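diff -up yum-3.4.3/docs/yum.conf.5.orig yum-3.4.3/docs/yum.conf.5
--- yum-3.4.3/docs/yum.conf.5.orig 2017-03-23 13:48:19.700471026 +0100
+++ yum-3.4.3/docs/yum.conf.5 2017-03-23 13:48:21.455461060 +0100
@@ -105,6 +105,31 @@ signature check on the repodata. When th
 default for all repositories. The default is `0'.
 
 .IP
+\fBpayload_gpgcheck\fR
+Either `1' or `0'. This tells yum whether or not it should also perform a GPG
+signature check on the payload (part of a package holding the actual files that
+comprise the package).
+
+By default, yum only performs GPG signature checks on package headers.
+Thus, if the payload data has been tampered with or corrupted, yum will fail in
+the middle of the transaction due to an RPM unpacking error, after some
+unverified scriptlets might have already run, and possibly leave the package in
+question partly installed.
+
+To prevent all of that, you can enable this option to extend the signature
+check to also include the payload, so that yum can avoid running the
+transaction in case of payload corruption.
+This slightly improves security, however at the expense of significantly
+increased transaction time, so you may want to only use this option when
+package corruption is a concern.
+
+For this option to have effect, make sure to also enable gpgcheck (or
+localpkg_gpgcheck for local packages).
+
+When this option is set in the [main] section it sets the default for all
+repositories. The default is `0'.
+
+.IP
 \fBskip_broken\fR
 Either `1' or `0'. Resolve depsolve problems by removing packages that
 are causing problems from the transaction.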
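diff -up yum-3.4.3/rpmUtils/miscutils.py.orig yum-3.4.3/rpmUtils/miscutils.py
--- yum-3.4.3/rpmUtils/miscutils.py.orig 2011-06-28 22:27:22.000000000 +0200
+++ yum-3.4.3/rpmUtils/miscutils.py 2017-03-23 13:48:21.455461060 +0100
@@ -58,11 +58,16 @@ def compareVerOnly(v1, v2):
 """compare version strings only using rpm vercmp"""
 return compareEVR(('', v1, ''), ('', v2, ''))
 
-def checkSig(ts, package):
- """Takes a transaction set and a package, check it's sigs,
+def checkSig(ts, package, payload=False):
+ """Takes a transaction set and a package, check it's sigs.
+
+ By default, only RPMv4 sigs (header-only) will be verified (faster). By
+ setting payload to True, RPMv3 sigs (header+payload) will also be verified
+ (slower).
+
 return 0 if they are all fine
 return 1 if the gpg key can't be found
- return 2 if the header is in someway damaged
+ return 2 if the header or payload is in someway damaged
 return 3 if the key is not trusted
 return 4 if the pkg is not gpg or pgp signed"""
 
@@ -89,6 +94,24 @@ def checkSig(ts, package):
 else:
 del hdr
 
+ # Don't perform the payload check if the header check failed, otherwise we
+ # could mask the reason stored in "value" (we only return one integer from
+ # this function and shouldn't change that).
+ if payload and value == 0:
+ os.lseek(fdno, 0, 0)
+ # We don't want the OK message to pollute the output but we do want the
+ # BAD message (verbose version) in case of a failure, which is only
+ # possible by running _verifySigs() twice (temporary hack until we have
+ # the proper API for payload verification in RPM).
+ rpm.setVerbosity(rpm.RPMLOG_WARNING)
+ valid = ts._verifySigs(fdno, package)
+ if not valid:
+ value = 2
+ os.lseek(fdno, 0, 0)
+ rpm.setVerbosity(rpm.RPMLOG_INFO)
+ ts._verifySigs(fdno, package)
+ rpm.setVerbosity(rpm.RPMLOG_NOTICE)
+
 try:
 os.close(fdno)
 except OSError, e: # if we're not opened, don't scream about it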
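Review bot: In the added `if payload and value == 0:` block, rpm's verbosity is changed process-wide and is reset only on the normal path, to a hard-coded `rpm.RPMLOG_NOTICE`; if `ts._verifySigs()` raises, the level stays at WARNING or INFO for the rest of the run. Wrapping the two verification passes in `try`/`finally` keeps the reset unconditional, as sketched below. The comment should also say what `_verifySigs()` returns for a package that carries no header+payload signature, since the option only protects anything if that case ends in `value = 2`; this cannot be confirmed from the hunk. The body of checkSig starts and ends outside the hunk.

```python
    if payload and value == 0:
        # … unchanged: comment on why _verifySigs() is run twice …
        try:
            os.lseek(fdno, 0, 0)
            rpm.setVerbosity(rpm.RPMLOG_WARNING)
            if not ts._verifySigs(fdno, package):
                value = 2
                os.lseek(fdno, 0, 0)
                rpm.setVerbosity(rpm.RPMLOG_INFO)
                ts._verifySigs(fdno, package)
        finally:
            # Reset the global log level even when verification raises.
            rpm.setVerbosity(rpm.RPMLOG_NOTICE)
```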
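diff -up yum-3.4.3/rpmUtils/transaction.py.orig yum-3.4.3/rpmUtils/transaction.py
--- yum-3.4.3/rpmUtils/transaction.py.orig 2017-03-23 13:48:19.441472497 +0100
+++ yum-3.4.3/rpmUtils/transaction.py 2017-03-23 13:48:21.455461060 +0100
@@ -35,7 +35,8 @@ class TransactionWrapper:
 'setProbFilter',
 'hdrFromFdno',
 'next',
- 'clean']
+ 'clean',
+ '_verifySigs']
 self.tsflags = []
 self.open = True
 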
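Review bot: `'_verifySigs'` is a private method of the rpm bindings, and the new list entry gives no hint why it is exposed through the wrapper; a comment above it, such as `# private rpm API; only for rpmUtils.miscutils.checkSig() payload verification`, would warn against wider use. Whether every supported rpm version provides the method is not visible here, so a missing attribute would presumably surface only once payload_gpgcheck is enabled. The list and the enclosing method start outside the hunk.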
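diff -up yum-3.4.3/yum/config.py.orig yum-3.4.3/yum/config.py
--- yum-3.4.3/yum/config.py.orig 2017-03-23 13:48:19.701471020 +0100
+++ yum-3.4.3/yum/config.py 2017-03-23 13:48:21.456461055 +0100
@@ -46,6 +46,7 @@ from misc import get_uuid, read_in_items
 # Alter/patch these to change the default checking...
 __pkgs_gpgcheck_default__ = False
 __repo_gpgcheck_default__ = False
+__payload_gpgcheck_default__ = False
 __main_multilib_policy_default__ = 'all'
 __main_failovermethod_default__ = 'roundrobin'
 __main_installonly_limit_default__ = 0
@@ -786,6 +787,7 @@ class YumConf(StartupConf):
 gpgcheck = BoolOption(__pkgs_gpgcheck_default__)
 repo_gpgcheck = BoolOption(__repo_gpgcheck_default__)
 localpkg_gpgcheck = BoolOption(__pkgs_gpgcheck_default__)
+ payload_gpgcheck = BoolOption(__payload_gpgcheck_default__)
 obsoletes = BoolOption(True)
 showdupesfromrepos = BoolOption(False)
 enabled = BoolOption(True)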
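diff -up yum-3.4.3/yum/__init__.py.orig yum-3.4.3/yum/__init__.py
--- yum-3.4.3/yum/__init__.py.orig 2017-03-23 13:48:19.731470850 +0100
+++ yum-3.4.3/yum/__init__.py 2017-03-23 13:48:21.456461055 +0100
@@ -2755,7 +2755,9 @@ much more problems).
 
 if check:
 ts = self.rpmdb.readOnlyTS()
- sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
+ sigresult = rpmUtils.miscutils.checkSig(
+ ts, po.localPkg(), payload=self.conf.payload_gpgcheck,
+ )
 localfn = os.path.basename(po.localPkg())
 
 if sigresult == 0: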