lorax, pungi: pass gpgkey info from pungi to lorax
Since lorax runs as a separate process, it no longer uses the repository objects set up by pykickstart (which is already patched to support gpgkey). This means we need to pass that info some other way, otherwise packages will not be verified. QubesOS/qubes-issues#1807
parent
32a75c4f78
commit
f2edc02cac
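--- a/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
+++ b/lorax/0001-Allow-specify-gpg-key-for-a-repository.patch
@@ -0,0 +1,66 @@
+From 7adfe384c4eea406ec9c4d2445ebac1a3e986d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Thu, 21 Apr 2016 02:15:54 +0200
+Subject: [PATCH] Allow specify gpg key for a repository
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+Quite hacky way, but current command line syntax doesn't support
+additional per-repository settings.
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+src/sbin/lorax | 14 ++++++++++++--
+1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/sbin/lorax b/src/sbin/lorax
+index f92aeb9..831fc6b 100755
+--- a/src/sbin/lorax
++++ b/src/sbin/lorax
+@@ -60,13 +60,13 @@ def main(args):
+required.add_argument("-p", "--product", help="product name", required=True, metavar="STRING")
+required.add_argument("-v", "--version", help="version identifier", required=True, metavar="STRING")
+required.add_argument("-r", "--release", help="release information", required=True, metavar="STRING")
+- required.add_argument("-s", "--source", help="source repository (may be listed multiple times)",
++ required.add_argument("-s", "--source", help="source repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+metavar="REPOSITORY", action="append", default=[], required=True)
+
+# optional arguments
+optional = parser.add_argument_group("optional arguments")
+optional.add_argument("-m", "--mirrorlist",
+- help="mirrorlist repository (may be listed multiple times)",
++ help="mirrorlist repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+metavar="REPOSITORY", action="append", default=[])
+optional.add_argument("-t", "--variant",
+help="variant name", metavar="STRING")
+@@ -274,6 +274,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+continue
+repo_name = "lorax-repo-%d" % i
+repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+repo.baseurl = [r]
+if proxy:
+repo.proxy = proxy
+@@ -294,6 +299,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+continue
+repo_name = "lorax-mirrorlist-%d" % i
+repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+repo.mirrorlist = r
+if proxy:
+repo.proxy = proxy
+--
+2.1.0
+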
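Review bot: The gpgkey-suffix parsing added in both get_dnf_base_object hunks validates its input with `assert r[-1] == ')'`, which is stripped under `python -O`, and then relies on `r[:-1].split('(')` unpacking into exactly two names, so a repository URL that legitimately contains a `(` raises ValueError (or, with -O and no trailing `)`, silently mangles the URL) instead of reporting a malformed argument. Replacing the two lines with `if not r.endswith(')'): raise ValueError("malformed gpgkey suffix in %r" % r)` and `r, sep, gpgkey = r[:-1].rpartition('(')` plus `if not sep or not gpgkey: raise ValueError(...)` fails clearly on bad input. The same five lines are duplicated for the --source and --mirrorlist loops; a small helper returning `(url, gpgkey_or_None)` would keep the two in step. A repository given without the suffix is silently left with gpgcheck unset, so a `logger.warning("%s: no gpgkey given, packages from it will not be verified", r)` on the other branch would make unverified inputs visible in the build log. get_dnf_base_object starts and ends outside both hunks.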
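--- a/lorax/0002-verify-packages-signature.patch
+++ b/lorax/0002-verify-packages-signature.patch
@@ -0,0 +1,48 @@
+From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Thu, 21 Apr 2016 13:46:33 +0200
+Subject: [PATCH] verify packages signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+src/pylorax/ltmpl.py | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
+index 7fc4d54..661790d 100644
+--- a/src/pylorax/ltmpl.py
++++ b/src/pylorax/ltmpl.py
+@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
+logger.error("Failed to download the following packages: %s", e)
+raise
+
++ try:
++ for po in pkgs_to_download:
++ # before doing anything with the package, verify its signature
++ result, errmsg = self.dbo.sigCheckPkg(po)
++ if result == 0:
++ # Verified ok, or verify not req'd
++ pass
++ elif result == 1:
++ # keys are provided through kickstart, so treat this as consent
++ # for importing them
++ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
++ else:
++ # Fatal error
++ raise dnf.exceptions.Error(errmsg)
++ except dnf.exceptions.Error as e:
++ logger.error("Failed to verify signature: %s", e)
++ raise
++
+logger.info("Preparing transaction from installation source")
+try:
+display = LoraxRpmCallback()
+--
+2.1.0
+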
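Review bot: The `result == 1` branch imports the repository key through `self.dbo.getKeyForPackage(po, lambda x, y, z: True)` and then falls through without calling `sigCheckPkg` again, so nothing in this hunk shows the package being re-verified once the key is present; unless dnf's getKeyForPackage re-checks internally (confirm against the dnf version lorax is built against), a second `result, errmsg = self.dbo.sigCheckPkg(po)` followed by the same `raise dnf.exceptions.Error(errmsg)` on non-zero result is needed here. The `result == 0` branch also covers "verify not req'd", i.e. packages from repositories configured without gpgcheck pass without any log line; a `logger.debug("signature check result %d for %s", result, po)` before the if would let a build log show which packages were actually verified. A short comment above the `try` documenting that the 0/1/other values are sigCheckPkg's contract and that the always-true callback is acceptable only because the key URL itself comes from the trusted repository configuration would help the next maintainer. The enclosing method starts and ends outside the hunk.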
@ -18,6 +18,8 @@ URL: https://github.com/rhinstaller/lorax
|
|||||||
# tito build --tgz
|
# tito build --tgz
|
||||||
Source0: %{name}-%{version}.tar.gz
|
Source0: %{name}-%{version}.tar.gz
|
||||||
Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
|
Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
|
||||||
|
Patch1: 0001-Allow-specify-gpg-key-for-a-repository.patch
|
||||||
|
Patch2: 0002-verify-packages-signature.patch
|
||||||
|
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: python3-pocketlint >= 0.5
|
BuildRequires: python3-pocketlint >= 0.5
|
||||||
@ -110,6 +112,8 @@ to run Anaconda.
|
|||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
|
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
|
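--- a/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
+++ b/pungi/Hacky-way-to-pass-gpgkey-to-lorax.patch
@@ -0,0 +1,48 @@
+From 3599db0a7bb047ac482eef45b0885ff8d8318d8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Wed, 20 Apr 2016 03:06:02 +0200
+Subject: [PATCH] Hacky way to pass gpgkey to lorax
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+Since lorax is running in separate process, it no longer use repo
+objects initialized by pungi. Because of this, gpgkey+gpgcheck must be
+passed down some other way. Appending it to the repository URL is awful,
+but is effective:
+- if lorax version used doesn't support verification, it will fail
+(good)
+- it binds key to the repository
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+pungi/gather.py | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/pungi/gather.py b/pungi/gather.py
+index 66212d2..6be45e6 100644
+--- a/pungi/gather.py
++++ b/pungi/gather.py
+@@ -1413,13 +1413,14 @@ class Pungi(PungiBase):
+pass
+
+for repo in self.ksparser.handler.repo.repoList:
++ url_suffix = '({})'.format(repo.gpgkey) if repo.gpgkey else ''
+if repo.mirrorlist:
+# The not bool() thing is because pykickstart is yes/no on
+# whether to ignore groups, but yum is a yes/no on whether to
+# include groups. Awkward.
+- cmd.extend(["--mirrorlist", repo.mirrorlist])
++ cmd.extend(["--mirrorlist", repo.mirrorlist + url_suffix])
+else:
+- cmd.extend(["--source", repo.baseurl])
++ cmd.extend(["--source", repo.baseurl + url_suffix])
+
+# Add the repo in the destdir to our yum object
+cmd.extend(["--source", "file://%s" % self.topdir])
+--
+2.1.0
+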
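Review bot: `url_suffix = '({})'.format(repo.gpgkey)` composes a string that the lorax side parses by splitting on `(` and the trailing `)`, so a gpgkey URL or a baseurl/mirrorlist that itself contains a parenthesis is passed through unchanged here and is then mis-split or rejected in lorax, far from where the bad value was read. Validating at this point, e.g. `for v in (repo.gpgkey, repo.mirrorlist or repo.baseurl):` and `if '(' in v or ')' in v: raise ValueError("parentheses not allowed in repo URL or gpgkey: %r" % v)`, fails at the kickstart boundary with a clear message. The type of `repo.gpgkey` is not visible in this hunk; if pykickstart stores it as a list rather than a string, `format()` would emit the list repr and lorax would receive an unusable key URL, so that is worth confirming against the pykickstart patch referenced in the commit message. A repo without gpgkey is passed without the suffix and will be consumed unverified, which a warning log at the empty-suffix case would make visible. The enclosing method starts and ends outside the hunk.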
@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/pungi/attachment/wiki/%{version}/%{name
|
|||||||
Patch1: 0001-Set-repository-gpgkey-option.patch
|
Patch1: 0001-Set-repository-gpgkey-option.patch
|
||||||
Patch2: 0002-Verify-downloaded-packages.patch
|
Patch2: 0002-Verify-downloaded-packages.patch
|
||||||
Patch3: disable-efi.patch
|
Patch3: disable-efi.patch
|
||||||
|
Patch4: Hacky-way-to-pass-gpgkey-to-lorax.patch
|
||||||
#Patch5: fix-recursive-partition-table-on-iso-image.patch
|
#Patch5: fix-recursive-partition-table-on-iso-image.patch
|
||||||
#Patch6: disable-upgrade.patch
|
#Patch6: disable-upgrade.patch
|
||||||
BuildRequires: python-nose, python-nose-cov, python-mock
|
BuildRequires: python-nose, python-nose-cov, python-mock
|
||||||
@ -53,6 +54,7 @@ A tool to create anaconda based installation trees/isos of a set of rpms.
|
|||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
#%%patch5 -p1
|
#%%patch5 -p1
|
||||||
#%%patch6 -p1
|
#%%patch6 -p1
|
||||||
|
|
||||||
|