|
 |
ba72f7 |
From 7f6d223078599c3a6a2f26bf89ba8a91afd4cb88 Mon Sep 17 00:00:00 2001
|
|
|
ba72f7 |
From: Michal Domonkos <mdomonko@redhat.com>
|
|
|
ba72f7 |
Date: Mon, 17 Dec 2018 14:38:22 +0100
|
|
|
ba72f7 |
Subject: [PATCH] Add basic integration with %_pkgverify_level
|
|
|
ba72f7 |
|
|
|
ba72f7 |
RPM 4.14.2 introduced a new low-level security policy for package
|
|
|
ba72f7 |
verification configured with the %_pkgverify_level macro:
|
|
|
ba72f7 |
|
|
|
ba72f7 |
http://rpm.org/wiki/Releases/4.14.2
|
|
|
ba72f7 |
|
|
|
ba72f7 |
In DNF, signature verification is done via RPM but in a separate step
|
|
|
ba72f7 |
that precedes the transaction itself (BaseCli.gpgsigcheck()). We can
|
|
|
ba72f7 |
make use of that to catch signature errors and/or import public keys the
|
|
|
ba72f7 |
same way as if gpgcheck was enabled from the start. To that end, this
|
|
|
ba72f7 |
commit forces the gpgcheck and localpkg_gpgcheck options to True if the
|
|
|
ba72f7 |
policy would result in signature verification anyway.
|
|
|
ba72f7 |
|
|
|
ba72f7 |
Resolves RHEL-8 bug:
|
|
|
ba72f7 |
https://bugzilla.redhat.com/show_bug.cgi?id=1614351
|
|
|
ba72f7 |
---
|
|
|
ba72f7 |
dnf/cli/cli.py | 18 ++++++++++++++++++
|
|
|
ba72f7 |
dnf/cli/option_parser.py | 2 +-
|
|
|
ba72f7 |
doc/command_ref.rst | 2 +-
|
|
|
ba72f7 |
doc/conf_ref.rst | 12 ++++++++++--
|
|
|
ba72f7 |
4 files changed, 30 insertions(+), 4 deletions(-)
|
|
|
ba72f7 |
|
|
|
ba72f7 |
diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
|
|
|
ba72f7 |
index ea328702f4..522a2ad936 100644
|
|
|
ba72f7 |
--- a/dnf/cli/cli.py
|
|
|
ba72f7 |
+++ b/dnf/cli/cli.py
|
|
|
ba72f7 |
@@ -972,6 +972,24 @@ def configure(self, args, option_parser=None):
|
|
|
ba72f7 |
if self.base.conf.color != 'auto':
|
|
|
ba72f7 |
self.base.output.term.reinit(color=self.base.conf.color)
|
|
|
ba72f7 |
|
|
|
ba72f7 |
+ if rpm.expandMacro('%_pkgverify_level') in ('signature', 'all'):
|
|
|
ba72f7 |
+ forcing = False
|
|
|
ba72f7 |
+ for repo in self.base.repos.iter_enabled():
|
|
|
ba72f7 |
+ if repo.gpgcheck:
|
|
|
ba72f7 |
+ continue
|
|
|
ba72f7 |
+ repo.gpgcheck = True
|
|
|
ba72f7 |
+ forcing = True
|
|
|
ba72f7 |
+ if not self.base.conf.localpkg_gpgcheck:
|
|
|
ba72f7 |
+ self.base.conf.localpkg_gpgcheck = True
|
|
|
ba72f7 |
+ forcing = True
|
|
|
ba72f7 |
+ if forcing:
|
|
|
ba72f7 |
+ logger.warning(
|
|
|
ba72f7 |
+ _("Warning: Enforcing GPG signature check globally "
|
|
|
ba72f7 |
+ "as per active RPM security policy (see 'gpgcheck' in "
|
|
|
ba72f7 |
+ "dnf.conf(5) for how to squelch this message)"
|
|
|
ba72f7 |
+ )
|
|
|
ba72f7 |
+ )
|
|
|
ba72f7 |
+
|
|
|
ba72f7 |
def _read_conf_file(self, releasever=None):
|
|
|
ba72f7 |
timer = dnf.logging.Timer('config')
|
|
|
ba72f7 |
conf = self.base.conf
|
|
|
ba72f7 |
diff --git a/dnf/cli/option_parser.py b/dnf/cli/option_parser.py
|
|
|
ba72f7 |
index e60179cfac..ba5a316c79 100644
|
|
|
ba72f7 |
--- a/dnf/cli/option_parser.py
|
|
|
ba72f7 |
+++ b/dnf/cli/option_parser.py
|
|
|
ba72f7 |
@@ -274,7 +274,7 @@ def _main_parser(self):
|
|
|
ba72f7 |
help=_("disable removal of dependencies that are no longer used"))
|
|
|
ba72f7 |
