From f2edc02caca90da1df943d96dd068bf0e32fc17c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 21 Apr 2016 02:29:09 +0200 Subject: [PATCH] lorax, pungi: pass gpgkey info from pungi to lorax Since lorax is running as a separate process, it no longer use repositories objects setup by pykickstart (which is already patched to support gpgkey). This means we need somehow pass that info, otherwise packages will not be verified. QubesOS/qubes-issues#1807
---
 ...low-specify-gpg-key-for-a-repository.patch | 66 +++++++++++++++++++
 lorax/0002-verify-packages-signature.patch | 48 ++++++++++++++
 lorax/lorax.spec | 4 ++
 pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch | 48 ++++++++++++++
 pungi/pungi.spec | 2 +
 5 files changed, 168 insertions(+)
 create mode 100644 lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
 create mode 100644 lorax/0002-verify-packages-signature.patch
 create mode 100644 pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
diff --git a/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch b/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
new file mode 100644
index 0000000..f9fb9de
--- /dev/null
+++ b/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
@@ -0,0 +1,66 @@
+From 7adfe384c4eea406ec9c4d2445ebac1a3e986d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Thu, 21 Apr 2016 02:15:54 +0200
+Subject: [PATCH] Allow specify gpg key for a repository
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Quite hacky way, but current command line syntax doesn't support
+additional per-repository settings.
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ src/sbin/lorax | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/sbin/lorax b/src/sbin/lorax
+index f92aeb9..831fc6b 100755
+--- a/src/sbin/lorax
++++ b/src/sbin/lorax
+@@ -60,13 +60,13 @@ def main(args):
+ required.add_argument("-p", "--product", help="product name", required=True, metavar="STRING")
+ required.add_argument("-v", "--version", help="version identifier", required=True, metavar="STRING")
+ required.add_argument("-r", "--release", help="release information", required=True, metavar="STRING")
+- required.add_argument("-s", "--source", help="source repository (may be listed multiple times)",
++ required.add_argument("-s", "--source", help="source repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+ metavar="REPOSITORY", action="append", default=[], required=True)
+
+ # optional arguments
+ optional = parser.add_argument_group("optional arguments")
+ optional.add_argument("-m", "--mirrorlist",
+- help="mirrorlist repository (may be listed multiple times)",
++ help="mirrorlist repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+ metavar="REPOSITORY", action="append", default=[])
+ optional.add_argument("-t", "--variant",
+ help="variant name", metavar="STRING")
+@@ -274,6 +274,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+ continue
+ repo_name = "lorax-repo-%d" % i
+ repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+ repo.baseurl = [r]
+ if proxy:
+ repo.proxy = proxy
+@@ -294,6 +299,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+ continue
+ repo_name = "lorax-mirrorlist-%d" % i
+ repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+ repo.mirrorlist = r
+ if proxy:
+ repo.proxy = proxy
+--
+2.1.0
+
diff --git a/lorax/0002-verify-packages-signature.patch b/lorax/0002-verify-packages-signature.patch
new file mode 100644
index 0000000..fa5b9c0
--- /dev/null
+++ b/lorax/0002-verify-packages-signature.patch
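Review bot: The `assert r[-1] == ')'` in both repository loops of `get_dnf_base_object` is the only validation of the bracket syntax, and Python removes assertions under `-O`, in which case a value that does not end in `)` would silently lose the last character of its key URL; an explicit check that raises keeps the guard in every mode. `r[:-1].split('(')` also fails with an unpacking `ValueError` when the URL itself contains a parenthesis, so `r, gpgkey = r[:-1].rsplit('(', 1)` is the more robust split. A repository passed without a bracketed key never has `gpgcheck` set here, so verification is opt-in per repository; a log line naming each repository that will not be verified would make that visible in the build output. The function starts and ends outside these hunks.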
@@ -0,0 +1,48 @@
+From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Thu, 21 Apr 2016 13:46:33 +0200
+Subject: [PATCH] verify packages signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ src/pylorax/ltmpl.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
+index 7fc4d54..661790d 100644
+--- a/src/pylorax/ltmpl.py
++++ b/src/pylorax/ltmpl.py
+@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
+ logger.error("Failed to download the following packages: %s", e)
+ raise
+
++ try:
++ for po in pkgs_to_download:
++ # before doing anything with the package, verify its signature
++ result, errmsg = self.dbo.sigCheckPkg(po)
++ if result == 0:
++ # Verified ok, or verify not req'd
++ pass
++ elif result == 1:
++ # keys are provided through kickstart, so treat this as consent
++ # for importing them
++ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
++ else:
++ # Fatal error
++ raise dnf.exceptions.Error(errmsg)
++ except dnf.exceptions.Error as e:
++ logger.error("Failed to verify signature: %s", e)
++ raise
++
+ logger.info("Preparing transaction from installation source")
+ try:
+ display = LoraxRpmCallback()
+--
+2.1.0
+
diff --git a/lorax/lorax.spec b/lorax/lorax.spec
index 2b4a114..5cf99f3 100644
--- a/lorax/lorax.spec
+++ b/lorax/lorax.spec
@@ -18,6 +18,8 @@ URL: https://github.com/rhinstaller/lorax
 # tito build --tgz
 Source0: %{name}-%{version}.tar.gz
 Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
+Patch1: 0001-Allow-specify-gpg-key-for-a-repository.patch
+Patch2: 0002-verify-packages-signature.patch
 BuildRequires: python3-devel
 BuildRequires: python3-pocketlint >= 0.5
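Review bot: In the `result == 1` branch the loop calls `self.dbo.getKeyForPackage(po, lambda x, y, z: True)` and then moves to the next package without checking `po` again, so the package is only known to be verified if `getKeyForPackage` itself re-checks the signature after the import and raises on failure, which this hunk does not show. If that is not guaranteed, follow the import with `result, errmsg = self.dbo.sigCheckPkg(po)` and `if result != 0: raise dnf.exceptions.Error(errmsg)`. The always-true callback also accepts whatever key the repository's gpgkey URL serves, so a comment such as `# trust rests on how the gpgkey URL is fetched; keys are not pinned by fingerprint` would document the assumption. The enclosing method starts and ends outside the hunk.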
@@ -110,6 +112,8 @@ to run Anaconda.
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build
diff --git a/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch b/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
new file mode 100644
index 0000000..6a56a99
--- /dev/null
+++ b/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
@@ -0,0 +1,48 @@
+From 3599db0a7bb047ac482eef45b0885ff8d8318d8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+
+Date: Wed, 20 Apr 2016 03:06:02 +0200
+Subject: [PATCH] Hacky way to pass gpgkey to lorax
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki
+
+Since lorax is running in separate process, it no longer use repo
+objects initialized by pungi. Because of this, gpgkey+gpgcheck must be
+passed down some other way. Appending it to the repository URL is awful,
+but is effective:
+ - if lorax version used doesn't support verification, it will fail
+ (good)
+ - it binds key to the repository
+
+Signed-off-by: Marek Marczykowski-Górecki
+---
+ pungi/gather.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/pungi/gather.py b/pungi/gather.py
+index 66212d2..6be45e6 100644
+--- a/pungi/gather.py
++++ b/pungi/gather.py
+@@ -1413,13 +1413,14 @@ class Pungi(PungiBase):
+ pass
+
+ for repo in self.ksparser.handler.repo.repoList:
++ url_suffix = '({})'.format(repo.gpgkey) if repo.gpgkey else ''
+ if repo.mirrorlist:
+ # The not bool() thing is because pykickstart is yes/no on
+ # whether to ignore groups, but yum is a yes/no on whether to
+ # include groups. Awkward.
+- cmd.extend(["--mirrorlist", repo.mirrorlist])
++ cmd.extend(["--mirrorlist", repo.mirrorlist + url_suffix])
+ else:
+- cmd.extend(["--source", repo.baseurl])
++ cmd.extend(["--source", repo.baseurl + url_suffix])
+
+ # Add the repo in the destdir to our yum object
+ cmd.extend(["--source", "file://%s" % self.topdir])
+--
+2.1.0
+
diff --git a/pungi/pungi.spec b/pungi/pungi.spec
index a203817..3422f58 100644
--- a/pungi/pungi.spec
+++ b/pungi/pungi.spec
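Review bot: `url_suffix` is empty whenever `repo.gpgkey` is unset, and the trailing `--source` for `file://%s` % `self.topdir` never carries one, so those repositories reach lorax without a key and, judging by the lorax patch in this same commit, are not signature-checked; the fail-closed behaviour only holds for repositories that define a key. If unverified repositories are not intended, log a warning or refuse them at this point in the loop. The `'({})'` encoding is also unescaped, so a `baseurl`, `mirrorlist` or key value containing `(` or `)` will be mis-parsed on the lorax side; rejecting such values before extending `cmd` keeps the two ends consistent. The loop sits in a method that starts and ends outside the hunk.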
@@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/pungi/attachment/wiki/%{version}/%{name
 Patch1: 0001-Set-repository-gpgkey-option.patch
 Patch2: 0002-Verify-downloaded-packages.patch
 Patch3: disable-efi.patch
+Patch4: Hacky-way-to-pass-gpgkey-to-lorax.patch
 #Patch5: fix-recursive-partition-table-on-iso-image.patch
 #Patch6: disable-upgrade.patch
 BuildRequires: python-nose, python-nose-cov, python-mock
@@ -53,6 +54,7 @@ A tool to create anaconda based installation trees/isos of a set of rpms.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 #%%patch5 -p1
 #%%patch6 -p1