Blame SOURCES/0003-reposync-Check-GPG-signatures-of-downloaded-packages-RhBug-1856818.patch

a6dba4
From a4f21266a6dab9e77913d56c04aba1e579f0e0c1 Mon Sep 17 00:00:00 2001
a6dba4
From: Marek Blaha <mblaha@redhat.com>
a6dba4
Date: Fri, 23 Oct 2020 09:06:35 +0200
a6dba4
Subject: [PATCH 1/2] [reposync] Reorder options alphabetically
a6dba4
a6dba4
---
a6dba4
 doc/reposync.rst    | 30 +++++++++++++++---------------
a6dba4
 plugins/reposync.py | 18 +++++++++---------
a6dba4
 2 files changed, 24 insertions(+), 24 deletions(-)
a6dba4
a6dba4
diff --git a/doc/reposync.rst b/doc/reposync.rst
a6dba4
index 71a435dc..3b820f33 100644
a6dba4
--- a/doc/reposync.rst
a6dba4
+++ b/doc/reposync.rst
a6dba4
@@ -39,36 +39,36 @@ Options
a6dba4
 
a6dba4
 All general DNF options are accepted. Namely, the ``--repoid`` option can be used to specify the repositories to synchronize. See `Options` in :manpage:`dnf(8)` for details.
a6dba4
 
a6dba4
-``-p <download-path>, --download-path=<download-path>``
a6dba4
-    Root path under which the downloaded repositories are stored, relative to the current working directory. Defaults to the current working directory. Every downloaded repository has a subdirectory named after its ID under this path.
a6dba4
-    
a6dba4
-``--norepopath``
a6dba4
-    Don't add the reponame to the download path. Can only be used when syncing a single repository (default is to add the reponame).
a6dba4
-
a6dba4
-``--download-metadata``
a6dba4
-    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
a6dba4
-
a6dba4
 ``-a <architecture>, --arch=<architecture>``
a6dba4
     Download only packages of given architectures (default is all architectures). Can be used multiple times.
a6dba4
 
a6dba4
-``--source``
a6dba4
-    Operate on source packages.
a6dba4
+``--delete``
a6dba4
+    Delete local packages no longer present in repository.
a6dba4
+
a6dba4
+``--download-metadata``
a6dba4
+    Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
a6dba4
 
a6dba4
 ``-m, --downloadcomps``
a6dba4
     Also download and uncompress comps.xml. Consider using ``--download-metadata`` option which will download all available repository metadata.
a6dba4
 
a6dba4
+``--metadata-path``
a6dba4
+    Root path under which the downloaded metadata are stored. It defaults to ``--download-path`` value if not given.
a6dba4
+
a6dba4
 ``-n, --newest-only``
a6dba4
     Download only newest packages per-repo.
a6dba4
 
a6dba4
-``--delete``
a6dba4
-    Delete local packages no longer present in repository.
a6dba4
+``--norepopath``
a6dba4
+    Don't add the reponame to the download path. Can only be used when syncing a single repository (default is to add the reponame).
a6dba4
 
a6dba4
-``--metadata-path``
a6dba4
-    Root path under which the downloaded metadata are stored. It defaults to ``--download-path`` value if not given.
a6dba4
+``-p <download-path>, --download-path=<download-path>``
a6dba4
+    Root path under which the downloaded repositories are stored, relative to the current working directory. Defaults to the current working directory. Every downloaded repository has a subdirectory named after its ID under this path.
a6dba4
 
a6dba4
 ``--remote-time``
a6dba4
     Try to set the timestamps of the downloaded files to those on the remote side.
a6dba4
 
a6dba4
+``--source``
a6dba4
+    Operate on source packages.
a6dba4
+
a6dba4
 ``-u, --urls``
a6dba4
     Just print urls of what would be downloaded, don't download.
a6dba4
 