main_parser.add_argument("--nogpgcheck", action="store_false",
|
|
|
ba72f7 |
default=None, dest='gpgcheck',
|
|
|
ba72f7 |
- help=_("disable gpg signature checking"))
|
|
|
ba72f7 |
+ help=_("disable gpg signature checking (if RPM policy allows)"))
|
|
|
ba72f7 |
main_parser.add_argument("--color", dest="color", default=None,
|
|
|
ba72f7 |
help=_("control whether color is used"))
|
|
|
ba72f7 |
main_parser.add_argument("--refresh", dest="freshest_metadata",
|
|
|
ba72f7 |
diff --git a/doc/command_ref.rst b/doc/command_ref.rst
|
|
|
ba72f7 |
index 6ba31ff9be..70659e6560 100644
|
|
|
ba72f7 |
--- a/doc/command_ref.rst
|
|
|
ba72f7 |
+++ b/doc/command_ref.rst
|
|
|
ba72f7 |
@@ -275,7 +275,7 @@ Options
|
|
|
ba72f7 |
do not install documentation by using rpm flag 'RPMTRANS_FLAG_NODOCS'
|
|
|
ba72f7 |
|
|
|
ba72f7 |
``--nogpgcheck``
|
|
|
ba72f7 |
- skip checking GPG signatures on packages
|
|
|
ba72f7 |
+ skip checking GPG signatures on packages (if RPM policy allows)
|
|
|
ba72f7 |
|
|
|
ba72f7 |
``--noplugins``
|
|
|
ba72f7 |
Disable all plugins.
|
|
|
ba72f7 |
diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
|
|
|
ba72f7 |
index 979e2d18c6..6bbcbda9c0 100644
|
|
|
ba72f7 |
--- a/doc/conf_ref.rst
|
|
|
ba72f7 |
+++ b/doc/conf_ref.rst
|
|
|
ba72f7 |
@@ -452,7 +452,11 @@ configuration.
|
|
|
ba72f7 |
``gpgcheck``
|
|
|
ba72f7 |
:ref:`boolean <boolean-label>`
|
|
|
ba72f7 |
|
|
|
ba72f7 |
- Whether to perform GPG signature check on packages found in this repository. The default is False.
|
|
|
ba72f7 |
+ Whether to perform GPG signature check on packages found in this repository.
|
|
|
ba72f7 |
+ The default is False.
|
|
|
ba72f7 |
+ This option can only be used to strengthen the active RPM security policy set with the `%_pkgverify_level` macro (see /usr/lib/rpm/macros for details).
|
|
|
ba72f7 |
+ That means, if the macro is set to `signature` or `all` and this option is False, it will be overridden to True when DNF runs and a warning will be printed.
|
|
|
ba72f7 |
+ To squelch the warning, make sure this option is True on every enabled repository and also enable :ref:`localpkg_gpgcheck <localpkg_gpgcheck-label>`.
|
|
|
ba72f7 |
|
|
|
ba72f7 |
.. _include-label:
|
|
|
ba72f7 |
|
|
|
ba72f7 |
@@ -470,10 +474,14 @@ configuration.
|
|
|
ba72f7 |
|
|
|
ba72f7 |
Determines how DNF resolves host names. Set this to '4'/'IPv4' or '6'/'IPv6' to resolve to IPv4 or IPv6 addresses only. By default, DNF resolves to either addresses.
|
|
|
ba72f7 |
|
|
|
ba72f7 |
+.. _localpkg_gpgcheck-label:
|
|
|
ba72f7 |
+
|
|
|
ba72f7 |
``localpkg_gpgcheck``
|
|
|
ba72f7 |
:ref:`boolean <boolean-label>`
|
|
|
ba72f7 |
|
|
|
ba72f7 |
- Whether to perform a GPG signature check on local packages (packages in a file, not in a repositoy). The default is False.
|
|
|
ba72f7 |
+ Whether to perform a GPG signature check on local packages (packages in a file, not in a repository).
|
|
|
ba72f7 |
+ The default is False.
|
|
|
ba72f7 |
+ This option is subject to the active RPM security policy (see :ref:`gpgcheck <gpgcheck-label>` for more details).
|
|
|
ba72f7 |
|
|
|
ba72f7 |
``max_parallel_downloads``
|
|
|
ba72f7 |
:ref:`integer <integer-label>`
|