From d60bf2685857e107c5b2c4676779e56199378351 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Sun, 23 Dec 2018 22:06:49 +0100 Subject: [PATCH] get-fedora-latest-config: check rpm signature --- get-fedora-latest-config | 10 +++++++++- keys/RPM-GPG-KEY-fedora-25-primary | 30 ++++++++++++++++++++++++++++++ keys/RPM-GPG-KEY-fedora-29-primary | 30 ++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 keys/RPM-GPG-KEY-fedora-25-primary create mode 100644 keys/RPM-GPG-KEY-fedora-29-primary diff --git a/get-fedora-latest-config b/get-fedora-latest-config index 029363b..191d7c1 100755 --- a/get-fedora-latest-config +++ b/get-fedora-latest-config @@ -11,6 +11,8 @@ releasever="$1" kernelver="$(cat "$localdir/version")" kernelsrc="linux-$kernelver" +key="$localdir/keys/RPM-GPG-KEY-fedora-$releasever-primary" + [[ "x$releasever" == "x" ]] && { echo "Please provide Fedora release version as first argument, e.g. '29'."; exit 1; } # baseurl for latest kernel rpm @@ -24,7 +26,13 @@ latestver="$(echo "$latestrpm" | sed 's/kernel-core-//; s/\.rpm//')" if [ "x$latestrpm" != "x" ]; then tmpdir=$(mktemp -d) # download latest kernel rpm - wget -q -O "$tmpdir/$latestrpm" "$url/$latestrpm" + wget -q -O "$tmpdir/$latestrpm.untrusted" "$url/$latestrpm" + + # check signature + mkdir -p "$tmpdir/rpmdb" + rpmkeys --dbpath="$tmpdir/rpmdb" --import "$key" + { rpmkeys --dbpath="$tmpdir/rpmdb" --checksig "$tmpdir/$latestrpm.untrusted" | grep 'signatures OK' ; } || { echo "Failed to check signature"; exit 1; } + mv "$tmpdir/$latestrpm.untrusted" "$tmpdir/$latestrpm" # extract kernel sources in qubes-linux-kernel tar xf "$localdir/$kernelsrc.tar.xz" -C "$tmpdir" diff --git a/keys/RPM-GPG-KEY-fedora-25-primary b/keys/RPM-GPG-KEY-fedora-25-primary new file mode 100644 index 0000000..c558c9d --- /dev/null +++ b/keys/RPM-GPG-KEY-fedora-25-primary 
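Review bot: The new `key=` assignment in the first hunk of get-fedora-latest-config is built from `$releasever` before the empty-argument check, and nothing verifies that the key file exists. This commit ships keys only for Fedora 25 and 29, so any other release fails at `rpmkeys --import` and then ends with the generic "Failed to check signature". I would move the assignment below the `releasever` check and add `[[ -r "$key" ]] || { echo "No GPG key found for Fedora $releasever: $key" >&2; exit 1; }`. The check fails closed today, so this is about a clear diagnostic rather than a bypass.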
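Review bot: In the second hunk, `grep 'signatures OK'` is matched against a line that also contains the file path, and `$latestrpm` appears to be parsed from the remote listing (its assignment is outside the hunk), so the downloaded file's name can influence whether the check passes. Saving the download under a fixed name such as `"$tmpdir/kernel-core.rpm.untrusted"` and anchoring the match with `grep -q 'signatures OK$'` removes that dependency. The exit status of `rpmkeys --import "$key"` is also unchecked; appending `|| { echo "Failed to import $key" >&2; exit 1; }` would separate a key problem from a bad package. The `exit 1` path leaves `$tmpdir` and the unverified package on disk, which `trap 'rm -rf -- "$tmpdir"' EXIT` right after `mktemp -d` would clean up. The enclosing `if` block starts and ends outside the hunk.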
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFb9YzMBEACy1RmbMa6MNIpfHYxLwgCgBVnFYCdCHZqWfYYYK14potfJ9uI2 +4Y4w+oHiLeZ/HoG1EBQiDfXHetGZECAKEYQlE7BbRBcd3An9GalKTkWzcshhHFx7 +f5JIprL0uY8x2D9HmCfAjMxoh6usWjmAQ+DUYd48iYCkahyZa0/2CgX9HIcEz/M/ +oDeQbTwzw9AQbQz382oOErfRaXE/DQrjlx2ln0iejidiOe7DzGZOH9/Foc2KN062 +A9VnZ7tU1ACKT8NxZ78RaBL3qmvMGdb7kf7GywjpRNo4J7XCQUP+nP51eCur2wMS +4mY2idDL8Ojouta79pPrviVLmwzunJoFnBcnIhbndebdxPqgOA5XAOaTdLtgurMq +90V45DPyJpkdEyptovksH7zYNGEIGB8cFmrVgUwriB0TLNJTEcM4Knbh4imfTX42 +vCE+rEHn3YVqubG7rggibKznJbflwQcqOYZHLlPGYCxO47aaFUo5qJN7QN3lxajb +SzL/SdoHrVL67unzmHyktx5uF8Fv6EDgUV6NCb/IBiEwhR8YHi86NQ8nsI3K8Zhv +EnIxghJQD+cn3ykthwqYmZwi2PJDBiZsOGf3iXbalAjU3JVqoA7mboRPR+IBXQxK +xvAEpyIGeSUN8yBn+JVDRwZ37kkUVs2AOeUwMlnfFSqYFfmqbeQ73A9ECwARAQAB +tDxGZWRvcmEgMjUgUHJpbWFyeSAoMjUpIDxmZWRvcmEtMjUtcHJpbWFyeUBmZWRv +cmFwcm9qZWN0Lm9yZz6JAjgEEwECACIFAlb9YzMCGw8GCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJEECJ2PL9sZyY1TEP/0u/v4g8HEdl9gqlhV179vXCJJiGtzB0 +7IGAu++mrsxBrDpqPZTEs6dG5MyzvhhHcmHYrZIiicPAeL9xlZ75oIqQuvjDncoM +kROSGvtfUnvocZhQIPvvkgWe3UAmmP3cSlVzu3KtbTpM+KL71incWo4Tentq9L/f +vsow7vvGbKUMoSSZbAMfjJkzlzSDNlFtaRkrCBQFJ76EKeggjnEZ8H0cowCdGuyv +uBoxQeeQM13b2T9c/uyrXCIcasaOTIKTcqTjbJUTIC2NIZ8OHjtlxZacEaN3ml1M +lNRtbIvqzbtv+sb+DsOVTyd1XIcxU9s+TDKvUm0OBNvj3Bm2BQbi8RHyLFbHWvhx +Gjzb8Wb/MnlcdTlk3M2iPv8dWHXjEM9n9TKyStdpBD9X3P/Gy2gUquHgkl8p+r8o +xmzNH534mKH47kPL/trKInKwv0fkBwxvuPgHG0n79eMHQenVA8gXzG4P6JkcyObA +6xGEEQ/wXFF0gLksmwFWuPm2GcnOI5KmGNgDP2PMhS8/cfJfW04a/tL2T2zr4CmE +LynbOvY/yOJk7/2W3Cb47+yhqo/htrpJDP6n6zQNNk3+e8EVgfhkQqFxom8yCmEP +pW0gBFeE83VoytYPXRkavwmFR+tplyZfOkXG9gysTn8SpRp5+B44O+VeaZumanQZ +kRFmBygMR6M/ +=NrXo +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/RPM-GPG-KEY-fedora-29-primary b/keys/RPM-GPG-KEY-fedora-29-primary new file mode 100644 index 0000000..e062bd4 --- /dev/null +++ b/keys/RPM-GPG-KEY-fedora-29-primary 
@@ -0,0 +1,30 @@ +pub 4096R/429476B4 2018-02-17 Fedora 29 (29) + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFqIZTcBEACjh0DKywPd0Hx9I4nGYsbUbqIU7TGZgxaT9jnVSRgkcdfRqt2C +P7EdtRbyqkMUKyL23CLwAz+YSmf9Ff9nxBSl8FiKUCNNWUYO3faEAZkZ5reDr6h6 +W4a0niBMWfVLqmYjpZmkcBqgLgl+2wVq9/E9Fq9SzDktzczUF7wwAWrsKW5rwEEq ++i8jk6FSUTNMqWZq69y7Dvox8k8QIxtou5dIL3Z8qQdkc/0ynTs4bdac94FsJBM6 +0qKSHP23MY7ppwOl7wttAsnaIzBaCD0UIM5qtfFBNFaYfeJ5kH1rf+NzgFjJ8y1D +xiZdEX2t4OyXvhuAQSvYyotDrJzCbusjXQYMYYqnfGcqMmTCkgGxYbdfVGbMs3x1 +mMObZWMQbb9HGN0KTBaFdwA7EnMBrCGy3I9WxngGIGATOPWkPPUUxlaI9jwxT3tq +bwYY5Kn2RhD4CZyj4VIaQvGdMaop01O78QVFHhdH24abqNuPrYqEDZ+aSTgnYFKJ +cpGSsRVL+Kw/x1wik8PYzpC9tNzU1LRCi9jsX0pk9gODSgbKLWryZEgZaIdcBcJD +4U3slDjdBeTDY8pJV9z9r7z+gFPAHLqStGKj2icbv80dMGTfgUm3HqWES/XXomX9 +ZWA1tV0ZlNOM8/IunmISz9MNpc3LChpcccffjrfvWBfokDKaXO9qCUgctwARAQAB +tCxGZWRvcmEgMjkgKDI5KSA8ZmVkb3JhLTI5QGZlZG9yYXByb2plY3Qub3JnPokC +OAQTAQIAIgUCWohlNwIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQogql +a0KUdrR7axAAluNHQ93T7u/yIQaTCs4uGb/jEg7qbm6hRx5nsqrdm3qKNqnyXK61 +nnPNoDJNk1WhZww4RdrvxCDOGyyNhGSejjvXM6RBDEOY/KmD6huPo8xN5i7JVG+E +2mlwTGe7HSg47d0wHydDNTRLQqT0VZnpkxRe3puQ4DNNHJZG1SsRl/Sf2VI1XyB/ +hHbFGbLS9KvH32lCIAAtt6dbGTRZC9gsGL6XR/6o7EU5fpj7U5rYiDTFaYqmqG21 +LZZV9xtqCoHcKElY7jX7Rfmk8Wn1G2zC2XR0LX7eVH7GBeXw6JbmLZjxSgd235zE +1lNSaSLMHOHMcgSHWoEC9ULzLYJuTagjK3cjk0VkKLocakRcsb9dtFcxgZGdQHfM +X7mD9epuJmqB4a6TOZoL/tiq28ORakUbjYfLz9ngnqd/pJkn9MNWcxy3yBtOdTYq +ce+61/XQk4cR2tH8V2eP7fL8YMboNkPPbcbKlcvKG/TgaS0tVrFMUmA1xmDihzf6 +gupAANlcMkYo0hm+z1hLvgqosp14oTocJeXLAFVw5dxnb9bmqjBy+77u/rqrY0Ek +LQd9XnXgowUQl0RSNXgcIIfEkVBipL/2YB+MFBmMQKcTDXX7lc/hl6W4BFmVj2KH +kPdZzUOJQVYfe90Rt3hfXHViUw118hkTaJhrCPVwkFbaUWscEA2OaFI= +=QzSY +-----END PGP PUBLIC KEY BLOCK-----