This depends on pykickstart support https://github.com/rhinstaller/pykickstart/pull/32
The `gpgsigcheck` function is almost 1-1 copy from dnf/cli/cli.py.
Warning: I haven't tested this in this particular case, but very similar code in [pungi](https://pagure.io/pungi/pull-request/63) and [livecd-tools](https://github.com/rhinstaller/livecd-tools/pull/14) works just fine.
One thing I'm not sure about is error reporting: currently signature verification failure causes `dnf.exceptions.Error`, which isn't handled by this code. Should some other exception be used? Or something else (`errors.errorHandler`?)?
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
This adds ability to verify gpg signatures on downloaded packages, which is especially important when installing from network repository (instead of local DVD/disk).
This change depends on pykickstart support here: https://github.com/rhinstaller/pykickstart/pull/32 --- pyanaconda/kickstart.py | 4 ++-- pyanaconda/packaging/dnfpayload.py | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pyanaconda/kickstart.py b/pyanaconda/kickstart.py index 4fead23..3c6bfc4 100644 --- a/pyanaconda/kickstart.py +++ b/pyanaconda/kickstart.py @@ -1575,7 +1575,7 @@ def execute(self, storage, ksdata, instClass): parents=request) storage.createDevice(luksdev)
-class RepoData(commands.repo.F21_RepoData): +class RepoData(commands.repo.F23_RepoData): def __init__(self, *args, **kwargs): """ Add enabled kwarg
@@ -1585,7 +1585,7 @@ def __init__(self, *args, **kwargs): self.enabled = kwargs.pop("enabled", True) self.repo_id = kwargs.pop("repo_id", None)
- commands.repo.F21_RepoData.__init__(self, *args, **kwargs) + commands.repo.F23_RepoData.__init__(self, *args, **kwargs)
class ReqPart(commands.reqpart.F23_ReqPart): def execute(self, storage, ksdata, instClass): diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py index db49d66..7d4dffb 100644 --- a/pyanaconda/packaging/dnfpayload.py +++ b/pyanaconda/packaging/dnfpayload.py @@ -269,6 +269,10 @@ def _add_repo(self, ksrepo): if ksrepo.excludepkgs: repo.exclude = ksrepo.excludepkgs
+ if ksrepo.gpgkey: + repo.gpgkey = ksrepo.gpgkey + repo.gpgcheck = True + # If this repo is already known, it's one of two things: # (1) The user is trying to do "repo --name=updates" in a kickstart file # and we should just know to enable the already existing on-disk
In reply to line 1578 of pyanaconda/kickstart.py:
This will need to be changed to be based off F24, since F23 won't have support for this. Then, the pykickstart PR will also need to be changed. And then I'll need to add F24 support for pykickstart in the first place. I'd been avoiding doing that as long as possible in order to keep master and F23 the same, but I've probably held out as long as I can.
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
--- pyanaconda/packaging/dnfpayload.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py index 7d4dffb..292420e 100644 --- a/pyanaconda/packaging/dnfpayload.py +++ b/pyanaconda/packaging/dnfpayload.py @@ -675,6 +675,30 @@ def gatherRepoMetadata(self): self._base.read_comps() self._refreshEnvironmentAddons()
+ def gpgsigcheck(self, pkgs): + """Perform GPG signature verification on the given packages, + installing keys if possible. + + :param pkgs: a list of package objects to verify the GPG + signatures of + :return: None + :raises: Will raise :class:`Error` if there's a problem + """ + for po in pkgs: + result, errmsg = self._base.sigCheckPkg(po) + + if result == 0: + # Verified ok, or verify not req'd + continue + elif result == 1: + # the callback here expects to be able to take options, which + # we don't need; it is used for key import confirmation + fn = lambda x, y, z: True + self._base.getKeyForPackage(po, fn) + else: + # Fatal error + raise dnf.exceptions.Error(errmsg) + def install(self): progress_message(N_('Starting package installation process'))
@@ -703,6 +727,9 @@ def install(self): if errors.errorHandler.cb(exc) == errors.ERROR_RAISE: _failure_limbo()
+ # Verify GPG signatures + self.gpgsigcheck(pkgs_to_download) + log.info('Downloading packages finished.')
pre_msg = (N_("Preparing transaction from installation source"))
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= marmarek@invisiblethingslab.com
--- pyanaconda/packaging/dnfpayload.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pyanaconda/packaging/dnfpayload.py b/pyanaconda/packaging/dnfpayload.py index 292420e..697b30c 100644 --- a/pyanaconda/packaging/dnfpayload.py +++ b/pyanaconda/packaging/dnfpayload.py @@ -728,7 +728,13 @@ def install(self): _failure_limbo()
# Verify GPG signatures - self.gpgsigcheck(pkgs_to_download) + try: + self.gpgsigcheck(pkgs_to_download) + except dnf.exceptions.Error as e: + msg = 'Signature verification failed: %s' % str(e) + exc = packaging.PayloadInstallError(msg) + if errors.errorHandler.cb(exc) == errors.ERROR_RAISE: + _failure_limbo()
log.info('Downloading packages finished.')
Ok, done.
anaconda-patches@lists.fedorahosted.org