a6dba4
diff --git a/plugins/reposync.py b/plugins/reposync.py
a6dba4
index 7556e7eb..6f572cac 100644
a6dba4
--- a/plugins/reposync.py
a6dba4
+++ b/plugins/reposync.py
a6dba4
@@ -63,24 +63,24 @@ def set_argparser(parser):
a6dba4
                             help=_('download only packages for this ARCH'))
a6dba4
         parser.add_argument('--delete', default=False, action='store_true',
a6dba4
                             help=_('delete local packages no longer present in repository'))
a6dba4
-        parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
a6dba4
-                            help=_('also download and uncompress comps.xml'))
a6dba4
         parser.add_argument('--download-metadata', default=False, action='store_true',
a6dba4
                             help=_('download all the metadata.'))
a6dba4
+        parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
a6dba4
+                            help=_('also download and uncompress comps.xml'))
a6dba4
+        parser.add_argument('--metadata-path',
a6dba4
+                            help=_('where to store downloaded repository metadata. '
a6dba4
+                                   'Defaults to the value of --download-path.'))
a6dba4
         parser.add_argument('-n', '--newest-only', default=False, action='store_true',
a6dba4
                             help=_('download only newest packages per-repo'))
a6dba4
-        parser.add_argument('-p', '--download-path', default='./',
a6dba4
-                            help=_('where to store downloaded repositories'))
a6dba4
         parser.add_argument('--norepopath', default=False, action='store_true',
a6dba4
                             help=_("Don't add the reponame to the download path."))
a6dba4
-        parser.add_argument('--metadata-path',
a6dba4
-                            help=_('where to store downloaded repository metadata. '
a6dba4
-                                   'Defaults to the value of --download-path.'))
a6dba4
-        parser.add_argument('--source', default=False, action='store_true',
a6dba4
-                            help=_('operate on source packages'))
a6dba4
+        parser.add_argument('-p', '--download-path', default='./',
a6dba4
+                            help=_('where to store downloaded repositories'))
a6dba4
         parser.add_argument('--remote-time', default=False, action='store_true',
a6dba4
                             help=_('try to set local timestamps of local files by '
a6dba4
                                    'the one on the server'))
a6dba4
+        parser.add_argument('--source', default=False, action='store_true',
a6dba4
+                            help=_('operate on source packages'))
a6dba4
         parser.add_argument('-u', '--urls', default=False, action='store_true',
a6dba4
                             help=_("Just list urls of what would be downloaded, "
a6dba4
                                    "don't download"))
a6dba4
a6dba4
From 978b7f2b1c654fed7b1b4cf45cb607143226804c Mon Sep 17 00:00:00 2001
a6dba4
From: Marek Blaha <mblaha@redhat.com>
a6dba4
Date: Fri, 23 Oct 2020 09:14:02 +0200
a6dba4
Subject: [PATCH 2/2] [reposync] Check GPG signatures of downloaded packages
a6dba4
 (RhBug:1856818)
a6dba4
a6dba4
YUMv3 reposync used to have --gpgcheck option to remove packages that fail GPG
a6dba4
signature checking after downloading.
a6dba4
This patch implements the option for DNF.
a6dba4
a6dba4
= changelog =
a6dba4
msg:           Add --gpgcheck option to reposync (RhBug:1856818)
a6dba4
type:          enhancement
a6dba4
resolves:      https://bugzilla.redhat.com/show_bug.cgi?id=1856818
a6dba4
---
a6dba4
 doc/reposync.rst    |  4 ++++
a6dba4
 plugins/reposync.py | 21 +++++++++++++++++++++
a6dba4
 2 files changed, 25 insertions(+)
a6dba4
a6dba4
diff --git a/doc/reposync.rst b/doc/reposync.rst
a6dba4
index 3b820f33..de40957f 100644
a6dba4
--- a/doc/reposync.rst
a6dba4
+++ b/doc/reposync.rst
a6dba4
@@ -48,6 +48,10 @@ All general DNF options are accepted. Namely, the ``--repoid`` option can be use
a6dba4
 ``--download-metadata``
a6dba4
     Download all repository metadata. Downloaded copy is instantly usable as a repository, no need to run createrepo_c on it.
a6dba4
 
