lorax, pungi: pass gpgkey info from pungi to lorax

Since lorax runs as a separate process, it no longer uses the
repository objects set up by pykickstart (which is already patched to
support gpgkey). This means we need to pass that info some other way,
otherwise packages will not be verified.

QubesOS/qubes-issues#1807
Marek Marczykowski-Górecki 2016-04-21 02:29:09 +02:00
parent 32a75c4f78
commit f2edc02cac
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
5 changed files with 168 additions and 0 deletions


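--- /dev/null
+++ b/0001-Allow-specify-gpg-key-for-a-repository.patch
@@ -0,0 +1,66 @@
+From 7adfe384c4eea406ec9c4d2445ebac1a3e986d05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Thu, 21 Apr 2016 02:15:54 +0200
+Subject: [PATCH] Allow specify gpg key for a repository
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Quite hacky way, but current command line syntax doesn't support
+additional per-repository settings.
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+src/sbin/lorax | 14 ++++++++++++--
+1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/src/sbin/lorax b/src/sbin/lorax
+index f92aeb9..831fc6b 100755
+--- a/src/sbin/lorax
++++ b/src/sbin/lorax
+@@ -60,13 +60,13 @@ def main(args):
+required.add_argument("-p", "--product", help="product name", required=True, metavar="STRING")
+required.add_argument("-v", "--version", help="version identifier", required=True, metavar="STRING")
+required.add_argument("-r", "--release", help="release information", required=True, metavar="STRING")
+- required.add_argument("-s", "--source", help="source repository (may be listed multiple times)",
++ required.add_argument("-s", "--source", help="source repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+metavar="REPOSITORY", action="append", default=[], required=True)
+# optional arguments
+optional = parser.add_argument_group("optional arguments")
+optional.add_argument("-m", "--mirrorlist",
+- help="mirrorlist repository (may be listed multiple times)",
++ help="mirrorlist repository (may be listed multiple times), append gpgkey URL in brackets to enable package verification",
+metavar="REPOSITORY", action="append", default=[])
+optional.add_argument("-t", "--variant",
+help="variant name", metavar="STRING")
+@@ -274,6 +274,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+continue
+repo_name = "lorax-repo-%d" % i
+repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+repo.baseurl = [r]
+if proxy:
+repo.proxy = proxy
+@@ -294,6 +299,11 @@ def get_dnf_base_object(installroot, repositories, mirrorlists=None,
+continue
+repo_name = "lorax-mirrorlist-%d" % i
+repo = dnf.repo.Repo(repo_name, cachedir)
++ if '(' in r and ')' in r:
++ assert r[-1] == ')'
++ r, gpgkey = r[:-1].split('(')
++ repo.gpgkey = [gpgkey]
++ repo.gpgcheck = True
+repo.mirrorlist = r
+if proxy:
+repo.proxy = proxy
+--
+2.1.0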
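Review bot: The `assert r[-1] == ')'` guard in both new branches of get_dnf_base_object vanishes under `python -O`, and a `(` anywhere in the repository URL makes the two-value unpack from `split('(')` blow up with a bare ValueError; replace the assert with an explicit error and split on the last parenthesis: `if not r.endswith(')'): raise ValueError("expected URL(GPGKEY), got %r" % r)` followed by `r, gpgkey = r[:-1].rsplit('(', 1)`. Repositories given without the suffix are still created with gpgcheck left at its default and nothing records that, so an `else:` branch logging `"repository %s: no gpgkey given, packages will NOT be verified"` (on whatever logger the script uses) would keep unverified sources visible in the build log. The help text says "brackets" while the parser looks for parentheses; `append the gpgkey URL in parentheses, e.g. URL(KEYURL), to enable package verification` removes the ambiguity. get_dnf_base_object starts and ends outside the hunk.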


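--- /dev/null
+++ b/0002-verify-packages-signature.patch
@@ -0,0 +1,48 @@
+From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Thu, 21 Apr 2016 13:46:33 +0200
+Subject: [PATCH] verify packages signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+src/pylorax/ltmpl.py | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
+index 7fc4d54..661790d 100644
+--- a/src/pylorax/ltmpl.py
++++ b/src/pylorax/ltmpl.py
+@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
+logger.error("Failed to download the following packages: %s", e)
+raise
++ try:
++ for po in pkgs_to_download:
++ # before doing anything with the package, verify its signature
++ result, errmsg = self.dbo.sigCheckPkg(po)
++ if result == 0:
++ # Verified ok, or verify not req'd
++ pass
++ elif result == 1:
++ # keys are provided through kickstart, so treat this as consent
++ # for importing them
++ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
++ else:
++ # Fatal error
++ raise dnf.exceptions.Error(errmsg)
++ except dnf.exceptions.Error as e:
++ logger.error("Failed to verify signature: %s", e)
++ raise
++
+logger.info("Preparing transaction from installation source")
+try:
+display = LoraxRpmCallback()
+--
+2.1.0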
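Review bot: In the `result == 1` branch the package is not re-verified after `getKeyForPackage` imports the key; the loop simply moves on to the next package as if the check had passed. I believe dnf's import helper re-runs the signature check itself and raises when the new key does not help, but that is outside this hunk and version-dependent, so make the contract explicit by repeating the check after the import: `result, errmsg = self.dbo.sigCheckPkg(po)` / `if result != 0:` / `raise dnf.exceptions.Error(errmsg)`. The unconditional `lambda x, y, z: True` is only safe because every key URL reaches this code from operator-controlled input, which deserves to be stated where the lambda is: `# any key listed in repo.gpgkey is operator-supplied (kickstart/CLI), so importing it unattended is intended`. `sigCheckPkg`/`getKeyForPackage` are the older dnf Base names (later `package_signature_check`/`package_import_key`), which ties this patch to the dnf API of its time. The enclosing method starts and ends outside the hunk.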


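--- a/lorax.spec
+++ b/lorax.spec
@@ -18,6 +18,8 @@ URL: https://github.com/rhinstaller/lorax
 # tito build --tgz
 Source0: %{name}-%{version}.tar.gz
 Patch0: Drop-multiprocessing-for-do_transaction-1208296.patch
+Patch1: 0001-Allow-specify-gpg-key-for-a-repository.patch
+Patch2: 0002-verify-packages-signature.patch
 BuildRequires: python3-devel
 BuildRequires: python3-pocketlint >= 0.5
@@ -110,6 +112,8 @@ to run Anaconda.
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %build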


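--- /dev/null
+++ b/Hacky-way-to-pass-gpgkey-to-lorax.patch
@@ -0,0 +1,48 @@
+From 3599db0a7bb047ac482eef45b0885ff8d8318d8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+<marmarek@invisiblethingslab.com>
+Date: Wed, 20 Apr 2016 03:06:02 +0200
+Subject: [PATCH] Hacky way to pass gpgkey to lorax
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Since lorax is running in separate process, it no longer use repo
+objects initialized by pungi. Because of this, gpgkey+gpgcheck must be
+passed down some other way. Appending it to the repository URL is awful,
+but is effective:
+- if lorax version used doesn't support verification, it will fail
+(good)
+- it binds key to the repository
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+pungi/gather.py | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/pungi/gather.py b/pungi/gather.py
+index 66212d2..6be45e6 100644
+--- a/pungi/gather.py
++++ b/pungi/gather.py
+@@ -1413,13 +1413,14 @@ class Pungi(PungiBase):
+pass
+for repo in self.ksparser.handler.repo.repoList:
++ url_suffix = '({})'.format(repo.gpgkey) if repo.gpgkey else ''
+if repo.mirrorlist:
+# The not bool() thing is because pykickstart is yes/no on
+# whether to ignore groups, but yum is a yes/no on whether to
+# include groups. Awkward.
+- cmd.extend(["--mirrorlist", repo.mirrorlist])
++ cmd.extend(["--mirrorlist", repo.mirrorlist + url_suffix])
+else:
+- cmd.extend(["--source", repo.baseurl])
++ cmd.extend(["--source", repo.baseurl + url_suffix])
+# Add the repo in the destdir to our yum object
+cmd.extend(["--source", "file://%s" % self.topdir])
+--
+2.1.0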
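Review bot: A kickstart repo with no `gpgkey` gets an empty `url_suffix` and is handed to lorax unchanged, which leaves that repository unverified on the lorax side with nothing in the build output saying so; if the intent is that every remote source is verified, refuse (or at least warn about) such repos at the point `url_suffix` is computed: `if not repo.gpgkey: raise RuntimeError("repo %s has no gpgkey; refusing to build from an unverified source" % (repo.baseurl or repo.mirrorlist))`. The `file://%s` repo for `self.topdir` is added with no key, presumably because its packages were already signature-checked when pungi downloaded them (the spec's Patch2), but a one-line comment saying so would stop a future reader from "fixing" it: `# local destdir repo: contents already verified at download time, no gpgkey needed`. Since the encoding is ad hoc, a `(` or `)` inside the key URL would be mis-parsed by lorax; a guard such as `if any(c in repo.gpgkey for c in '()'): raise ValueError("gpgkey URL must not contain parentheses: %s" % repo.gpgkey)` keeps the two sides in sync. The enclosing method starts and ends outside the hunk.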


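--- a/pungi.spec
+++ b/pungi.spec
@@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/pungi/attachment/wiki/%{version}/%{name
 Patch1: 0001-Set-repository-gpgkey-option.patch
 Patch2: 0002-Verify-downloaded-packages.patch
 Patch3: disable-efi.patch
+Patch4: Hacky-way-to-pass-gpgkey-to-lorax.patch
 #Patch5: fix-recursive-partition-table-on-iso-image.patch
 #Patch6: disable-upgrade.patch
 BuildRequires: python-nose, python-nose-cov, python-mock
@@ -53,6 +54,7 @@ A tool to create anaconda based installation trees/isos of a set of rpms.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 #%%patch5 -p1
 #%%patch6 -p1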