -fr rpm/SOURCES/*.bz2

anaconda/scripts/buildinstall

@@ -202,7 +202,7 @@ else
     BASEARCH=`python -c "import rpmUtils.arch; \
       print rpmUtils.arch.getBaseArch(myarch=rpmUtils.arch.getCanonArch(skipRpmPlatform = True));"`
     yumdownloader -c $yumconf anaconda || exit 1
-    rpm --checksig anaconda*rpm | grep -v pgp && exit 1
+    rpm_verify anaconda*rpm || exit 1
     rpm2cpio anaconda*rpm | cpio --quiet -iumd './usr*'
     rm -f anaconda*rpm
     popd

anaconda/scripts/mk-images

@@ -1078,7 +1078,7 @@ for KERNELARCH in $arches; do
 
         yumdownloader -c $yumconf --archlist=$KERNELARCH $kpackage
         kpackage="$kpackage.rpm"
-        rpm --checksig $kpackage.rpm | grep -v pgp && exit 1
+        rpm_verify $kpackage.rpm || exit 1
         if [ ! -f "$kpackage" ]; then
             echo "kernel ($kernelvers) doesn't exist for $KERNELARCH.  skipping"
             continue
@@ -1103,14 +1103,14 @@ for KERNELARCH in $arches; do
         # expand out any available firmware too
         for p in $(repoquery -c $yumconf '*firmware*') ; do
             yumdownloader -c $yumconf $p
-            rpm --checksig *firmware*.rpm | grep -v pgp && exit 1
+            rpm_verify *firmware*.rpm || exit 1
             rpm2cpio *firmware*.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
             rm -f *firmware*.rpm
         done
         # and get XEN Hypervisor
         for p in $(repoquery -c $yumconf 'xen-hypervisor') ; do
             yumdownloader -c $yumconf $p
-            rpm --checksig xen-hypervisor*.rpm | grep -v pgp && exit 1
+            rpm_verify xen-hypervisor*.rpm || exit 1
             rpm2cpio xen-hypervisor*.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
             rm -f xen-hypervisor*.rpm
         done

anaconda/scripts/mk-images.efi

@@ -169,7 +169,7 @@ prepareEfiTree() {
     ydcmd="yumdownloader -c $yumconf $grubpkg"
     echo "(grubpkg) $ydcmd"
     $ydcmd
-    rpm --checksig $grubpkg.rpm | grep -v pgp && exit 1
+    rpm_verify $grubpkg.rpm || exit 1
     rpm2cpio $grubpkg.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
     cp -av $KERNELROOT/boot/efi/EFI/redhat/grub.efi $MBD_BOOTTREE_TMP/EFI/BOOT/grub.efi
 
@@ -196,7 +196,7 @@ prepareEfiTree() {
     ydcmd="yumdownloader -c ${yumconf} ${artpkg}"
     echo "(artpkg) $ydcmd"
     $ydcmd
-    rpm --checksig ${artpkg}.rpm | grep -v pgp && exit 1
+    rpm_verify ${artpkg}.rpm || exit 1
     rpm2cpio ${artpkg}.rpm | (cd $KERNELROOT; cpio --quiet -iumd)
     cp -av $KERNELROOT/boot/grub/splash.xpm.gz $MBD_BOOTTREE_TMP/$SPLASHPATH
 

revisor/F13-buildinstall

@@ -213,7 +213,7 @@ else
     BASEARCH=`python -c "import rpmUtils.arch; \
       print rpmUtils.arch.getBaseArch(myarch=rpmUtils.arch.getCanonArch(skipRpmPlatform = True));"`
     yumdownloader -c $yumconf anaconda || exit 1
-    rpm --checksig anaconda*rpm | grep -v pgp && exit 1
+    rpm_verify anaconda*rpm || exit 1
     rpm2cpio anaconda*rpm | cpio --quiet -iumd './usr*'
     rm -f anaconda*rpm
     popd

rpm_verify

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+verify_rpm() {
+RPM=$1
+
+if ! rpm --checksig $1 > /dev/null; then
+    echo "Wrong PGP signature!"
+    exit 1
+fi
+
+# Even if rpm returns success (ret = 0) that doesn't
+# mean that the rpm has been signed! It might simply
+# have no PGP signature at all. Yes, stupidity...
+
+if ! rpm --checksig $1 | grep pgp > /dev/null ; then
+    echo "No PGP signature found!"
+
+    if [ "$NO_SIGN" == "1" ] ; then
+        # When signing is disabed in qubes-builder
+        # This is used to build unsigned ISO
+        # This should only be used for testing builds
+        exit 0
+    fi
+
+    exit 2
+fi
+}
+
+
+echo "NO_SIGN = $NO_SIGN"
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <rpm file>"
+    exit 1
+fi
+
+for FILE in "$@"; do
+        echo -n "Veryfing: $FILE... "
+        verify_rpm $FILE && echo OK.
+done
+

yum/update_repo.sh

@@ -4,7 +4,7 @@
 # $1 -- path to rpm dir
 check_repo()
 {
-    if rpm --checksig $1/*.rpm | grep -v pgp > /dev/null ; then
+    if ! ../rpm_verify $1/*.rpm ; then
         echo "ERROR: There are unsigned RPM packages in $1 repo:"
         echo "---------------------------------------"
         rpm --checksig $1/*.rpm | grep -v pgp 
@@ -28,9 +28,7 @@ for repo in dom0-updates installer qubes-dom0 ; do
         echo "Empty repo, skipping..."
         continue
     fi
-    if [ x$NO_SIGN != x"1" ]; then
+    check_repo $repo/rpm -o $repo/repodata
-        check_repo $repo/rpm -o $repo/repodata || continue
-    fi
     update_repo $repo -o $repo/repodata
 done