filbranden / rpms / dnf

Forked from rpms/dnf 4 years ago
Clone

Blame SOURCES/1293.patch

c5a933
From 7f6d223078599c3a6a2f26bf89ba8a91afd4cb88 Mon Sep 17 00:00:00 2001
c5a933
From: Michal Domonkos <mdomonko@redhat.com>
c5a933
Date: Mon, 17 Dec 2018 14:38:22 +0100
c5a933
Subject: [PATCH] Add basic integration with %_pkgverify_level
c5a933
c5a933
RPM 4.14.2 introduced a new low-level security policy for package
c5a933
verification configured with the %_pkgverify_level macro:
c5a933
c5a933
http://rpm.org/wiki/Releases/4.14.2
c5a933
c5a933
In DNF, signature verification is done via RPM but in a separate step
c5a933
that precedes the transaction itself (BaseCli.gpgsigcheck()).  We can
c5a933
make use of that to catch signature errors and/or import public keys the
c5a933
same way as if gpgcheck was enabled from the start.  To that end, this
c5a933
commit forces the gpgcheck and localpkg_gpgcheck options to True if the
c5a933
policy would result in signature verification anyway.
c5a933
c5a933
Resolves RHEL-8 bug:
c5a933
https://bugzilla.redhat.com/show_bug.cgi?id=1614351
c5a933
---
c5a933
 dnf/cli/cli.py           | 18 ++++++++++++++++++
c5a933
 dnf/cli/option_parser.py |  2 +-
c5a933
 doc/command_ref.rst      |  2 +-
c5a933
 doc/conf_ref.rst         | 12 ++++++++++--
c5a933
 4 files changed, 30 insertions(+), 4 deletions(-)
c5a933
c5a933
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
c5a933
index ea328702f4..522a2ad936 100644
c5a933
--- a/dnf/cli/cli.py
c5a933
+++ b/dnf/cli/cli.py
c5a933
@@ -972,6 +972,24 @@ def configure(self, args, option_parser=None):
c5a933
         if self.base.conf.color != 'auto':
c5a933
             self.base.output.term.reinit(color=self.base.conf.color)
c5a933
 
c5a933
+        if rpm.expandMacro('%_pkgverify_level') in ('signature', 'all'):
c5a933
+            forcing = False
c5a933
+            for repo in self.base.repos.iter_enabled():
c5a933
+                if repo.gpgcheck:
c5a933
+                    continue
c5a933
+                repo.gpgcheck = True
c5a933
+                forcing = True
c5a933
+            if not self.base.conf.localpkg_gpgcheck:
c5a933
+                self.base.conf.localpkg_gpgcheck = True
c5a933
+                forcing = True
c5a933
+            if forcing:
c5a933
+                logger.warning(
c5a933
+                    _("Warning: Enforcing GPG signature check globally "
c5a933
+                      "as per active RPM security policy (see 'gpgcheck' in "
c5a933
+                      "dnf.conf(5) for how to squelch this message)"
c5a933
+                      )
c5a933
+                )
c5a933
+
c5a933
     def _read_conf_file(self, releasever=None):
c5a933
         timer = dnf.logging.Timer('config')
c5a933
         conf = self.base.conf
c5a933
diff --git a/dnf/cli/option_parser.py b/dnf/cli/option_parser.py
c5a933
index e60179cfac..ba5a316c79 100644
c5a933
--- a/dnf/cli/option_parser.py
c5a933
+++ b/dnf/cli/option_parser.py
c5a933
@@ -274,7 +274,7 @@ def _main_parser(self):
c5a933
                                  help=_("disable removal of dependencies that are no longer used"))
c5a933
         main_parser.add_argument("--nogpgcheck", action="store_false",
c5a933
                                  default=None, dest='gpgcheck',
c5a933
-                                 help=_("disable gpg signature checking"))
c5a933
+                                 help=_("disable gpg signature checking (if RPM policy allows)"))
c5a933
         main_parser.add_argument("--color", dest="color", default=None,
c5a933
                                  help=_("control whether color is used"))
c5a933
         main_parser.add_argument("--refresh", dest="freshest_metadata",
c5a933
diff --git a/doc/command_ref.rst b/doc/command_ref.rst
c5a933
index 6ba31ff9be..70659e6560 100644
c5a933
--- a/doc/command_ref.rst
c5a933
+++ b/doc/command_ref.rst
c5a933
@@ -275,7 +275,7 @@ Options
c5a933
     do not install documentation by using rpm flag 'RPMTRANS_FLAG_NODOCS'
c5a933
 
c5a933
 ``--nogpgcheck``
c5a933
-    skip checking GPG signatures on packages
c5a933
+    skip checking GPG signatures on packages (if RPM policy allows)
c5a933
 
c5a933
 ``--noplugins``
c5a933
     Disable all plugins.
c5a933
diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
c5a933
index 979e2d18c6..6bbcbda9c0 100644
c5a933
--- a/doc/conf_ref.rst
c5a933
+++ b/doc/conf_ref.rst
c5a933
@@ -452,7 +452,11 @@ configuration.
c5a933
 ``gpgcheck``
c5a933
     :ref:`boolean <boolean-label>`
c5a933
 
c5a933
-    Whether to perform GPG signature check on packages found in this repository. The default is False.
c5a933
+    Whether to perform GPG signature check on packages found in this repository.
c5a933
+    The default is False.
c5a933
+    This option can only be used to strengthen the active RPM security policy set with the `%_pkgverify_level` macro (see /usr/lib/rpm/macros for details).
c5a933
+    That means, if the macro is set to `signature` or `all` and this option is False, it will be overridden to True when DNF runs and a warning will be printed.
c5a933
+    To squelch the warning, make sure this option is True on every enabled repository and also enable :ref:`localpkg_gpgcheck <localpkg_gpgcheck-label>`.
c5a933
 
c5a933
 .. _include-label:
c5a933
 
c5a933
@@ -470,10 +474,14 @@ configuration.
c5a933
 
c5a933
     Determines how DNF resolves host names. Set this to '4'/'IPv4' or '6'/'IPv6' to resolve to IPv4 or IPv6 addresses only. By default, DNF resolves to either addresses.
c5a933
 
c5a933
+.. _localpkg_gpgcheck-label:
c5a933
+
c5a933
 ``localpkg_gpgcheck``
c5a933
     :ref:`boolean <boolean-label>`
c5a933
 
c5a933
-    Whether to perform a GPG signature check on local packages (packages in a file, not in a repositoy). The default is False.
c5a933
+    Whether to perform a GPG signature check on local packages (packages in a file, not in a repository).
c5a933
+    The default is False.
c5a933
+    This option is subject to the active RPM security policy (see :ref:`gpgcheck <gpgcheck-label>` for more details).
c5a933
 
c5a933
 ``max_parallel_downloads``
c5a933
     :ref:`integer <integer-label>`