This depends on pykickstart support https://github.com/rhinstaller/pykickstart/pull/32
The `gpgsigcheck` function is an almost 1:1 copy of the one in dnf/cli/cli.py.
Warning: I haven't tested this in this particular case, but very similar code in [pungi](https://pagure.io/pungi/pull-request/63) and [livecd-tools](https://github.com/rhinstaller/livecd-tools/pull/14) works just fine.
One thing I'm not sure about is error reporting: currently signature verification failure causes `dnf.exceptions.Error`, which isn't handled by this code. Should some other exception be used? Or something else (`errors.errorHandler`?)?
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
This adds the ability to verify GPG signatures on downloaded packages, which is especially important when installing from a network repository (instead of a local DVD/disk).
This change depends on pykickstart support here: https://github.com/rhinstaller/pykickstart/pull/32 --- pyanaconda/kickstart.py | 4 ++-- pyanaconda/packaging/dnfpayload.py | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pyanaconda/kickstart.py b/pyanaconda/kickstart.py
index 4fead23..23dc9a2 100644
--- a/pyanaconda/kickstart.py
+++ b/pyanaconda/kickstart.py
@@ -1575,7 +1575,7 @@ def execute(self, storage, ksdata, instClass):
 parents=request)
 storage.createDevice(luksdev)
-class RepoData(commands.repo.F21_RepoData):
+class RepoData(commands.repo.F24_RepoData):
 def __init__(self, *args, **kwargs):
 """ Add enabled kwarg
@@ -1585,7 +1585,7 @@ def __init__(self, *args, **kwargs):
 self.enabled = kwargs.pop("enabled", True)
 self.repo_id = kwargs.pop("repo_id", None)
- commands.repo.F21_RepoData.__init__(self, *args, **kwargs)
+ commands.repo.F24_RepoData.__init__(self, *args, **kwargs)
class ReqPart(commands.reqpart.F23_ReqPart):
 def execute(self, storage, ksdata, instClass):
diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py
index db49d66..7d4dffb 100644
--- a/pyanaconda/packaging/dnfpayload.py
+++ b/pyanaconda/packaging/dnfpayload.py
@@ -269,6 +269,10 @@ def _add_repo(self, ksrepo):
 if ksrepo.excludepkgs:
 repo.exclude = ksrepo.excludepkgs
+ if ksrepo.gpgkey:
+ repo.gpgkey = ksrepo.gpgkey
+ repo.gpgcheck = True
+
 # If this repo is already known, it's one of two things:
 # (1) The user is trying to do "repo --name=updates" in a kickstart file
 # and we should just know to enable the already existing on-disk
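Review bot: Signature checking is switched on only when the kickstart repo entry carries a gpgkey, so a network repo declared without one is still installed unverified and nothing in the log says so. Since the commit message names network repositories as the case that matters, consider logging the decision either way, e.g. `log.info("repo %s: gpgcheck enabled, key %s", repo.id, ksrepo.gpgkey)` plus a warning in an `else:` branch. The key is only as trustworthy as its transport: a gpgkey URL served over plain http from the same host as the packages adds little against a tampered mirror or an on-path modification, which deserves a comment here or in the kickstart documentation. It also looks like dnf treats `repo.gpgkey` as a list of URLs, so confirm the type pykickstart hands over. `_add_repo` starts and ends outside the hunk.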
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
--- pyanaconda/packaging/dnfpayload.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py
index 7d4dffb..292420e 100644
--- a/pyanaconda/packaging/dnfpayload.py
+++ b/pyanaconda/packaging/dnfpayload.py
@@ -675,6 +675,30 @@ def gatherRepoMetadata(self):
 self._base.read_comps()
 self._refreshEnvironmentAddons()
+ def gpgsigcheck(self, pkgs):
+ """Perform GPG signature verification on the given packages,
+ installing keys if possible.
+
+ :param pkgs: a list of package objects to verify the GPG
+ signatures of
+ :return: None
+ :raises: Will raise :class:`Error` if there's a problem
+ """
+ for po in pkgs:
+ result, errmsg = self._base.sigCheckPkg(po)
+
+ if result == 0:
+ # Verified ok, or verify not req'd
+ continue
+ elif result == 1:
+ # the callback here expects to be able to take options, which
+ # we don't need; it is used for key import confirmation
+ fn = lambda x, y, z: True
+ self._base.getKeyForPackage(po, fn)
+ else:
+ # Fatal error
+ raise dnf.exceptions.Error(errmsg)
+
 def install(self):
 progress_message(N_('Starting package installation process'))
@@ -703,6 +727,9 @@ def install(self):
 if errors.errorHandler.cb(exc) == errors.ERROR_RAISE:
 _failure_limbo()
+ # Verify GPG signatures
+ self.gpgsigcheck(pkgs_to_download)
+
 log.info('Downloading packages finished.')
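Review bot: In the `result == 1` branch the callback `lambda x, y, z: True` approves every key import, so the key that ends up trusted is whatever the configured gpgkey location serves, with no fingerprint comparison and no record of which key was accepted. That may be unavoidable in an unattended install, but the docstring should say that keys are imported without confirmation, and the import should be logged, e.g. `log.info("importing GPG key for %s without confirmation", po)` before the `getKeyForPackage` call. The comment on the `result == 0` branch ("verify not req'd") also means packages from repos with gpgcheck off pass here silently, which is worth spelling out for the next reader. As a style point, binding a lambda to a name inside the loop is discouraged by PEP 8; define a small named function once or pass the lambda inline.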
pre_msg = (N_("Preparing transaction from installation source"))
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
--- pyanaconda/packaging/dnfpayload.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py
index 292420e..697b30c 100644
--- a/pyanaconda/packaging/dnfpayload.py
+++ b/pyanaconda/packaging/dnfpayload.py
@@ -728,7 +728,13 @@ def install(self):
 _failure_limbo()
# Verify GPG signatures
- self.gpgsigcheck(pkgs_to_download)
+ try:
+ self.gpgsigcheck(pkgs_to_download)
+ except dnf.exceptions.Error as e:
+ msg = 'Signature verification failed: %s' % str(e)
+ exc = packaging.PayloadInstallError(msg)
+ if errors.errorHandler.cb(exc) == errors.ERROR_RAISE:
+ _failure_limbo()
log.info('Downloading packages finished.')
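Review bot: A signature failure stops the install only when `errors.errorHandler.cb(exc)` returns `errors.ERROR_RAISE`; for any other return value control leaves the `except` block, reaches `log.info('Downloading packages finished.')` and presumably continues to the transaction with packages that failed verification. Whether the handler can return anything else for a `PayloadInstallError` is not visible in this hunk, but a verification failure should fail closed regardless: call `errors.errorHandler.cb(exc)` for reporting and then `_failure_limbo()` unconditionally. A `log.error(msg)` before the handler call would leave a trace in the install log, and `str(e)` is redundant under `%s`. The body of `install()` starts and ends outside the hunk.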
Updated this for F24 pykickstart. The branch name is somehow outdated now...
anaconda-patches@lists.fedorahosted.org