a6dba4
+``-g, --gpgcheck``
a6dba4
+    Remove packages that fail GPG signature checking after downloading. Exit code is ``1`` if at least one package was removed.
a6dba4
+    Note that for repositories with ``gpgcheck=0`` set in their configuration the GPG signature is not checked even with this option used.
a6dba4
+
a6dba4
 ``-m, --downloadcomps``
a6dba4
     Also download and uncompress comps.xml. Consider using ``--download-metadata`` option which will download all available repository metadata.
a6dba4
 
a6dba4
diff --git a/plugins/reposync.py b/plugins/reposync.py
a6dba4
index 6f572cac..c891bfa2 100644
a6dba4
--- a/plugins/reposync.py
a6dba4
+++ b/plugins/reposync.py
a6dba4
@@ -24,6 +24,7 @@
a6dba4
 import hawkey
a6dba4
 import os
a6dba4
 import shutil
a6dba4
+import types
a6dba4
 
a6dba4
 from dnfpluginscore import _, logger
a6dba4
 from dnf.cli.option_parser import OptionParser
a6dba4
@@ -65,6 +66,9 @@ def set_argparser(parser):
a6dba4
                             help=_('delete local packages no longer present in repository'))
a6dba4
         parser.add_argument('--download-metadata', default=False, action='store_true',
a6dba4
                             help=_('download all the metadata.'))
a6dba4
+        parser.add_argument('-g', '--gpgcheck', default=False, action='store_true',
a6dba4
+                            help=_('Remove packages that fail GPG signature checking '
a6dba4
+                                   'after downloading'))
a6dba4
         parser.add_argument('-m', '--downloadcomps', default=False, action='store_true',
a6dba4
                             help=_('also download and uncompress comps.xml'))
a6dba4
         parser.add_argument('--metadata-path',
a6dba4
@@ -114,6 +118,7 @@ def configure(self):
a6dba4
 
a6dba4
     def run(self):
a6dba4
         self.base.conf.keepcache = True
a6dba4
+        gpgcheck_ok = True
a6dba4
         for repo in self.base.repos.iter_enabled():
a6dba4
             if self.opts.remote_time:
a6dba4
                 repo._repo.setPreserveRemoteTime(True)
a6dba4
@@ -150,8 +155,24 @@ def run(self):
a6dba4
                 self.print_urls(pkglist)
a6dba4
             else:
a6dba4
                 self.download_packages(pkglist)
a6dba4
+                if self.opts.gpgcheck:
a6dba4
+                    for pkg in pkglist:
a6dba4
+                        local_path = self.pkg_download_path(pkg)
a6dba4
+                        # base.package_signature_check uses pkg.localPkg() to determine
a6dba4
+                        # the location of the package rpm file on the disk.
a6dba4
+                        # Set it to the correct download path.
a6dba4
+                        pkg.localPkg  = types.MethodType(
a6dba4
+                            lambda s, local_path=local_path: local_path, pkg)
a6dba4
+                        result, error = self.base.package_signature_check(pkg)
a6dba4
+                        if result != 0:
a6dba4
+                            logger.warning(_("Removing {}: {}").format(
a6dba4
+                                os.path.basename(local_path), error))
a6dba4
+                            os.unlink(local_path)
a6dba4
+                            gpgcheck_ok = False
a6dba4
             if self.opts.delete:
a6dba4
                 self.delete_old_local_packages(repo, pkglist)
a6dba4
+        if not gpgcheck_ok:
a6dba4
+            raise dnf.exceptions.Error(_("GPG signature check failed."))
a6dba4
 
a6dba4
     def repo_target(self, repo):
a6dba4
         return _pkgdir(self.opts.destdir or self.opts.download_path,