diff --git a/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch b/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
new file mode 100644
index 0000000..f9fb9de
--- /dev/null
+++ b/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
@@ -0,0 +1,66 @@
+From 7adfe384c4eea406ec9c4d2445ebac1a3e986d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Thu, 21 Apr 2016 02:15:54 +0200
+Subject: [PATCH] Allow specify gpg key for a repository
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Quite hacky way, but current command line syntax doesn't support
+additional per-repository settings.
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ src/sbin/lorax | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/sbin/lorax b/src/sbin/lorax
+index f92aeb9..831fc6b 100755
+--- a/src/sbin/lorax
++++ b/src/sbin/lorax
+@@ -60,13 +60,13 @@ def main(args):
+ required.add_argument("-p", "--product", help="product name", required=True, metavar="STRING")
+ required.add_argument("-v", "--version", help="version identifier", required=True, metavar="STRING")
+ required.add_argument("-r", "--release", help="release information", required=True, metavar="STRING")
+- required.add_argument("-s", "--source", help="source repository (may be listed multiple times)",
++ required.add_argument("-s", "--source", help="source repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+ metavar="REPOSITORY", action="append", default=[], required=True)
+
+ # optional arguments
+ optional = parser.add_argument_group("optional arguments")
+ optional.add_argument("-m", "--mirrorlist",
+- help="mirrorlist repository (may be listed multiple times)",
++ help="mirrorlist repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+ metavar="REPOSITORY", action="append", default=[])
+ optional.add_argument("-t", "--variant",
+ help="variant name", metavar="STRING")
+@@ -274,6 +274,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+ continue
+ repo_name = "lorax-repo-%d" % i
+ repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+ repo.baseurl = [r]
+ if proxy:
+ repo.proxy = proxy
+@@ -294,6 +299,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+ continue
+ repo_name = "lorax-mirrorlist-%d" % i
+ repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+ repo.mirrorlist = r
+ if proxy:
+ repo.proxy = proxy
+--
+2.1.0
+
diff --git a/lorax/0002-verify-packages-signature.patch b/lorax/0002-verify-packages-signature.patch
new file mode 100644
index 0000000..fa5b9c0
--- /dev/null
+++ b/lorax/0002-verify-packages-signature.patch
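Review bot: In both added `if '(' in r and ')' in r:` blocks (the `--source` loop and the `--mirrorlist` loop of `get_dnf_base_object`), the only check that the key suffix is well-formed is `assert r[-1] == ')'`, which is stripped under `python -O`; a URL that merely contains parentheses then silently loses its last character, and `r[:-1].split('(')` raises an unhelpful `ValueError` (too many values to unpack) whenever the base URL contains more than one `(`. Since `r` comes straight from the command line, validate it explicitly and split on the last `(`; the five lines are also duplicated verbatim in both loops, so a small helper keeps the two paths identical. The help text in the first hunk says "in brackets" while the code accepts only parentheses; naming the form, e.g. `REPOSITORY(GPGKEY_URL)`, removes the ambiguity. Both loop bodies continue outside the hunk.
```python
def split_gpgkey(url):
    """Split "URL(KEYURL)" into (URL, KEYURL); KEYURL is None when no suffix is present."""
    if not url.endswith(')') or '(' not in url:
        return url, None
    base, _, gpgkey = url[:-1].rpartition('(')
    if not base or not gpgkey:
        raise ValueError("malformed repository specification: %r" % url)
    return base, gpgkey

# … unchanged: loop over repositories, repo_name / dnf.repo.Repo setup …
r, gpgkey = split_gpgkey(r)
if gpgkey:
    repo.gpgkey = [gpgkey]
    repo.gpgcheck = True
repo.baseurl = [r]
```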
@@ -0,0 +1,48 @@
+From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Thu, 21 Apr 2016 13:46:33 +0200
+Subject: [PATCH] verify packages signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ src/pylorax/ltmpl.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
+index 7fc4d54..661790d 100644
+--- a/src/pylorax/ltmpl.py
++++ b/src/pylorax/ltmpl.py
+@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
+ logger.error("Failed to download the following packages: %s", e)
+ raise
+
++ try:
++ for po in pkgs_to_download:
++ # before doing anything with the package, verify its signature
++ result, errmsg = self.dbo.sigCheckPkg(po)
++ if result == 0:
++ # Verified ok, or verify not req'd
++ pass
++ elif result == 1:
++ # keys are provided through kickstart, so treat this as consent
++ # for importing them
++ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
++ else:
++ # Fatal error
++ raise dnf.exceptions.Error(errmsg)
++ except dnf.exceptions.Error as e:
++ logger.error("Failed to verify signature: %s", e)
++ raise
++
+ logger.info("Preparing transaction from installation source")
+ try:
+ display = LoraxRpmCallback()
+--
+2.1.0
+
diff --git a/lorax/lorax.spec b/lorax/lorax.spec
index 2b4a114..5cf99f3 100644
--- a/lorax/lorax.spec
+++ b/lorax/lorax.spec
@@ -18,6 +18,8 @@ URL: https://github.com/rhinstaller/lorax
 # tito build --tgz
 Source0: %{name}-%{version}.tar.gz
 Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
+Patch1: 0001-Allow-specify-gpg-key-for-a-repository.patch
+Patch2: 0002-verify-packages-signature.patch
 BuildRequires: python3-devel
 BuildRequires: python3-pocketlint >= 0.5
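Review bot: In the `elif result == 1:` branch of the added verification loop in `LoraxTemplateRunner`, the package is accepted as soon as `getKeyForPackage` has imported a key, but `sigCheckPkg` is not run again for that package, so unless the import helper re-verifies internally (not visible here) a package whose signature does not match the newly imported key still leaves this loop as if it had passed. Add `result, errmsg = self.dbo.sigCheckPkg(po)` after the import and follow it with `if result != 0: raise dnf.exceptions.Error(errmsg)` so a still-failing package takes the same fatal path as the `else` branch. A short comment on the `result == 0` branch noting that `0` also covers repositories with `gpgcheck` off, so packages from repositories given without a key are not verified at all, would make the trust boundary explicit. `pkgs_to_download` is built outside the hunk, and the enclosing method starts before it.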
@@ -110,6 +112,8 @@ to run Anaconda.
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build
diff --git a/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch b/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
new file mode 100644
index 0000000..6a56a99
--- /dev/null
+++ b/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
@@ -0,0 +1,48 @@
+From 3599db0a7bb047ac482eef45b0885ff8d8318d8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Wed, 20 Apr 2016 03:06:02 +0200
+Subject: [PATCH] Hacky way to pass gpgkey to lorax
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Since lorax is running in separate process, it no longer use repo
+objects initialized by pungi. Because of this, gpgkey+gpgcheck must be
+passed down some other way. Appending it to the repository URL is awful,
+but is effective:
+ - if lorax version used doesn't support verification, it will fail
+ (good)
+ - it binds key to the repository
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ pungi/gather.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/pungi/gather.py b/pungi/gather.py
+index 66212d2..6be45e6 100644
+--- a/pungi/gather.py
++++ b/pungi/gather.py
+@@ -1413,13 +1413,14 @@ class Pungi(PungiBase):
+ pass
+
+ for repo in self.ksparser.handler.repo.repoList:
++ url_suffix = '({})'.format(repo.gpgkey) if repo.gpgkey else ''
+ if repo.mirrorlist:
+ # The not bool() thing is because pykickstart is yes/no on
+ # whether to ignore groups, but yum is a yes/no on whether to
+ # include groups. Awkward.
+- cmd.extend(["--mirrorlist", repo.mirrorlist])
++ cmd.extend(["--mirrorlist", repo.mirrorlist + url_suffix])
+ else:
+- cmd.extend(["--source", repo.baseurl])
++ cmd.extend(["--source", repo.baseurl + url_suffix])
+
+ # Add the repo in the destdir to our yum object
+ cmd.extend(["--source", "file://%s" % self.topdir])
+--
+2.1.0
+
diff --git a/pungi/pungi.spec b/pungi/pungi.spec
index a203817..3422f58 100644
--- a/pungi/pungi.spec
+++ b/pungi/pungi.spec
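Review bot: In the added `url_suffix` line of `Pungi`, the key URL is spliced into the repository argument with no check on the delimiter characters, so a `gpgkey`, `baseurl` or `mirrorlist` value that itself contains `(` or `)` yields an argument the receiving side cannot split unambiguously; failing early with `if repo.gpgkey and ('(' in repo.gpgkey or ')' in repo.gpgkey): raise ValueError("gpgkey URL must not contain parentheses: %r" % repo.gpgkey)` is clearer than a parse error in the lorax child process. The suffix is also emitted whenever `repo.gpgkey` is set, regardless of any per-repository gpgcheck setting the kickstart may carry (not visible here), and the local `file://%s` repository appended two lines below gets no suffix at all; a one-line comment stating that the key's presence alone turns verification on and that the local tree is trusted would record that decision. The loop sits in a method whose start and end are outside the hunk.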
@@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/pungi/attachment/wiki/%{version}/%{name
 Patch1: 0001-Set-repository-gpgkey-option.patch
 Patch2: 0002-Verify-downloaded-packages.patch
 Patch3: disable-efi.patch
+Patch4: Hacky-way-to-pass-gpgkey-to-lorax.patch
 #Patch5: fix-recursive-partition-table-on-iso-image.patch
 #Patch6: disable-upgrade.patch
 BuildRequires: python-nose, python-nose-cov, python-mock
@@ -53,6 +54,7 @@ A tool to create anaconda based installation trees/isos of a set of rpms.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 #%%patch5 -p1
 #%%patch6 -p1