8ec82b09f7
Livecd-creator is one more example of program which happily installs whatever downloads from the network, without any verification (repository metadata consistency doesn't count)... Patches sent upstream here: https://github.com/rhinstaller/livecd-tools/pull/14
81 lines
2.6 KiB
Diff
81 lines
2.6 KiB
Diff
From ad81fa7d70111c2d29cb44a17c3511c49538d66d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
|
|
<marmarek@invisiblethingslab.com>
|
|
Date: Sat, 26 Sep 2015 06:14:05 +0200
|
|
Subject: [PATCH 2/2] Actually use repo.gpgkey - verify signatures before
|
|
installing the packages
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Organization: Invisible Things Lab
|
|
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
|
|
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
---
|
|
imgcreate/yuminst.py | 35 +++++++++++++++++++++++++++++++++--
|
|
1 file changed, 33 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py
|
|
index 22e840c..17f4774 100644
|
|
--- a/imgcreate/yuminst.py
|
|
+++ b/imgcreate/yuminst.py
|
|
@@ -178,7 +178,7 @@ class LiveCDYum(yum.YumBase):
|
|
repo.metadata_expire = 0
|
|
repo.mirrorlist_expire = 0
|
|
repo.timestamp_check = 0
|
|
- # disable gpg check???
|
|
+ # disable gpg by default, enable it later when gpgkey specified
|
|
repo.gpgcheck = 0
|
|
repo.enable()
|
|
repo.setup(self.conf.cache)
|
|
@@ -195,6 +195,33 @@ class LiveCDYum(yum.YumBase):
|
|
return True
|
|
return False
|
|
|
|
+ def gpgsigcheck(self, pkgs):
|
|
+ """Perform GPG signature verification on the given packages,
|
|
+ installing keys if possible.
|
|
+
|
|
+ :param pkgs: a list of package objects to verify the GPG
|
|
+ signatures of
|
|
+ :return: non-zero if execution should stop due to an error
|
|
+ :raises: Will raise :class:`CreatorError` if there's a problem
|
|
+ """
|
|
+ for po in pkgs:
|
|
+ result, errmsg = self.sigCheckPkg(po)
|
|
+
|
|
+ if result == 0:
|
|
+ # Verified ok, or verify not req'd
|
|
+ continue
|
|
+
|
|
+ elif result == 1:
|
|
+ # keys are provided through kickstart, so treat this as consent
|
|
+ # for importing them
|
|
+ self.getKeyForPackage(po, lambda x, y, z: True)
|
|
+
|
|
+ else:
|
|
+ # Fatal error
|
|
+ raise CreatorError(errmsg)
|
|
+
|
|
+ return 0
|
|
+
|
|
|
|
def runInstall(self):
|
|
os.environ["HOME"] = "/"
|
|
@@ -211,7 +238,11 @@ class LiveCDYum(yum.YumBase):
|
|
|
|
dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers()))
|
|
self.downloadPkgs(dlpkgs)
|
|
- # FIXME: sigcheck?
|
|
+
|
|
+ # Check GPG signatures
|
|
+ if self.gpgsigcheck(dlpkgs) != 0:
|
|
+ raise CreatorError("GPG signature verification failed")
|
|
+
|
|
|
|
self.initActionTs()
|
|
self.populateTs(keepold=0)
|
|
--
|
|
2.1.0
|
|
|