QubesOS
/
qubes-installer-qubes-os
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

lorax, pungi: pass gpgkey info from pungi to lorax

Browse Source 
Since lorax is running as a separate process, it no longer use
repositories objects setup by pykickstart (which is already patched to
support gpgkey). This means we need somehow pass that info, otherwise
packages will not be verified.

QubesOS/qubes-issues#1807
pull/2/head
Marek Marczykowski-Górecki 8 years ago
parent 32a75c4f78
commit f2edc02cac
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
5 changed files with 168 additions and 0 deletions
Show Stats Download Patch File Download Diff File

66
lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
Unescape View File

@ -0,0 +1,66 @@
From 7adfe384c4eea406ec9c4d2445ebac1a3e986d05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Thu, 21 Apr 2016 02:15:54 +0200
Subject: [PATCH] Allow specify gpg key for a repository
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Quite hacky way, but current command line syntax doesn't support
additional per-repository settings.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
src/sbin/lorax | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/sbin/lorax b/src/sbin/lorax
index f92aeb9..831fc6b 100755
--- a/src/sbin/lorax
+++ b/src/sbin/lorax
@@ -60,13 +60,13 @@ def main(args):
required.add_argument("-p", "--product", help="product name", required=True, metavar="STRING")
required.add_argument("-v", "--version", help="version identifier", required=True, metavar="STRING")
required.add_argument("-r", "--release", help="release information", required=True, metavar="STRING")
- required.add_argument("-s", "--source", help="source repository (may be listed multiple times)",
+ required.add_argument("-s", "--source", help="source repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
metavar="REPOSITORY", action="append", default=[], required=True)
# optional arguments
optional = parser.add_argument_group("optional arguments")
optional.add_argument("-m", "--mirrorlist",
- help="mirrorlist repository (may be listed multiple times)",
+ help="mirrorlist repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
metavar="REPOSITORY", action="append", default=[])
optional.add_argument("-t", "--variant",
help="variant name", metavar="STRING")
@@ -274,6 +274,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
continue
repo_name = "lorax-repo-%d" % i
repo = dnf.repo.Repo(repo_name, cachedir)
+ if '(' in r and ')' in r:
+ assert r[-1] == ')'
+ r, gpgkey = r[:-1].split('(')
+ repo.gpgkey = [gpgkey]
+ repo.gpgcheck = True
repo.baseurl = [r]
if proxy:
repo.proxy = proxy
@@ -294,6 +299,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
continue
repo_name = "lorax-mirrorlist-%d" % i
repo = dnf.repo.Repo(repo_name, cachedir)
+ if '(' in r and ')' in r:
+ assert r[-1] == ')'
+ r, gpgkey = r[:-1].split('(')
+ repo.gpgkey = [gpgkey]
+ repo.gpgcheck = True
repo.mirrorlist = r
if proxy:
repo.proxy = proxy
--
2.1.0

48
lorax/0002-verify-packages-signature.patch
Unescape View File

@ -0,0 +1,48 @@
From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Thu, 21 Apr 2016 13:46:33 +0200
Subject: [PATCH] verify packages signature
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
src/pylorax/ltmpl.py | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
index 7fc4d54..661790d 100644
--- a/src/pylorax/ltmpl.py
+++ b/src/pylorax/ltmpl.py
@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
logger.error("Failed to download the following packages: %s", e)
raise
+ try:
+ for po in pkgs_to_download:
+ # before doing anything with the package, verify its signature
+ result, errmsg = self.dbo.sigCheckPkg(po)
+ if result == 0:
+ # Verified ok, or verify not req'd
+ pass
+ elif result == 1:
+ # keys are provided through kickstart, so treat this as consent
+ # for importing them
+ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
+ else:
+ # Fatal error
+ raise dnf.exceptions.Error(errmsg)
+ except dnf.exceptions.Error as e:
+ logger.error("Failed to verify signature: %s", e)
+ raise
+
logger.info("Preparing transaction from installation source")
try:
display = LoraxRpmCallback()
--
2.1.0

4
lorax/lorax.spec
Unescape View File

@ -18,6 +18,8 @@ URL: https://github.com/rhinstaller/lorax
# tito build --tgz
Source0: %{name}-%{version}.tar.gz
Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
Patch1: 0001-Allow-specify-gpg-key-for-a-repository.patch
Patch2: 0002-verify-packages-signature.patch
BuildRequires: python3-devel
BuildRequires: python3-pocketlint >= 0.5
@ -110,6 +112,8 @@ to run Anaconda.
%setup -q -n %{name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build

48
pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
Unescape View File

@ -0,0 +1,48 @@
From 3599db0a7bb047ac482eef45b0885ff8d8318d8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Wed, 20 Apr 2016 03:06:02 +0200
Subject: [PATCH] Hacky way to pass gpgkey to lorax
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Since lorax is running in separate process, it no longer use repo
objects initialized by pungi. Because of this, gpgkey+gpgcheck must be
passed down some other way. Appending it to the repository URL is awful,
but is effective:
- if lorax version used doesn't support verification, it will fail
(good)
- it binds key to the repository
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
pungi/gather.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pungi/gather.py b/pungi/gather.py
index 66212d2..6be45e6 100644
--- a/pungi/gather.py
+++ b/pungi/gather.py
@@ -1413,13 +1413,14 @@ class Pungi(PungiBase):
pass
for repo in self.ksparser.handler.repo.repoList:
+ url_suffix = '({})'.format(repo.gpgkey) if repo.gpgkey else ''
if repo.mirrorlist:
# The not bool() thing is because pykickstart is yes/no on
# whether to ignore groups, but yum is a yes/no on whether to
# include groups. Awkward.
- cmd.extend(["--mirrorlist", repo.mirrorlist])
+ cmd.extend(["--mirrorlist", repo.mirrorlist + url_suffix])
else:
- cmd.extend(["--source", repo.baseurl])
+ cmd.extend(["--source", repo.baseurl + url_suffix])
# Add the repo in the destdir to our yum object
cmd.extend(["--source", "file://%s" % self.topdir])
--
2.1.0

2
pungi/pungi.spec
Unescape View File

@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/pungi/attachment/wiki/%{version}/%{name
Patch1: 0001-Set-repository-gpgkey-option.patch
Patch2: 0002-Verify-downloaded-packages.patch
Patch3: disable-efi.patch
Patch4: Hacky-way-to-pass-gpgkey-to-lorax.patch
#Patch5: fix-recursive-partition-table-on-iso-image.patch
#Patch6: disable-upgrade.patch
BuildRequires: python-nose, python-nose-cov, python-mock
@ -53,6 +54,7 @@ A tool to create anaconda based installation trees/isos of a set of rpms.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
#%%patch5 -p1
#%%patch6 -p1

Write Preview
Loading…
Cancel
Save