10b346a1e1
This way all the packages are verified, not only those installed in installer image (by lorax). This makes manual rpm --checksig redundant.
84 lines
3.4 KiB
Diff
84 lines
3.4 KiB
Diff
Handle "repo --gpgkey" in kickstart to verify downloaded packages
|
|
|
|
Especially important for lorax - they will not verified in any way without
|
|
setting yum options here.
|
|
|
|
Signed-off-by: Marek Marczykowski <marmarek@invisiblethingslab.com>
|
|
Index: pungi-3.03/src/pypungi/__init__.py
|
|
===================================================================
|
|
--- pungi-3.03.orig/src/pypungi/__init__.py
|
|
+++ pungi-3.03/src/pypungi/__init__.py
|
|
@@ -242,7 +242,7 @@
|
|
|
|
def _add_yum_repo(self, name, url, mirrorlist=False, groups=True,
|
|
cost=1000, includepkgs=None, excludepkgs=None,
|
|
- proxy=None):
|
|
+ proxy=None, gpgkey=None):
|
|
"""This function adds a repo to the yum object.
|
|
name: Name of the repo
|
|
url: Full url to the repo
|
|
@@ -279,6 +279,10 @@
|
|
thisrepo.exclude = excludepkgs
|
|
thisrepo.includepkgs = includepkgs
|
|
thisrepo.cost = cost
|
|
+ if gpgkey:
|
|
+ thisrepo.gpgcheck = True
|
|
+ thisrepo.gpgkey = yum.parser.varReplace(gpgkey,
|
|
+ self.ayum.conf.yumvar)
|
|
# Yum doesn't like proxy being None
|
|
if proxy:
|
|
thisrepo.proxy = proxy
|
|
@@ -309,6 +313,7 @@
|
|
yumconf.installroot = os.path.join(self.workdir, 'yumroot')
|
|
yumconf.uid = os.geteuid()
|
|
yumconf.cache = 0
|
|
+ yumconf.assumeyes = True
|
|
yumconf.failovermethod = 'priority'
|
|
yumconf.deltarpm = 0
|
|
yumvars = yum.config._getEnvVar()
|
|
@@ -339,7 +344,8 @@
|
|
cost=repo.cost,
|
|
includepkgs=repo.includepkgs,
|
|
excludepkgs=repo.excludepkgs,
|
|
- proxy=repo.proxy)
|
|
+ proxy=repo.proxy,
|
|
+ gpgkey=repo.gpgkey)
|
|
else:
|
|
self._add_yum_repo(repo.name, repo.baseurl,
|
|
mirrorlist=False,
|
|
@@ -347,7 +353,8 @@
|
|
cost=repo.cost,
|
|
includepkgs=repo.includepkgs,
|
|
excludepkgs=repo.excludepkgs,
|
|
- proxy=repo.proxy)
|
|
+ proxy=repo.proxy,
|
|
+ gpgkey=repo.gpgkey)
|
|
|
|
self.logger.info('Getting sacks for arches %s' % self.valid_arches)
|
|
self.ayum._getSacks(archlist=self.valid_arches)
|
|
diff --git a/src/pypungi/__init__.py b/src/pypungi/__init__.py
|
|
index fc6a7c7..72cfddf 100644
|
|
--- a/src/pypungi/__init__.py
|
|
+++ b/src/pypungi/__init__.py
|
|
@@ -1096,6 +1096,20 @@ class Pungi(pypungi.PungiBase):
|
|
sys.exit(1)
|
|
|
|
for po in polist:
|
|
+ # before doing anything with the package, verify its signature
|
|
+ result, errmsg = self.ayum.sigCheckPkg(po)
|
|
+ if result == 0:
|
|
+ # Verified ok, or verify not req'd
|
|
+ pass
|
|
+ elif result == 1:
|
|
+ # keys are provided through kickstart, so treat this as consent
|
|
+ # for importing them
|
|
+ self.ayum.getKeyForPackage(po, lambda x, y, z: True)
|
|
+ else:
|
|
+ # Fatal error
|
|
+ self.logger.error(errmsg)
|
|
+ sys.exit(1)
|
|
+
|
|
basename = os.path.basename(po.relativepath)
|
|
|
|
local = po.localPkg()
|