f2edc02cac
Since lorax is running as a separate process, it no longer use repositories objects setup by pykickstart (which is already patched to support gpgkey). This means we need somehow pass that info, otherwise packages will not be verified. QubesOS/qubes-issues#1807
49 lines
1.8 KiB
Diff
49 lines
1.8 KiB
Diff
From 78f834f8d5b5f1ff56e04bb2b40cbb4fc4c21a12 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
|
|
<marmarek@invisiblethingslab.com>
|
|
Date: Thu, 21 Apr 2016 13:46:33 +0200
|
|
Subject: [PATCH] verify packages signature
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Organization: Invisible Things Lab
|
|
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
|
|
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
---
|
|
src/pylorax/ltmpl.py | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/src/pylorax/ltmpl.py b/src/pylorax/ltmpl.py
|
|
index 7fc4d54..661790d 100644
|
|
--- a/src/pylorax/ltmpl.py
|
|
+++ b/src/pylorax/ltmpl.py
|
|
@@ -578,6 +578,24 @@ class LoraxTemplateRunner(object):
|
|
logger.error("Failed to download the following packages: %s", e)
|
|
raise
|
|
|
|
+ try:
|
|
+ for po in pkgs_to_download:
|
|
+ # before doing anything with the package, verify its signature
|
|
+ result, errmsg = self.dbo.sigCheckPkg(po)
|
|
+ if result == 0:
|
|
+ # Verified ok, or verify not req'd
|
|
+ pass
|
|
+ elif result == 1:
|
|
+ # keys are provided through kickstart, so treat this as consent
|
|
+ # for importing them
|
|
+ self.dbo.getKeyForPackage(po, lambda x, y, z: True)
|
|
+ else:
|
|
+ # Fatal error
|
|
+ raise dnf.exceptions.Error(errmsg)
|
|
+ except dnf.exceptions.Error as e:
|
|
+ logger.error("Failed to verify signature: %s", e)
|
|
+ raise
|
|
+
|
|
logger.info("Preparing transaction from installation source")
|
|
try:
|
|
display = LoraxRpmCallback()
|
|
--
|
|
2.1.0
|
|
|