qubes-installer-qubes-os/pungi/support-verify-downloaded-packages.patch
Marek Marczykowski-Górecki 10b346a1e1 pungi: verify downloaded (but not installed packages)
This way all the packages are verified, not only those installed in
installer image (by lorax). This makes manual rpm --checksig redundant.
2015-09-28 20:29:39 +02:00

84 lines
3.4 KiB
Diff

Handle "repo --gpgkey" in kickstart to verify downloaded packages
Especially important for lorax - they will not verified in any way without
setting yum options here.
Signed-off-by: Marek Marczykowski <marmarek@invisiblethingslab.com>
Index: pungi-3.03/src/pypungi/__init__.py
===================================================================
--- pungi-3.03.orig/src/pypungi/__init__.py
+++ pungi-3.03/src/pypungi/__init__.py
@@ -242,7 +242,7 @@
def _add_yum_repo(self, name, url, mirrorlist=False, groups=True,
cost=1000, includepkgs=None, excludepkgs=None,
- proxy=None):
+ proxy=None, gpgkey=None):
"""This function adds a repo to the yum object.
name: Name of the repo
url: Full url to the repo
@@ -279,6 +279,10 @@
thisrepo.exclude = excludepkgs
thisrepo.includepkgs = includepkgs
thisrepo.cost = cost
+ if gpgkey:
+ thisrepo.gpgcheck = True
+ thisrepo.gpgkey = yum.parser.varReplace(gpgkey,
+ self.ayum.conf.yumvar)
# Yum doesn't like proxy being None
if proxy:
thisrepo.proxy = proxy
@@ -309,6 +313,7 @@
yumconf.installroot = os.path.join(self.workdir, 'yumroot')
yumconf.uid = os.geteuid()
yumconf.cache = 0
+ yumconf.assumeyes = True
yumconf.failovermethod = 'priority'
yumconf.deltarpm = 0
yumvars = yum.config._getEnvVar()
@@ -339,7 +344,8 @@
cost=repo.cost,
includepkgs=repo.includepkgs,
excludepkgs=repo.excludepkgs,
- proxy=repo.proxy)
+ proxy=repo.proxy,
+ gpgkey=repo.gpgkey)
else:
self._add_yum_repo(repo.name, repo.baseurl,
mirrorlist=False,
@@ -347,7 +353,8 @@
cost=repo.cost,
includepkgs=repo.includepkgs,
excludepkgs=repo.excludepkgs,
- proxy=repo.proxy)
+ proxy=repo.proxy,
+ gpgkey=repo.gpgkey)
self.logger.info('Getting sacks for arches %s' % self.valid_arches)
self.ayum._getSacks(archlist=self.valid_arches)
diff --git a/src/pypungi/__init__.py b/src/pypungi/__init__.py
index fc6a7c7..72cfddf 100644
--- a/src/pypungi/__init__.py
+++ b/src/pypungi/__init__.py
@@ -1096,6 +1096,20 @@ class Pungi(pypungi.PungiBase):
sys.exit(1)
for po in polist:
+ # before doing anything with the package, verify its signature
+ result, errmsg = self.ayum.sigCheckPkg(po)
+ if result == 0:
+ # Verified ok, or verify not req'd
+ pass
+ elif result == 1:
+ # keys are provided through kickstart, so treat this as consent
+ # for importing them
+ self.ayum.getKeyForPackage(po, lambda x, y, z: True)
+ else:
+ # Fatal error
+ self.logger.error(errmsg)
+ sys.exit(1)
+
basename = os.path.basename(po.relativepath)
local = po.localPkg()