From 10b346a1e1f355a571b77e473b49a89ae98bd005 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 28 Sep 2015 20:24:54 +0200
Subject: [PATCH] pungi: verify downloaded (but not installed packages)
This way all the packages are verified, not only those installed in installer image (by lorax). This makes manual rpm --checksig redundant.
---
 Makefile | 1 -
 .../support-verify-downloaded-packages.patch | 25 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 514a7b0..8dfc2ed 100644
--- a/Makefile
+++ b/Makefile
@@ -130,7 +130,6 @@ iso:
 createrepo -q -g ../../conf/comps-qubes.xml --update yum/qubes-dom0
 mkdir -p work
 pushd work && pungi --name=Qubes $(PUNGI_OPTS) -c $(PWD)/conf/qubes-kickstart.cfg && popd
- ./rpm_verify work/$(ISO_VERSION)/x86_64/os/Packages/*/*.rpm
 # Move result files to known-named directories
 mkdir -p build/ISO/qubes-x86_64/iso build/work
 mv work/$(ISO_VERSION)/x86_64/iso/*-DVD.iso build/ISO/qubes-x86_64/iso/
diff --git a/pungi/support-verify-downloaded-packages.patch b/pungi/support-verify-downloaded-packages.patch
index 1c2003f..5f01eda 100644
--- a/pungi/support-verify-downloaded-packages.patch
+++ b/pungi/support-verify-downloaded-packages.patch
@@ -56,3 +56,28 @@ Index: pungi-3.03/src/pypungi/__init__.py
 self.logger.info('Getting sacks for arches %s' % self.valid_arches)
 self.ayum._getSacks(archlist=self.valid_arches)
+diff --git a/src/pypungi/__init__.py b/src/pypungi/__init__.py
+index fc6a7c7..72cfddf 100644
+--- a/src/pypungi/__init__.py
++++ b/src/pypungi/__init__.py
+@@ -1096,6 +1096,20 @@ class Pungi(pypungi.PungiBase):
+ sys.exit(1)
+ 
+ for po in polist:
++ # before doing anything with the package, verify its signature
++ result, errmsg = self.ayum.sigCheckPkg(po)
++ if result == 0:
++ # Verified ok, or verify not req'd
++ pass
++ elif result == 1:
++ # keys are provided through kickstart, so treat this as consent
++ # for importing them
++ self.ayum.getKeyForPackage(po, lambda x, y, z: True)
++ else:
++ # Fatal error
++ self.logger.error(errmsg)
++ sys.exit(1)
++ 
+ basename = os.path.basename(po.relativepath)
+ 
+ local = po.localPkg()
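Review bot: The `elif result == 1` branch has no failure path of its own: `self.ayum.getKeyForPackage(po, lambda x, y, z: True)` raises yum's `YumBaseError` when no key for the repo can be imported or, if I read yum correctly, when the package still fails `sigCheckPkg` after the import, so that case ends in an unhandled traceback instead of the logged `self.logger.error(...)` + `sys.exit(1)` exit the `else` branch uses; wrapping the call in `try: ... except Exception as e: self.logger.error(str(e)); sys.exit(1)` (or the narrower `YumBaseError`, if `yum` is imported in this module) would make both failure paths consistent. The `result == 0` branch also covers "verify not req'd", i.e. packages from a repo configured with gpgcheck disabled pass through unsigned, so the removal of `./rpm_verify` in the Makefile hunk only preserves the "all packages are verified" guarantee as long as every repo in the kickstart has gpgcheck enabled — worth stating next to the `# Verified ok, or verify not req'd` comment, e.g. `# note: 0 also means the repo has gpgcheck disabled; all kickstart repos must keep gpgcheck=1`. The surrounding method of `Pungi` starts and ends outside the hunk.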